Cyber liability insurance (also known as cyber insurance) is driving a long-overdue improvement in user access security. Multi-factor authentication (MFA) is fast becoming a cyber insurance requirement for all accounts, privileged and non-privileged, to protect on-site and remote access. Here’s a quick guide to understanding the MFA insurance mandate.
MFA was not a requirement in previous cyber insurance subscriptions or renewals, but cybersecurity insurance providers now demand it. It seems insurers are tired of paying claims for data breaches and have toughened their requirements for coverage. As the cyber insurance market tightens, insurers scrutinize their portfolios and look for clients whose security controls align more closely with a higher standard. By requiring MFA, cyber liability insurers drastically cut their exposure.
What Are the Benefits of MFA?
MFA is no silver bullet, but it is a key defense against the threat of compromised passwords. Throughout the 2021 Verizon Data Breach Investigations Report (DBIR), we see the many variations and attack use cases for compromised credentials, and the high efficacy of each method. The report found that credentials are the #1 data type stolen and that hacked credentials lead to 61% of all breaches.
Quite simply, when an attacker is actually using valid (that is, stolen but valid) credentials, why would your antivirus, firewall, and other technologies flag anything unusual? Your security tools assume people accessing your network are who they say they are.
This is where MFA comes in. Adding a second factor (two-factor authentication, or 2FA) typically means either requiring “something that you have” or “something that you are” in addition to a password, “something that you know”. If one factor is compromised or broken, an unauthorized user still has at least one more barrier to breach before successfully breaking into a target system.
Where Do Cyber Insurers Want to See MFA Deployed?
Insurers view MFA as a best practice. When placing or renewing cyber insurance, you can expect to see several questions about MFA. If organizations are unable to demonstrate that MFA is in place, cyber insurance providers are saying no.
For example, an organization must answer yes to all of the following questions about MFA.
1. Is multi-factor authentication required for all employees when accessing email through a website or cloud-based service?
2. Is multi-factor authentication required for all remote access to the network provided to employees, contractors, and third-party service providers?
3. In addition to remote access, is multi-factor authentication required for the following, including such access provided to third-party service providers:
   - a. All internal and remote administrator access to directory services (Active Directory, LDAP, etc.)
   - b. All internal and remote administrator access to network backups
   - c. All internal and remote administrator access to network infrastructure components (switches, routers, firewalls)
   - d. All internal and remote administrator access to the organization’s endpoints/servers
That’s not to say that enacting MFA cybersecurity across your organization guarantees a premium discount. According to Dan Burke, senior vice president and national cyber practice leader at Woodruff Sawyer, one of the largest insurance brokerage and consulting firms in the U.S.,
“Insurers rarely provide a substantial discount based on a single security control, preferring to assess the combination of controls a company deploys against cyber threats in addition to the company’s industry, size, and specific risks. Rather, enacting MFA will benefit your insurance program in two potential ways: reducing your claims activity, which over the long term can significantly improve your insurance pricing; and qualifying your company for cyber insurance quotes from multiple carriers, ensuring competition for your business that will produce favorable terms.”
What Stops Companies from Deploying MFA?
The threat of compromised credentials is well known. Yet, despite the push from cyber insurers, some organizations are still reluctant to adopt MFA. We believe this reluctance is driven by four myths about MFA.
- MFA is not just for large enterprises. The data to protect is as sensitive and the disruption as serious in any company, regardless of size.
- MFA is not just for privileged users. Most “non-privileged” employees also have access to sensitive data. And cybercriminals usually don’t start with a privileged account; they take advantage of any account and then move laterally within the network.
- MFA is not perfect, but it’s a huge step forward. No security measure is perfect. But, as the FBI affirms, MFA is effective and one of the simplest steps an organization can take to improve security.
- MFA doesn’t have to disrupt users’ productivity. Administrators can avoid prompting users for MFA each time they log in. MFA should be customized according to each company’s needs.
Meet the MFA Insurance Requirement With UserLock
Applying MFA is a key security measure for any company, regardless of size – especially as a remote workforce becomes the new norm. Whether you need MFA for insurance requirements or not, it can be one of the easiest ways to keep your accounts secure.
UserLock makes it easy to enable MFA for Windows logon, RDP, RD Gateway, VPN, IIS, SSO and cloud applications. Verify the identity of all Active Directory accounts and secure their access to the network and cloud resources.
Download UserLock today and see for yourself how MFA is easily applied for all user sessions.