Benefits of Multi-Factor Authentication and Cyber Insurance
In 2022, the cost of a data breach reached an all-time high, averaging $4.35 million (USD). And with cybercrime costs projected to grow by 15 percent per year, the resulting global costs are expected to hit $10.5 trillion by 2025, according to a Cybersecurity Ventures report. However, the cost imposed by low cybersecurity reaches far beyond financial losses. Along with reputational damage, businesses also face a loss of trust from business associates and customers as well as the possibility of serious legal jeopardy.
In this blog post, we’ll discuss the importance of sound security practices and learn how multi-factor authentication (MFA) is being used not only to combat cyberattacks, but also as a strategy to enable additional protections and benefits from cyber insurance.
MFA’s Connection to Cyber Insurance
Cyber insurance, also referred to as cyber liability insurance, covers a business’s liability in the event of a cybercrime incident. These types of incidents are typically excluded from a general business or property insurance policy, so organizations will secure a supplemental cyber insurance policy to cover costs associated with a data breach, which may include operational disruptions, data loss, legal expenses and more.
Much like an individual must meet certain qualifications to get affordable life insurance coverage (e.g., smokers are going to pay more for life insurance than non-smokers due to the known risks), cyber insurance works in the same manner — and this is where MFA enters the picture. MFA requires users to present two or more distinct verification factors when they log into their accounts and applications. Thus, an MFA security strategy helps prevent account takeover attacks and is proven to be highly effective in stopping identity-related data breaches. Because stolen credentials are cited as the most common initial attack method (and over 80% of data breaches begin with a compromised password), cyber insurance companies require MFA for obtaining coverage. Therefore, organizations opting out of MFA will be denied coverage altogether, while those that deploy weaker authentication methods ― such as SMS or email versus security keys or push notification ― are likely to be saddled with higher insurance premiums.
A Collaborative Approach to Cybersecurity Offers Many Benefits
With the frequency, severity and cost of cyberattacks on the rise, cyber insurers are grappling with how to manage the situation. A recent U.S. Government Accounting Office (GAO) report noted that the “stability in premium rates and access to policies are changing, and insurers are starting to take steps to limit their exposure to these losses.” The result of this dilemma is comparable to a quid pro quo approach ― in return for a cyber insurance policy (with a reasonable premium) that offers support in the event of an attack, an organization is required to create a strong security framework and enforce security best practices. The result is a win-win, as it lowers risk and elevates the likelihood of success for both insurance providers and organizations.
Once organizations begin building a strong security framework, the additional benefits of having an MFA solution and/or cyber insurance become apparent in other ways. For example, a growing trend in business agreements and contracts is the requirement for businesses to uphold a certain level of cybersecurity hygiene. Cybercriminals tend to consider small and mid-sized businesses/enterprises (SMBs/SMEs) easy targets, counting on the fact that SMBs have fewer resources, larger security skills gaps and cyber defenses that are less robust than those of larger organizations. Consequently, deploying MFA becomes a critical security measure for an SMB (even when a cyber insurance policy isn’t required). With robust authentication methods and policies, MFA helps prevent the vast majority of attacks and is designed to withstand new and innovative attack methods that intend to bypass authentication controls.
Governments around the globe are getting involved through various mandates that help strengthen cybersecurity measures and protect their citizens, businesses and national interests. This year, the U.S. Securities and Exchange Commission (SEC) will consider implementing cybersecurity disclosure mandates for public companies as a way to evolve with emerging cybersecurity risks. Requiring disclosures about cybersecurity policies, procedures and coverage would be a way for companies to demonstrate their sound security practices and risk management as well as a way for any person or business to evaluate how an organization may be managing growing cyber risks. In a similar approach to mandate sound cybersecurity practices, the German IT Security Act 2.0, passed in 2021, will legally oblige any companies working in the special public interest to implement enhanced security measures for cyber intrusion detection as of May 1, 2023.
Much like the phrase, “a rising tide lifts all boats,” the entire security ecosystem will become more resilient and better at fighting threats and blunting risks as entities work together to incentivize more effective cybersecurity planning and management. Optimistically, as this ecosystem grows stronger through both incentives and mandates, cyberattacks that cause far-reaching damages ― like the Colonial Pipeline ransomware attack (which originated from one exposed password) ― will be considered worst-case scenarios of the past.
Where to Start When You Realize You Need MFA
Robust security frameworks are crucial for all types and sizes of businesses given the risks involved, but certain industries are more vulnerable to cyberattacks than others. Industries that rise to the top of the high-risk list most often include financial services, government, healthcare, energy and utilities, education, retail and manufacturing. However, any organization that stores and manages sensitive information online, uses digital systems or is highly regulated by state, federal and international agencies must take the threat of cyberattacks seriously.
Since finding the right MFA solution and vendor may be overwhelming, a critical first step is to evaluate your cybersecurity practices and identify specific gaps, needs or use cases unique to your organization. As MFA is not a “one size fits all” solution, it is important to understand the differences and choose appropriately. Here are the three key areas to consider when seeking the highest level of protection and reduction of risk:
- Phishing and Social Engineering Resistance – Look for robust authentication methods and policies designed to withstand phishing, push notification spamming, and SIM swap attacks
- Various User Preferences and Access Requirements – Consider solutions that offer a broad range of flexible authentication methods (e.g., do most employees in your organization use biometrics on their mobile devices to authenticate, or does your organization rely more heavily on authentication smart cards or security keys for users, or a combination of all those?)
- Flexible Access Control Policies – Ensure usability within your organization by choosing a solution that includes flexible deployment options which can be configured to meet the user- and/or role-based access needs within your business
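The first criterion above, phishing resistance, is the one that separates security keys from SMS, email and one-time codes. The following is an added example, not code from the original post or from HID, that shows why: a one-time code depends only on a shared secret and the time, so a code typed into a lookalike page can be forwarded to the real site and accepted, whereas a security-key assertion is signed over the origin the browser actually saw, so the same relay is rejected. HMAC is used here as a stand-in for the key's asymmetric signature (an assumption for brevity; the origin-binding check is the same), and all secrets, origins and time steps are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: one user holding a security-key credential and a TOTP-style seed.
# HMAC stands in for the authenticator's signature (assumption: a real security key signs with
# an asymmetric key; the origin-binding logic demonstrated here is unchanged).
LEGIT_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login.examp1e.com"   # constructed phishing page, not a real site

KEY_SECRET = b"constructed-security-key-secret"
OTP_SECRET = b"constructed-otp-seed"


def security_key_assert(challenge: bytes, origin_seen_by_browser: str) -> dict:
    """What a WebAuthn-style authenticator returns: a signature over the challenge AND the
    origin the browser observed. A phishing page cannot alter what the browser saw."""
    client_data = f"{origin_seen_by_browser}|{challenge.hex()}".encode()
    sig = hmac.new(KEY_SECRET, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def verify_security_key(challenge: bytes, assertion: dict, expected_origin: str) -> bool:
    """Relying-party check: the signed origin must be the real site and the challenge must match."""
    origin, chal_hex = assertion["client_data"].decode().split("|", 1)
    if origin != expected_origin or bytes.fromhex(chal_hex) != challenge:
        return False
    expected = hmac.new(KEY_SECRET, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def otp_code(time_step: int) -> str:
    """TOTP-style six-digit code: depends only on the seed and the time step, never on
    which web page the user typed it into."""
    digest = hmac.new(OTP_SECRET, time_step.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def verify_otp(submitted: str, time_step: int) -> bool:
    return hmac.compare_digest(submitted, otp_code(time_step))


def relayed_otp_login(time_step: int) -> bool:
    """Adversary-in-the-middle scenario: the victim types the code into the lookalike page,
    which forwards it to the real site. The real site cannot tell where it was typed."""
    code_typed_into_phish = otp_code(time_step)
    return verify_otp(code_typed_into_phish, time_step)


def relayed_security_key_login(challenge: bytes) -> bool:
    """Same relay with a security key: the assertion carries the lookalike origin, so the
    real site rejects it even though the signature itself verifies."""
    assertion = security_key_assert(challenge, LOOKALIKE_ORIGIN)
    return verify_security_key(challenge, assertion, LEGIT_ORIGIN)


def genuine_security_key_login(challenge: bytes) -> bool:
    """Control case: the user is on the real site, so the origin matches and login succeeds."""
    assertion = security_key_assert(challenge, LEGIT_ORIGIN)
    return verify_security_key(challenge, assertion, LEGIT_ORIGIN)


if __name__ == "__main__":
    chal = secrets.token_bytes(32)
    print("OTP relayed through phishing page accepted:", relayed_otp_login(12345))
    print("Security key relayed through phishing page accepted:", relayed_security_key_login(chal))
    print("Security key at genuine origin accepted:", genuine_security_key_login(chal))
```

Run as a script, the OTP relay reports True and the security-key relay reports False, which is the practical meaning of "phishing resistant" when an insurer or a contract asks for it: the credential is bound to the site, not just to the user.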
With the massive uptick in cyberattacks around the globe, organizations must consider an investment in a strong and secure MFA solution with a partner that is well-versed in MFA for all sizes of organizations across various verticals. Not only is it important to have a solution that is easy to deploy, manage and use, but it must also meet the qualifying requirements for obtaining cyber insurance ― and notably, help keep premiums affordable.
To learn more about the role that multi-factor authentication plays in cybersecurity and its significance in securing cyber insurance, read our white paper, How to Lower Cyber Insurance Premiums and Improve Security With Multi-Factor Authentication.
Eric Williams is a senior solutions architect at HID Global where he works directly with customers to understand the best solutions for their needs. He has over 20 years of industry experience at companies including AT&T Research Labs and Yahoo! Music, where he worked in systems and network engineering. Prior to joining HID, he held a position as the VP of operations for a startup based in Asia. He joined HID in February 2016 as part of the pre-sales engineering team working in identity management and authentication. He brings first-hand experience to real-world challenges.