Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Eric Williams of HID argues that as data breaches become more common, MFA will help you qualify for cyber insurance and lower your premiums.
It’s not your imagination. Data breaches and ransomware attacks have become a nearly regular topic in the news. Why? One reason is the explosion of cloud and SaaS applications, which led to a 307 percent rise in account takeover attacks between 2019 and 2021 alone. The financial losses incurred by these attacks can be staggering. According to IBM’s “Cost of Data Breach 2022” report, the average cost of a data breach reached USD 4.35 million in 2022, an existential cost for many SMEs.
There are no easy answers to this problem. Organizations of all sizes need a robust cybersecurity strategy to help minimize risks, utilizing a range of tools and procedures that ensure adequate protection. However, there is one crucial foundation that all organizations should have in place: multi-factor authentication (MFA), which is the use of multiple discrete authentication methods during access to accounts, applications, and data. MFA is so effective that its use can lead to reduced cyber insurance premiums. In fact, some cyber insurance companies won’t provide coverage unless MFA is in place.
A Cyber Insurance Primer
While any organization should consider cyber insurance, it is especially imperative for small businesses since they are prime targets for cyber-criminals. These businesses do not have the expensive security tools in place required to prevent network breaches or scams and, if attacked, could not afford to cover the huge expenses incurred without cyber insurance.
There are hundreds of cyber insurance providers and policies available around the world, covering many different scenarios. Commonly, these policies cover:
- The costs of direct expenses associated with an attack, ranging from expert consultant services to breach notification and restoring or repairing data.
- Legal costs and associated profit losses if a cyber-attack leads to a class-action lawsuit, a breach of privacy, or the inability to meet contractual obligations.
- Technology rendered unusable and the associated costs required to restore it.
- Recouping of monetary transfer payment fraud losses caused by social engineering.
- Profit losses from reputational damage (often limited to a set period).
Not all providers will cover all these costs unconditionally, and premiums can be expensive. It’s also important to note that cyber insurance does not replace having a strong cybersecurity framework with features like MFA that stop cyber-crime in the first place. In fact, MFA is increasingly becoming a non-optional tool for obtaining insurance. Without it, you could face being denied coverage, or be forced to pay much higher insurance premiums.
There are established conditions for obtaining cyber insurance coverage and reducing premiums. These range from implementing security awareness training to backing up sensitive and valuable data, regularly auditing and reviewing security procedures and policies, and encrypting all data. One of the most common conditions is the implementation of identity and access controls with secure provisioning and – crucially – MFA. MFA helps to prevent account takeover attacks and is proven to be highly effective in stopping identity-related data breaches.
How MFA Works
The authentication “factors” in the MFA acronym are the methods for confirming identity when a user requests access to a digital resource.
The three most common are:
- Something you know: a password, or PIN
- Something you have: a secure device such as a smartphone, card, or USB device
- Something you are: a biometric check, including a fingerprint or facial recognition
In the current threat landscape, implementing MFA is an important step, not just for qualifying for cyber insurance but also for establishing a strong cybersecurity posture. MFA protects access to sensitive applications, systems, and data by preventing attackers from compromising accounts, even if they have managed to steal usernames and passwords. Passwords are frequently stolen via phishing emails that are disguised as legitimate messages and designed to harvest credentials.
These user-focused attacks are easy to execute at scale, leaving many organizations at risk globally. However, some insurance providers will not cover breaches from these attacks. MFA helps organizations avoid this scenario by enabling authentication policies over networks, applications, and devices that prevent unauthorized access, no matter the location.
MFA is essential even if you are not looking to qualify for a cyber insurance policy or reduce premium costs. Just as important is regulatory compliance. In May 2021, The Executive Order On Improving the Nation’s Cybersecurity signed by U.S. President Joe Biden mandated the use of MFA for all federal agencies, and in Europe, the use of MFA is recommended by ENISA guidelines. Globally and domestically, there are a growing number of mandates that recommend or require MFA, including PCI DSS v4.0 for the payment industry, and CJIS v5.9.2 for law enforcement.
The easiest way for organizations to implement MFA across all accounts is by deploying an enterprise multi-factor authentication solution. There are different ways to implement MFA that strengthen cybersecurity, improve a risk profile, and achieve phishing-resistant authentication.
MFA Deployment Best Practices
Key features to look for in an MFA solution include:
- Phishing Resistant Multi-Factor Authentication: New methods of phishing are designed to bypass MFA controls. MFA solutions’ authentication methods and policies must be designed to withstand these attacks. In the US, the Cybersecurity and Infrastructure Security Agency (CISA) recommends implementing FIDO2/WebAuthn-based authentication. This is a widely supported authentication method that enables secure, passwordless authentication utilizing trusted devices. With this method, a private key is stored locally on the client device, while the public key is registered with the online service. During a login attempt, the user’s device performs a local multi-factor check, such as a fingerprint scan, and then proves possession of the private key to the service, which enables secure, phishing-resistant access to accounts without the use of a password.
- Support For Various User Preferences and Access Requirements: The best authentication providers offer a broad range of flexible authentication methods to meet your organization’s unique needs and support user preferences. There are a range of authentication methods (OTP, PIN, FIDO, biometrics, push notifications, etc.) and form factors (mobile, smart card, security key) available, so it is important to consider the unique needs of your users when selecting a solution. It is also important to consider that not all methods of authentication are equally secure. Sending an OTP via email or SMS is less secure than biometrics or a push notification – choosing a solution that offers these more secure methods can help to reduce cyber insurance premiums.
- Flexible Access Control Policies: An MFA solution should support a broad range of authentication methods and form factors (OTP, PINs, FIDO, hardware, biometrics) but also access control policies which can be configured and fine-tuned to ensure consistent security rules are set and maintained to prevent unauthorized account access. For example, the question of how many times an MFA attempt is allowed before the system is locked is ultimately dependent on how risk-averse your organization wishes to be. This must be balanced against the needs of users who need to log into their work accounts quickly.
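The following is an added illustration (not code from the article or from HID) of why the FIDO2/WebAuthn model described in the first bullet above resists phishing: the device signs the service's challenge together with the origin the browser actually loaded, so a signature produced on a lookalike site does not verify at the genuine one. It is a simplified model of the protocol: the relying-party identifier is represented by the origin string, the user-verification step (fingerprint etc.) is assumed to have passed, and the origins and challenge are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData is what the browser reports: the server's challenge and the origin the login page was really loaded from.
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}
// Register creates the key pair on the user's device. The private key stays there; only the public key goes to the relying party (RP).
func Register() (*ecdsa.PrivateKey, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return priv, &priv.PublicKey
}
// toBeSigned mirrors WebAuthn: the signature covers hash(rpId) || hash(clientDataJSON), so the origin is bound into it (rpId modelled by the origin string here).
func toBeSigned(rpOrigin string, cd ClientData) []byte {
	rpHash := sha256.Sum256([]byte(rpOrigin))
	raw, _ := json.Marshal(cd)
	cdHash := sha256.Sum256(raw)
	digest := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return digest[:]
}
// Sign runs on the device after local user verification (assumed passed). The browser, not the user, supplies the origin, so a lookalike page cannot claim to be the real one.
func Sign(priv *ecdsa.PrivateKey, browserOrigin string, challenge []byte) (ClientData, []byte) {
	cd := ClientData{Challenge: challenge, Origin: browserOrigin}
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, toBeSigned(browserOrigin, cd))
	return cd, sig
}
// Verify is the RP check: reported origin and challenge must be the RP's own, and the signature must verify under the stored public key.
func Verify(pub *ecdsa.PublicKey, rpOrigin string, challenge []byte, cd ClientData, sig []byte) bool {
	return cd.Origin == rpOrigin && bytes.Equal(cd.Challenge, challenge) &&
		ecdsa.VerifyASN1(pub, toBeSigned(rpOrigin, cd), sig)
}

func main() {
	priv, pub := Register()
	rp, challenge := "https://bank.example", []byte("constructed-random-challenge") // constructed sample values
	cd, sig := Sign(priv, rp, challenge)
	fmt.Println("genuine site:", Verify(pub, rp, challenge, cd, sig)) // true
	cd, sig = Sign(priv, "https://bank-example.login-help.net", challenge) // constructed lookalike origin
	fmt.Println("lookalike site:", Verify(pub, rp, challenge, cd, sig)) // false
}
```

Because the signed data includes the origin, an attacker who relays the response cannot simply rewrite the reported origin either, since the signature then no longer matches.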
Qualifying for cyber insurance and reducing premiums requires an investment in robust, secure MFA for all accounts and devices. Not all MFA solutions are created equal, though, and the best solution will offer a broad range of authentication options and form factors, and will be easy to deploy, manage and use.