In January and February, many organizations renew their cybersecurity insurance through what used to be a straightforward process. Over the last few years as more breaches occurred, insurance companies have chosen to tighten their requirements and refuse insurance to organizations that aren’t following strict guidelines. This year, the renewing process is more complicated because insurance companies have set their sights on multi-factor authentication (MFA).
MFA describes requiring two or more independent types of proof before a user gets into an account. The factors fall into three categories: something you know (e.g., a password or PIN), something you have (e.g., a phone or hardware token that receives or generates a one-time code), or something you are (e.g., biometric data such as a fingerprint). A username is an identifier, not a factor; a password plus a second password is still only one category.
In the past, cybersecurity insurance companies didn’t require organizations to implement many security measures before they could receive coverage. MFA wasn’t always required, but now cybersecurity insurance companies want their customers to use MFA on every account that is protected by a username and password. Since requirements have become tighter, this poses problems for any organization looking to obtain or renew cybersecurity insurance if it doesn’t already meet the MFA requirements. While cybersecurity insurance isn’t always a must, many organizations are interested in having it because their board of directors hears about current cybersecurity concerns and wants to limit financial liability.
Some might wonder why insurance providers are cracking down on MFA use in particular. The best way to explain this is to look at the most common types of breaches. First, stolen and reused passwords are one of the most common causes: users tend to reuse the same password across many logins, so a password exposed in one service’s breach often lets an attacker log in to other accounts as well (credential stuffing).
Another common way organizations are breached is phishing, where attackers pose as a legitimate source and ask for a user’s login information. If the victim falls for the attempt and enters their credentials, the attacker can log in to that account with little effort.
While user education is paramount for any organization serious about cybersecurity, MFA is an effective control for both of these issues because it adds at least one more proof the user must present before gaining access. Even if an attacker obtains your password, they still have to supply a second factor like a fingerprint scan or a one-time code from your phone, and for most opportunistic attacks that is enough to stop them. The practitioner’s caveat is that a one-time code can itself be phished and relayed in real time, so codes raise the bar rather than eliminate phishing; factors bound to the site, such as FIDO2 security keys, are the strongest option where they are available.
How Do We Meet the New MFA Standards?
While not all cybersecurity insurance companies have the same standards for MFA, there is a general progression your organization can follow to increase MFA adoption and align with the common policy requirements. First, make sure MFA is enforced on all staff email accounts if it isn’t already, since email is the most commonly phished target and the recovery channel for other accounts. Next, require MFA for all users accessing cloud services within your organization. The level after that is to require MFA for logins to desktops and laptops. Finally, require MFA for all administrative access to servers and network infrastructure, including VPN and remote-access paths, which insurers increasingly ask about specifically.
When implementing MFA, it’s important to ensure the process is user-friendly. Picking the right type of authentication from the start is key, which is why DelCor recommends apps like Cisco’s Duo MFA to clients. Instead of having staff type a long code from their phone, Duo and similar apps let users complete MFA by approving a push notification. One caution: attackers who already hold a password will sometimes send prompt after prompt hoping a tired user taps “Approve,” so pair push with number matching (in Duo, Verified Push) so that approving requires a code shown on the login screen. Keeping MFA simple for your staff will keep them invested in following your new security protocols, and your organization will be in a good place to meet one of the new cybersecurity insurance requirements.