With the number and severity of cyber-attacks increasing over the past few years, most insurance companies are now asking for certain cybersecurity measures to be implemented for businesses to qualify for Cyber insurance at all. These measures include Multi-Factor Authentication and Data Backup. As a result, we have seen an increase in PSA clients asking for assistance and guidance regarding selecting the right cybersecurity technology and best practices that will help them obtain coverage while also protecting their operations.
Since PSA believes in being a true partner to our clients, which means helping them beyond providing risk management solutions, we have decided to interview Chad Quarles, Senior CISO Advisor from Hartman Executive Advisors, experts in business and IT consulting, to write a blog series on the various basic protection best practices small and mid-size businesses should have in place.
In this first installment of the series, we’ll be discussing Multi-Factor Authentication (MFA), which is required by the majority of insurance companies when writing Cyber insurance. Specifically, businesses without MFA could run the risk of not being able to renew or purchase a policy. But even if you are lucky enough to find a carrier that will provide you with Cyber insurance without MFA, you’ll likely overpay for coverage. Bottom line, you need MFA not only for coverage but also because it is a critical extra layer of security for your business, preventing 99.9% of account takeovers.
PSA: So, what exactly is Multi-Factor Authentication (MFA)?
Hartman: Multi-Factor Authentication (MFA) adds a layer of security that can be highly effective at protecting your accounts from being accessed by cyber-criminals. It requires users to provide one or more additional pieces of information to verify their identity before gaining access to a system or an account. There are different types of MFA, and they are not all created equal. Some of the most common types of MFA include:
- SMS One-Time Password (OTP) – In addition to your username and password, successful authentication requires a 6- to 8-digit number sent to your mobile phone via SMS text message. The one-time password is only valid for one login session and expires after a short period of time. The additional layer helps protect you from password guessing attacks and even compromised usernames and passwords. While significantly stronger than a password alone, a sophisticated or determined attacker may be able to intercept the SMS text message and defeat the extra layer of security.
- Time-Based One-Time Password (TOTP) Authenticator App – Authenticator apps, sometimes referred to as software tokens, or soft tokens, add an extra layer of protection by requiring two types of authentication: something you know, your password, and something you have, your phone. The one-time password generated by the authenticator app on your phone is the “something you have”. This form of MFA is preferred over SMS passcodes since cybercriminals have been known to intercept SMS messages.
- Push-Based MFA – This method builds on the two technologies discussed above to improve security and user experience. Like the software token solution, push MFA usually requires the use of an authenticator app installed on your phone. When you attempt to log in to any of your accounts that use push-based MFA, you will receive a prompt from the authenticator app asking you to approve or deny the login attempt with a tap on the screen. This form of MFA is secure and convenient, making it a popular security feature used by financial institutions. Just be careful to think before you click “Yes” if it wasn’t really you logging in. Cyber-criminals have been known to send a flurry of approval requests to frustrate users and trick them into approving a malicious sign-in.
PSA: What are the main benefits of MFA?
Hartman: MFA is quickly becoming “table stakes” for businesses that are serious about protecting their customers’ and employees’ sensitive information. MFA is particularly critical for protecting remote access technologies, Software as a Service (SaaS) applications that are accessible from the Internet, and privileged administrative user accounts. Benefits of using MFA for your business include:
- Limiting the impact of password breaches
- Reducing vulnerability to credential phishing
- Staying compliant with various regulatory requirements
- Demonstrating to customers, employees and stakeholders that your business takes information security seriously
PSA: I agree, and I would add that with so many benefits, MFA has become ubiquitous. Now even most insurance carriers are starting to require the use of MFA to qualify for Cyber insurance. Fortunately, some carriers offer a 60-day extension period for businesses to set up MFA before denying them renewal or new policies.
What we find interesting is that with this high demand for companies to implement MFA, there are still some businesses that don’t use any type of MFA. According to a recent study conducted by Travelers Insurance, 29% of users claimed that they did not know about MFA. Another study concluded that 10% of companies did not want to use MFA because they found it inconvenient. Again, I need to stress that if you fall into any of these statistics, it is important to know that if you choose not to leverage MFA, you may have to pay an arm and a leg to receive any Cyber coverage or simply won’t get any insurance at all.
PSA: What are some of the most popular MFA providers, and how can a small or mid-size business decide which one is right for them?
Hartman: With numerous MFA providers on the market, your business has many options to choose from. Most businesses that use platforms such as Microsoft Office 365 or a firewall service already pay for MFA capabilities as part of their service. So, before you jump to buying stand-alone MFA software, I would recommend checking with your IT team or your various application vendors to see if any of them already include MFA, which can then be easily enabled at no additional cost.
However, if you find you do need to purchase MFA, then here are some leading brands that you might want to consider. While prices to implement MFA can vary, some companies that small or mid-size businesses can consider include:
- Auth0
- Symantec VIP
- Duo Security
- Google Authenticator
- Microsoft Authenticator
PSA: Where should small and mid-size businesses start when implementing MFA?
Hartman: MFA should be considered anywhere you store Personally Identifiable Information (PII) or Protected Health Information (PHI). I find small to mid-size businesses are most vulnerable to cyber-attacks targeting three aspects of their operations – email, remote access technologies (such as VPN) and internet-facing services (such as SaaS applications that are in the cloud). To get started, here are some basic steps for each category.
- Email – Email presents a significant vulnerability for any company because these days you cannot conduct business without it. Most cyber-attacks include some type of social engineering intended to coerce you into providing access to sensitive information via email. This could come in the form of a malicious web link, attachment, or even an urgent request for you to take some sort of action. If a bad actor can get control of your business email account, they can use that access to carry out convincing social engineering attacks on your employees or customers. These types of attacks are known as business email compromise (BEC), and they cost consumers and businesses billions of dollars every year! Using MFA can help stop these types of attacks by making it harder for criminals to access your email. Gmail and Outlook 365 are the two most common email service providers small to mid-size businesses typically use. Both offer MFA to users. If you have a different email provider, inquire if they offer MFA capabilities and request their instructions for turning it on.
- Remote Access Technologies – The COVID-19 pandemic created an abrupt and unprecedented need for entire workforces to work from home or other remote locations. While employees made the adjustment to this new working style, cyber-criminals have been seeking to exploit weaknesses associated with the shift to an increasingly remote workforce. It is more important than ever to ensure remote access technologies like virtual private networks (VPNs) and other remote access tools are equipped with MFA to protect your organization from cyber-attacks. If you already have any remote access technology in place, contact your vendors or manufacturers to help you enable MFA.
- Cloud Service (a.k.a. Software as a Service (SaaS)) – Cloud service (or SaaS) is a way of delivering applications over the Internet—as a service. Some examples small businesses use include email automation programs, customer management systems, or accounting software. Instead of installing and maintaining software, you simply access it via the Internet. This strategy frees up your business from complex software and hardware management. However, with this convenience come new security challenges. These SaaS or cloud-based applications can be accessed from anywhere, not just from inside the four walls of your corporate office. Passwords alone may be ineffective at securing these types of applications. Check with your application vendor to confirm your options for enabling MFA.
PSA: These best practices should help your small or mid-size business get started protecting your business as well as qualifying for Cyber insurance. If you need any assistance implementing cybersecurity technology measures, consider Hartman Executive Advisors as a resource. If you have any questions regarding your existing policy or purchasing new Cyber coverage, do not hesitate to contact me at cmorsberger@psafinancial.com.