Cyber insurance is driving a long-overdue improvement in user access security. Multi-factor authentication (MFA) is fast becoming a requirement for all privileged and non-privileged accounts, whether users are working on the internal network or remotely.
MFA was not a requirement in previous cyber insurance renewals, but insurers are now demanding that firms have it. It seems insurers are tired of paying claims for data breaches and have toughened their requirements for coverage. As the cyber insurance market hardens, insurers scrutinize their portfolios and look for clients whose security controls more closely align with a higher standard. By requiring MFA, cyber insurers drastically cut their exposure.
What are the Benefits of MFA?
MFA is no silver bullet, but it is a key defense to the threat of compromised passwords. Throughout the 2021 Verizon Data Breach Investigation Report (DBIR), we see the many variations and attack use-cases for compromised credentials, and the high efficacy of each method. The report found that credentials are the #1 data type stolen and that hacked credentials lead to 61% of all breaches.
Quite simply, when an attacker is using valid (that is, stolen but still valid) credentials, why would your antivirus, firewall, or other technologies you might have in place flag anything unusual? Your tools assume that people accessing your network are who they say they are.
Adding a second factor (two-factor authentication) typically means either requiring “something that you have” or “something that you are” in addition to a password – “something that you know”. If one factor is compromised or broken, an unauthorized user still has at least one more barrier to breach before successfully breaking into a target system.
Where are Cyber Insurers wanting to see MFA Deployed?
Insurers view MFA as a best practice and are starting to ask more questions about MFA when placing or renewing cyber insurance. Cyber insurance providers are saying no to a renewal if organizations are unable to demonstrate that MFA is in place.
For example, an organization must answer yes to all of the following questions concerning MFA:
1. Is multi-factor authentication required for all employees when accessing email through a website or cloud-based service?
2. Is multi-factor authentication required for all remote access to the network provided to employees, contractors, and 3rd party service providers?
3. In addition to remote access, is multi-factor authentication required for the following, including such access provided to 3rd party service providers:
   a. All internal & remote admin access to directory services (Active Directory, LDAP, etc.)
   b. All internal & remote admin access to network backups
   c. All internal & remote admin access to network infrastructure components (switches, routers, firewalls)
   d. All internal & remote admin access to the organization’s endpoints/servers
That’s not to say that enacting MFA across your organization is going to guarantee you a premium discount. According to Woodruff Sawyer, one of the largest insurance brokerage and consulting firms in the US,
“Insurers rarely provide a substantial discount based on a single security control, preferring to assess the combination of controls a company deploys against cyber threats in addition to the company’s industry, size, and specific risks. Rather, enacting MFA will benefit your insurance program in two potential ways: reducing your claims activity, which over the long term can significantly improve your insurance pricing; and qualifying your company for cyber insurance quotes from multiple carriers, ensuring competition for your business that will produce favorable terms.”
Multi-Factor Authentication: A Small Step for a Big Decline in Cyber Attacks
What Stops Companies from Deploying MFA?
The threat of compromised credentials is well known among most organizations, and yet, despite the push from cyber insurers, some organizations are still reluctant to adopt MFA. We believe this reluctance is driven by four myths about MFA.
- MFA is not just for large enterprises. The data to protect is as sensitive and the disruption as serious in any company, regardless of size.
- MFA is not just for privileged users. Most “non-privileged” employees actually have access to data whose exposure can harm the company. Nor should it be forgotten that cybercriminals usually don’t start with a privileged account; they take advantage of any account they can compromise and then move laterally within the network.
- MFA is not perfect, but it’s a huge step towards it! No security is perfect and as the FBI affirms, MFA is effective and one of the simplest steps an organization can take to improve security.
- MFA doesn’t have to disrupt users’ productivity. Administrators can avoid prompting users for MFA each time they log in. MFA should be customized according to each company’s needs.
Source: IS Decisions