The average ransom demand increased 36% to $6.1 million last year as attacks increasingly focused on leaking stolen data as a way to pressure victims into paying. As the threat grows, we have seen an increase in the number of businesses seeking cyber insurance to compensate them in the event of an attack. While not long ago businesses could obtain cyber insurance without following specific cybersecurity practices as a prerequisite, this is generally no longer the case, and many cyber insurance providers now require baseline security controls of their customers.
One such requirement is multi-factor authentication (MFA), which adds a layer of protection to the login process. This move was encouraged in part by a recent executive order on improving the country’s cybersecurity, which included a mandate for MFA within all federal agencies in the United States. New cyber policy requirements can now include a number of prerequisites around MFA, such as requiring MFA for all employees accessing email through a website or cloud-based service; for all remote access to the network granted to employees, contractors and third-party suppliers; and for internal and remote administrator access to directory services, network backup environments, network infrastructure, and organization endpoints and servers.
A system protected by MFA is much more difficult to hack than a system protected only by passwords. This is especially true because humans are inherently terrible at creating and remembering hard-to-crack passwords. By definition, MFA requires at least two proofs of your identity in addition to your standard login credentials. The different verification factors come from these groups:
- Something you know: a “knowledge factor” such as a password or the answer to a security question.
- Something you have: a “possession factor” such as a one-time SMS password or a security key.
- Something you are: an “inherent factor” such as a fingerprint or facial scan.
MFA is clearly important, but organizations can struggle to determine how it can or should be implemented in their IT infrastructure. As there is no shortage of MFA approaches, solutions, and products, it’s good to first figure out where you want to enforce it. From there, take a step back to identify the solution that solves that problem for you and will be the easiest to implement and manage.
We generally recommend focusing on remote access first, as this leaves businesses at the greatest risk and provides low-hanging fruit for attackers (typically a VPN without MFA). We recommend that you then address email access, as a compromised mailbox can lead to further account compromise; we’ve seen attackers access email and then leverage MFA (with email-based verification) to move laterally. Finally, consider implementing MFA on privileged/administrator accounts, which will help reduce the internal blast radius. It is also important to consider and prioritize critical business applications that store sensitive data, as these applications will be targets for an attacker.
MFA can protect organizations against a variety of cyber threats, including phishing, compromised apps, malware, and business email compromise (BEC). With MFA in place, an attacker who obtains a password still lacks the additional factor needed to authenticate, which keeps targeted resources out of reach. Additionally, a failed or unexpected login attempt on an MFA-enabled system or application can alert IT administrators and allow them to take immediate action. In this way, MFA can also improve preparedness and increase incident response speed.
Insurance underwriters face the difficult task of assessing an organization’s risk in a landscape of cyber threats that changes as rapidly as the technologies designed to combat them – and organizations are challenged to keep up with requirements that change accordingly. MFA alone is not a panacea. Organizations looking to secure cyber insurance – and better protect their IT infrastructure – should consider MFA as one piece of the complete cybersecurity puzzle.