Knowledge Base
Risks of not implementing End User Verification Client Facing Educational Documents
Disclaimer: This is not a substitute for Legal advice. Pleas consult with your attorney on local, state and federal guidelines before including this in any legal agreements. This document is intended for educational purposes.
Risks of Not Implementing End User Verification with Company Signature
Introduction
In the digital age, verifying the identity of end users has become a crucial aspect of managing security and maintaining trust in business operations. End User Verification (EUV) processes, particularly those that include a company signature (either digital or physical), play a critical role in ensuring that services and information are accessed only by authorized individuals. This document outlines the potential risks associated with the refusal or failure to implement an EUV system that includes a company signature, emphasizing the importance of such measures for safeguarding business integrity, customer trust, and legal compliance.
Risks Associated with Non-Implementation
- **Increased Vulnerability to Fraud and Identity Theft**
Without a robust EUV process, businesses are more susceptible to fraudulent activities. Fraudsters can easily impersonate users or create fake accounts, leading to identity theft and unauthorized access to sensitive information. This not only results in financial losses but can also damage the company's reputation.
- **Legal and Compliance Risks**
Many industries are governed by strict regulatory requirements that mandate the verification of customer identities (e.g., GDPR in Europe, KYC regulations in the banking sector). Failure to implement an EUV system with a company signature can result in non-compliance, leading to hefty fines, legal sanctions, and remediation costs.
- **Data Breaches and Security Incidents**
Lack of end user verification weakens the overall security posture of a company. It becomes easier for attackers to gain unauthorized access to the system, potentially leading to data breaches. Such incidents not only have financial repercussions but also erode customer trust and loyalty.
- **Loss of Customer Trust and Reputation Damage**
Customers expect businesses to protect their personal information and ensure secure transactions. A company's refusal to implement adequate EUV measures can lead to a perception of negligence, undermining customer trust. Rebuilding reputation after such damage is often costly and time-consuming.
- **Operational Disruptions and Financial Losses**
Fraudulent activities facilitated by inadequate EUV processes can disrupt operations, requiring significant resources to address security breaches, investigate fraud, and implement corrective measures. These disruptions often lead to direct financial losses and increased operational costs.
- **Decreased Market Competitiveness**
In a market where competitors are enhancing their security measures and trustworthiness through robust EUV processes, companies that fail to do so may find themselves at a competitive disadvantage. Customers and partners are more likely to engage with businesses that demonstrate a commitment to security and privacy.
- **Increased Risk of Insider Threats**
Without effective EUV, it's challenging to track and monitor user activities accurately. This increases the risk of insider threats, as malicious or negligent actions by employees, contractors, or partners can go undetected. Insider threats are particularly dangerous because they can cause extensive damage due to their access to sensitive information.
Conclusion
Implementing End User Verification with a company signature is not just about adhering to regulatory requirements; it's a fundamental component of a comprehensive security strategy that protects against a wide range of risks. The refusal to implement such measures can expose businesses to significant vulnerabilities, including financial losses, legal penalties, operational disruptions, and reputational damage. To safeguard their interests, assets, and stakeholders, companies should prioritize the implementation of robust EUV processes that include company signatures as a standard practice for verifying and authenticating user identities.
Recommendations
- Assess Current Security Posture: Conduct a comprehensive security assessment to understand the existing vulnerabilities and identify the need for enhanced EUV processes.
- Implement Robust EUV Solutions: Invest in and implement advanced EUV technologies that include company signatures, leveraging biometrics, digital signatures, and other authentication methods.
- Regular Training and Awareness: Educate employees, partners, and customers about the importance of security and the role of EUV in protecting their information.
- Continuous Monitoring and Improvement: Regularly review and update the EUV processes to adapt to emerging threats and changing regulatory requirements.
- Legal and Compliance Consultation: Work with legal and compliance experts to ensure that the EUV processes meet all relevant regulatory requirements and industry standards.
Waiver of Liability for Non-acceptance of Zero Trust Policy Client Facing Educational Documents
Waiver of Liability for Non-Acceptance of Zero Trust Policy
I, [Your Name], hereby acknowledge that I have been informed of the zero trust policy implemented by [Organization/Company Name], herein referred to as "the Company." I understand that the zero trust policy is designed to enhance security measures within the Company's network and systems.
I further acknowledge that despite being informed of the zero trust policy, I have chosen not to accept or adhere to its principles and guidelines.
By not accepting the zero trust policy, I acknowledge and agree to the following:
-
Assumption of Risk: I understand that by not adhering to the zero trust policy, I may be exposing myself and the Company to increased cybersecurity risks, including but not limited to unauthorized access, data breaches, and other security incidents.
-
Release of Liability: I hereby release, waive, discharge, and covenant not to sue the Company, its officers, directors, employees, agents, and affiliates from any and all liabilities, claims, demands, actions, or damages of any kind arising out of or related to my decision not to accept the zero trust policy.
-
Indemnification: I agree to indemnify and hold harmless the Company, its officers, directors, employees, agents, and affiliates from any and all liabilities, damages, losses, costs, or expenses (including reasonable attorneys' fees) arising out of or related to any security incidents or breaches resulting from my non-acceptance of the zero trust policy.
-
Acknowledgment of Consequences: I acknowledge that the Company has provided me with ample opportunity to review and understand the implications of not accepting the zero trust policy. I understand that my decision may impact my access to certain resources, systems, and privileges within the Company.
-
Voluntary Agreement: I certify that my decision not to accept the zero trust policy is voluntary and made of my own free will, without coercion or undue influence from any party.
I have read this waiver of liability and fully understand its terms and implications. I acknowledge that I am voluntarily waiving certain rights by not accepting the zero trust policy.
Signed this [Date] day of [Month, Year].
[Your Signature]
[Your Printed Name]
Please note that this waiver is a template and may need to be reviewed and adjusted by legal professionals to ensure compliance with relevant laws and regulations in your jurisdiction and to tailor it to the specific circumstances of your organization.
How To Verify a Technician's Identity Over SMS Client Facing Educational Documents
Adhering to our Zero-Trust Policy, your staff should treat every incoming call from us with skepticism and initiate the Technician Verification process without hesitation. With a clearly defined and easily accessible procedure, you attain peace of mind in mere moments.
{yourMSP} has a dedicated verification number to which you can direct all Technician Verification requests to. It is {VerificationNumber}.
For all purported requests from {yourMSP}'s service desk, please send a #verify message to {VerificationNumber}:
In a few seconds, you will be provided with a code, as above and in this case 870421, that should also be the code that your service desk technician should be provide to you. If it matches what you have been provided, you can be assured that the current call is from a legitimate technician from the {yourMSP} service desk.
With your satisfaction that the code matches, please respond with a #confirm to the same phone number and SMS conversation. This will close the Tech Verification process and will log this interaction with our service desk software and tied to the service ticket that your technician is calling about:
E-mail Template: What is End-User and Tech Verification? Client Facing Educational Documents
What is End-User and Tech Verification?
End-User and Tech Verification are identity verification techniques that confirm the identity of the respective person. Identity verification, in the context of cybersecurity and access control, refers to the process of confirming and validating the identity of individuals who are trying to access a system, application, or network. The goal is to ensure that only authorized users gain access to specific resources, while unauthorized or malicious actors are prevented from doing so.
Why does an {MSP} make use of Identity Verification?
{put MSP Name here} has adopted a Zero Trust Policy (ZTP). A ZTP is an approach to cybersecurity that assumes no entity, whether inside or outside the organization, can be trusted by default. This security model requires strict verification of anyone trying to access resources in the network, regardless of their location or the device they are using. There are several reasons why we have adopted a zero-trust policy:
- Changing Perimeter: Traditional security models rely on a secure perimeter, assuming that once someone is inside the network, they can be trusted. However, with the rise of remote work, cloud computing, and mobile devices, the concept of a secure perimeter has become less relevant. Zero trust acknowledges that threats can come from both inside and outside the network.
- Advanced Threats: Traditional security measures are not always effective against advanced persistent threats and sophisticated cyber-attacks such as AI-induced Voice Phishing Attacks. A ZTP approach helps to mitigate the risk of these threats by continuously verifying and authenticating users.
- Data Security: As organizations increasingly store sensitive data in the cloud and allow remote access to their networks, protecting data becomes paramount. ZTP ensures that only authorized users have access to specific data and resources, reducing the risk of data breaches.
- Mobile Workforce: With more employees working remotely or using mobile devices to access corporate resources, the traditional model of trusting devices based on their location becomes impractical. Zero trust considers every access attempt as potentially untrusted, regardless of the user's location.
- Privileged Access: Zero trust is particularly important for managing privileged access. Even employees with higher levels of access must continuously authenticate and prove their identity, reducing the risk of misuse of privileged credentials.
- Insider Threats: While the majority of employees are trustworthy, insider threats can still pose a significant risk. Zero trust helps organizations minimize the potential damage from insider threats by enforcing the principle of least privilege and continuous monitoring.
- Compliance Requirements: In many industries, there are regulatory requirements that mandate a high level of security and data protection. Adopting a ZTP can help organizations meet these compliance standards and demonstrate a commitment to securing sensitive information.
By adopting a ZTP, {MSP} aims to enhance our client’s overall security posture, adapt to the evolving threat landscape, and protect critical assets from both internal and external threats.
What are typical ways to Authenticate an Identity?
The goal of identity verification is to ensure that the person claiming a particular identity is, indeed, who they say they are. Verification, to be effective, relies on Multi-Factor Authentication (MFA). He is a list of factors that we rely on:
- Something You Know: This involves knowledge-based factors such as passwords, PINs, or security questions. Often these are not available at the time of authentication because of forgotten information. They can often be compromised because they are often shared or based upon easily generated information (birth dates, addresses or less.)
- Something You Have: This includes possession-based factors such as security tokens, smart cards, or mobile devices. In the case of a mobile device, this usually means the phone number and possession of the device as forms of authentication because you can reference them via a phone call, SMS or an application notification push.
- Something You Are: This involves biometric factors like fingerprints, facial recognition, or retina scans. With access to your mobile devices your biometric information authenticated and stored on the device is proof of something that is unique to the end user.
So how does End-User Verification make use of the Authentication Factors listed above?
End-User Verification is a 30-second process and because of our ZTP, it is required on every service desk call from our clients.
SMS send – EUV pushes a 6-digit code or a single-click link to a mobile device (Something you Have). Since the end-user has supplied the phone number (Something you Know) of the mobile device that relies on a PIN, Password (Something you know) or a biometric (Something you Are) to access the device, you have three levels of authentication in place.
Email send – as above, EUV pushes the 6-digit code or single-click link to a known email address. The email box would be authenticated by the physical access to the mobile or desktop device AND to the email client.
Client Portal or Client App – in the event that you don’t have access SMS or email or it is more convenient to do so, the user can access either the Client Portal with a password (Something You Know) or the Client App with a biometric login (Something you Are). Once the End-User has accessed the Portal or App, the technician can push a code or a confirmation request for the End-User to complete the Verification.
What is the purpose of Tech Verification?
Often threat actors will pose as a technician from a service desk in an attempt to gain access to your network, servers, or other network applications. They often sound credible because they may have obtained some pertinent or meaningful information that can be used to fool you into believing that you are speaking with a technician from the {MSP} service desk.
With ZTP, all End-Users should verify any solicited or unsolicited call purporting to be from {MSP} or our service desk.
Tech Verification is a simple, 30 second process. The End-User sends #verify using SMS on their mobile (Something you have) number to our published Verification phone number (Something you know). In response to this, you will be provided with aa unique 6-digit code that only you and a valid service technician from our service desk will know. When the technician provides this code to you, and you are satisfied that it is correct, you send #confirm on SMS back to the Verification phone number.
Here are some tips to help you prevent phishing attacks:
Don’t trust caller ID: Caller ID can be easily spoofed, so just because a call appears to be from your {MSP} or other Service Provider doesn’t mean it’s legitimate. Always be suspicious of unsolicited calls asking for personal, network, applications or computer information.
Verify the caller: If someone calls claiming to be from your {MSP} provider or another organization, initiate the Tech Verification procedure or hang up and call them back using a phone number you know to be genuine. Don’t use the number they give you, as it may be fake.
Don’t give out personal information: Never give out personal or corporate information, such as passwords, PINs, or credit card numbers, to someone who calls you, until you have confirmed that they belong to a trusted organization.
Modes of Operation for Zero-Trust Policy on Voice Calls Client Facing Educational Documents
Introduction
Enterprises or individuals (collectively referred to as End-Users or “EU)” recently have been burned by Threat Actors (“TA”) who pose as authority representatives from a government, bank, telecom provider, IT service provider, or any other service provider (collectively referred to as Service Providers or “SP”). They try, through what is colloquially called voice phishing, to pry information from the EU which might enable them to compromise the EU’s enterprise systems, data, bank accounts, etc. In an attempt to thwart the threat attempts, we have developed a Verification System (“VS”) which allows the EU to verify that any voice call requests can be verified as legitimate or a threat.
How is it achieved?
This is accomplished by training the EU to have no trust for any incoming phone call from any SP seeking proprietary information. They are instructed to initiate a verification sequence to validate that the request is from a legitimate entity at the SP.
This provides confidence because it is achieved through multi-factors, all of which are only known by the two participating and valid entities – the SP and the EU.
There is always an a priori information known only by each entity. In the case of the SP, they would know the EU’s phone number, email address or that the EU is a valid registered user of the Customer Portal (“CP”). The EU would know of the SP-provided phone number, email address, or CP. The CP is protected by a UserID/Password sequence.
No matter what medium is used for verification – SMS, email, CPl – the process for the verification follows a very similar procedure. There is always something that is known between the two parties that is not generally published for public consumption such as an SP-provided SMS phone number (“SPN”), Private email address (“PEA”), or a customer portal (“CP”) with a UserID/Password (“UIP”) login sequence.
The sequence would be as follows:
- The SP has reason to contact the EU, and this is done through a voice call to the EU. The SP may be a IT SP responding to a service request ticket, or a bank looking for confirmation on a potentially fraudulent transaction.
- The agreed upon policy between the SP and the EU is that the verification procedure will be initiated for any voice call initiated by the SP to the EU
- The EU, using the agreed upon medium (SMS on a mobile device, an email on mobile, laptop or other computing device, or a web-based customer portal accessed by any of the above devices, the EU starts the verification request (“VR”) by sending a Verify Code (“VC”), #verify for example, to a pre-agreed but private SPN, or a pre-agreed PEA. In these cases, the VC must be initiated from an EU email address or phone number known by the SP. In the case of the CP, the EU logs into the CP with their specific UIP, and clicks on a Verify button within the CP.
- Any of the above Verify commands initiate a sequence of events within our VS that will be completed when the EU has been satisfied that the SP been verified or can reject the verification. In the event that the VR comes from an unknown phone number or email address, the VR process will not be started. However, all VR will be logged for compliance and historical recall.
- The VS will generate a random number (usually 6 digits, but could be any number) that will be:
-
-
- Sent back to the EU through the medium (SMS, email, or CP) from where the VR originated and to the respective phone number (SMS) or email address (email) that originated the VR. In the case of CP-originated VR, the code will be pushed to a banner on the CP. In all cases the code will be sent with an appropriate message indicating its use. The message will read something thing like “The verification code ‘012345’ should be provided BY your service provider. If the code matches the one previously provided to you, you may initiate the confirmation response”.
-
-
-
- Provided to the SP in a SP console with a message that will read something like “ Please provide code ‘012345’ to the EU.
-
-
- The SP will provide the code to the EU via the phone call.
-
- If the EU is satisfied that the SP has provided the corresponding matching code:
-
-
- the EU may give a verbal confirmation to the SP that they are satisfied with the legitimacy of the SP and continue the phone call in which case the SP must manually log this response,
-
-
-
- the EU may send a Confirmation Code (“CC”), #confirm for example, to the SPN or the PEA. In the case of the CP, the EU would click on the “Confirm” button within the CP.
-
-
- If the EU is not satisfied that the SP has provided the matching code the EU may:
-
-
- Hang-up the phone
-
-
-
- Re-initiate the VR
-
5. There are some ancillary functions of the VR that can be considered in specific applications. In the event that the SP has a service or help desk platform, the entire sequence of events ( VR, and corresponding response) can be logged within a service ticket for posterity when the Verification Sequence has been completed. This could be automatic or at the approval of the SP personnel.
E-mail Templates: Short Introductions to Zero Trust Policies Client Facing Educational Documents
Subject: End-User Verification: Ensuring Mutual Security with {Your MSP Name}!
Body:
In today's digital landscape, cyber security threats loom large, fueled by the rapid advancements in Artificial Intelligence. At {Your MSP Name}, we're dedicated to staying ahead of these threats and fortifying our service desk against potential breaches.
Think about the routine verification processes you encounter when contacting your bank, government agency, or mobile phone provider. Shouldn't the same level of scrutiny be applied when safeguarding your business?
That's why {Your MSP Name} is implementing a Zero-Trust Policy for End-User Verification. Every interaction with our service desk involves a simple identity verification process, ensuring that only authorized personnel access your sensitive information or provide support instructions.
While we understand that this additional step may seem like a minor inconvenience, it's a critical measure to uphold the security of your business. Our End-User verification process is designed to be seamless, non-intrusive, and efficient, eliminating the need for memorization of information or PINs and typically completed in seconds.
With {Your MSP Name}, rest assured that your security is our priority. Together, let's reinforce our defenses and create a safer digital environment for your business.
Subject: Technician Verification: Elevating Your Security with {Your MSP Name}!
Body:
At {Your MSP Name}, our team is highly trained to detect security threats. However, as the landscape of voice-phishing attempts evolves with increasing sophistication, we've bolstered our Zero-Trust security policy by introducing End-User Verification. Through our proactive security measures, we enhance your overall security.
Yet, many businesses lack the necessary tools to combat similar attacks within their own environments. That's why {Your MSP Name} offers a swift Technician Verification process, enabling you to promptly and accurately confirm the identity of any caller claiming to be from our team. Adhering to our Zero-Trust Policy, your staff should treat every incoming call from us with skepticism and initiate the Technician Verification process without hesitation. With a clearly defined and easily accessible procedure, you attain peace of mind in mere moments.
Seeking evidence of our commitment to the Zero-Trust Policy? Rest assured, all verification interactions between {Your MSP Name} and your organization are meticulously logged for compliance and historical reference.
Together, we're dedicated to ensuring robust security measures.
Instructing your Customer About the End-User Verification Workflow Client Facing Educational Documents
End-User Verification
{yourMSP} takes security seriously. As part of that, we will be verifying your identity on each call to our Service Desk.
The End-User Verification will take one of 7 forms depending on what information we have available and the available configurations (Duo, Client Portal) :
1) If we have a valid email in our system verification can take one of two forms:
-
- email one-click Secure Link. Note that his email will come from noreply@mspprocess.com. Please click on the link as indicated below within the specified period of time:
The final step is to click on the "Validate":
If the Validate completed successfully, you will see the following:
2) If Duo has been configured, please go to your Duo Mobile app on your mobile phone and "Approve" the verification push:
3) If we have a valid mobile phone number on file we can do the End-User Verification via SMS. The published phone number for all Verification requests for {yourMSp} will come from {YourVerificationNumber}:
- Six-Digit Code - Please repeat the six-digit code back to your service desk technician within the specified period of time:
4) Single-Click Secure Link - when you receive the text via SMS, please click on the validation link as specified below:
Click on "Validate" to complete the verification process:
If verification is successful, you will get the following screen. The verification is now complete:
5) If a client portal has been configured, verification can proceed via the client portal. Please go to http://{your Msp}.mspprocess.net and log in to the portal with your credential information.
When you are logged in and ready, your service technician will verify you in one of two ways:
-
- Confirmation from the Client Portal. Click on the "CONFIRM" button before expiration:
6) Confirmation from the Client Portal with a six-digit code sent via SMS to your mobile phone:
Take the six-digit code that you receive from your mobile phone via SMS to put in the client portal dialog box and click "CONFIRM":
7) If no email or mobile phone is available, you can be verified with a voice phone call to the specified landline phone that we may have on file. The automated system will read you a six-digit phone number so be prepared to write this single-use number down. The six-digit will be repeated a second time if you happen to miss the first time. Provide this six-digit code to your service technician. Your technician will confirm the sucessful completion of the verification.