The average ransom demand grew 36% to $6.1 million last year as attacks placed increasing emphasis on leaking stolen data as a way to pressure victims into paying. As the threat grows, we’ve seen an uptick in companies seeking cyber insurance to compensate them in case of an attack. Not long ago businesses could obtain cybersecurity insurance without following any specific cybersecurity practices as a prerequisite; this is generally no longer the case, and many cyber insurance providers now require basic security hygiene from their customers.
One of those requirements is multi-factor authentication (MFA), which adds a layer of protection to sign-in processes. The move was encouraged in part by a recent Executive Order on improving the nation’s cybersecurity, which included a mandate for MFA within all federal agencies in the United States. New requirements for cyber policies can now include a number of prerequisites around MFA, such as enforcing MFA for all employees accessing email through a website or cloud-based service; requiring MFA for remote access to the network provided to employees, contractors, and third-party providers; and requiring MFA for internal and remote admin access to directory services, network backup environments, network infrastructure, and the organization’s endpoints and servers.
An MFA-protected system is much harder to hack than one protected by passwords alone. This is especially true because humans are inherently terrible at creating and remembering passwords that are difficult to crack. By definition, MFA requires two or more proofs of your identity beyond your standard login credentials. The different verification factors come from these groups:
- Something you know: A “knowledge factor” like a password or answer to a security question.
- Something you have: A “possession factor” like a one-time SMS password or security key.
- Something you are: An “inherence factor” like a fingerprint or facial scan.
MFA is clearly important, but organizations may be struggling to determine how it can or should be implemented across their IT infrastructure. With no shortage of MFA approaches, solutions, and products available, it’s good to map out where you might want it implemented. From there, take a step back to identify the solution that solves the problem for you and will be the easiest to implement and manage.
We generally recommend focusing first on remote access, as this leaves companies open to the most risk and provides low-hanging fruit to attackers (commonly a VPN with no MFA). We then recommend addressing email access, as a compromised mailbox can lead to additional account compromise; we have seen attackers gain access to e-mail and then leverage MFA (with e-mail based verification) to move laterally. Finally, look at implementing MFA on privileged/administrative accounts, which will help reduce the internal blast radius. It’s also important to consider and prioritize critical business applications that store sensitive data, as those applications will be targets for the attacker.
MFA can protect organizations from a variety of cyber threats, including phishing, compromised applications, malware, and business email compromise (BEC). With MFA in place, attackers won’t have access to the additional pieces of information needed for authentication – keeping targeted resources safe and out of reach. Further, an unauthorized login attempt on an MFA-enabled system or application will also alert the IT admins and empower them to take immediate action. In this way, MFA can also improve readiness and increase the speed of incident response.
Insurance underwriters have the difficult job of assessing an organization’s risk in a cyber threat landscape that changes as rapidly as the technologies built to combat it – and organizations are challenged to keep up with the requirements that change as a result. MFA alone is not a panacea. Organizations seeking to secure cyber insurance – and better protect their IT infrastructure – should consider MFA as one piece of the comprehensive cybersecurity puzzle.