Multi Factor Authentication (MFA) and the evolving world of cyber security
Published on: 11 Aug 2021
‘Everybody’s Talking About MFA’.
No, not the name of a hit new insurance musical centred on the fast-evolving world of digital risk – but an acronym interspersing every renewal conversation between brokers and cyber underwriters nonetheless.
Just the mention of MFA is likely to give rise to a series of questions from SMEs not familiar with this particular piece of technical jargon: what is it, why are cyber insurers now requiring it, where can we get it and how much does it cost?
All of which can be answered easily and reassuringly.
The first bit of good news for smaller businesses is that Multi-Factor Authentication – to give it its full name – is much less onerous than it sounds. And the price tag to implement it can be as little as a few pounds per user, if not entirely free, depending on which vendors an SME uses for IT applications.
Turning to what MFA is and why it is now being requested by the vast majority of cyber insurers, it quickly becomes clear this should really be treated as a matter of everyday cyber hygiene – not a luxury but straightforward risk management. An upgraded lock on your cyber front and back doors to deter and prevent criminals gaining access.
The combination of a rapid rise in ransomware and other data breach incidents, coupled with the surge in IT dependency and a pandemic-driven but longer term shift to remote working requiring individuals to often work outside secure networked environments, is understandably prompting insurers to ask more in-depth questions about how companies are protecting themselves from cyber threats.
MFA, sometimes referred to as two-factor authentication or 2FA, is a simple security enhancement fulfilled by presenting two pieces of evidence – your credentials – when remotely accessing a network or email. And whether the acronym is familiar or not, most of us will already have experienced MFA when undertaking personal online interactions: for example, when additional verification is sought and a unique code is pinged to your mobile to input before an online banking transaction can complete.
Credentials essentially fall into three categories: something you know (like a password); something you have (such as a mobile phone); and/or something you are (biometric identification). Common sense dictates that any and all remote access to sensitive information should be protected via MFA and, to be fully effective, it should extend to all employees regardless of their role.
The second piece of good news is that research from Microsoft and Google suggests that MFA can block over 99% of account compromise attacks. So the clear, consistent and critical message is that this isn’t about underwriters creating more hoops through which brokers and their clients need to jump to secure cyber cover, but an easy, cost-effective and practical way for firms to increase their resilience and defence against cyber-attack.
True, a handful of insurers are not yet requiring MFA. But the question for brokers to satisfy on behalf of their clients is whether those insurers are, instead, attaching different or additional conditions that their client may struggle to satisfy. Also, as an insured, do you want to expose yourself to risk when you can easily mitigate it? Remember, a cyber breach or attack is something no organisation will want to experience, even if they have insurance.
Third, vendors in the MFA space are making it not just less expensive but also easier and more flexible for businesses of all sizes to deploy, as well as more intuitive and user-friendly, regardless of technical savvy.
Positive, proactive cyber risk management shouldn’t stop at MFA though. We’re urging brokers to get close to – and stay close to – their cyber underwriters, while making sure they keep alive the conversation on cyber risk with their clients. Cyber is undoubtedly the fastest evolving and most dynamic area of risk we face in insurance and that ongoing dialogue will ensure early warning of any new vulnerabilities, preventions and cures.
The reality is that cyber is no longer a peril where brokers and their clients should expect to find an underwriter with the appetite to quote unless the client can demonstrate they take cyber security seriously, and can confirm – even if via a quick ‘Yes’ or ‘No’ as with the Pen portal – the steps taken to mitigate their exposure. An ever greater emphasis on controls should be wholly expected, and none more so than in system security.
MFA is simply the most recent example of that. It isn’t the first and certainly won’t be the last.
So when we look at MFA in the round and consider the strength of protection it can provide, losses it can prevent, its cost-effectiveness and user-friendly nature, the question is not so much why would you invest in implementing and activating it across your business, but why on earth wouldn’t you?