Ransomware – a demand for monetary payment to regain access to one’s data or network – continues to top the charts as a go-to get-rich-quick scheme for cybercriminals. As we know, the pandemic has spurred the work-from-home or hybrid work movement, which will likely continue for years to come. With more and more employees working from home, more data is being shared remotely, leaving the door open for missed or inadequate IT and technology security. Phishing, fraud schemes, and social engineering methods used to demand ransom are particularly attractive because they target and take advantage of the number one security risk – company personnel.
In light of the heightened risk of ransomware, cyber insurance coverage has seen explosive growth, forcing insurance companies to make massive payouts. In turn, the prerequisites for obtaining cyber cover have also evolved and now include, among other things, an internal security measure called multi-factor authentication (“MFA”). Single-password systems are no longer sufficient safeguards. Password theft is common because many people use the same password on every system they access, and one of those systems has been compromised at one time or another.
Multi-factor authentication is not a new concept, but the topic is a hot one and a sticking point as insurers assess the solutions and policies required for cyber insurance coverage in light of the exponential rise in ransomware attacks.
What is MFA? Multi-factor authentication is an additional level of security on top of ordinary passwords. When logging into a system, program, or device with a password, MFA requires the user to receive and enter a second form of authentication, which can be delivered via text, call, email, or some other means of providing a code. My colleague Scot Ganow wrote about this years ago in his PDS blog post (he would call it a plea), “Multi-factor authentication (MFA). Please. Do it. Now.” Some may find MFA a bit tedious because it’s an extra step in the login process. While this may be true, MFA is relatively simple to use and implement, relatively inexpensive, and quite effective at stopping hackers who attempt to gain access to a system.
The cost-benefit analysis is a no-brainer, as the average ransomware payout is in the millions and MFA is said to block 99% of attempted attacks. Implementing MFA is a simple and effective step to proactively prevent breaches when a threat actor strikes. And, in the end, let’s face it: security isn’t meant to be convenient. Trust us, the extra few seconds it takes to log into an account are nothing compared to the days and weeks (and dollars) spent trying to recover from a security incident. And if that wasn’t enough, how about doing it just to get or keep your cyber insurance? Carriers require it to obtain insurance and may deny coverage if you don’t have it in place. Again, consider the call: Multi-factor authentication (MFA). Please. Do it. Now.