Cyber insurance policies are quickly becoming critical coverage for almost all businesses. Many commercial cyber insurance policies will also require that your company use some form of multi-factor authentication for your computer systems. This can seem like a daunting undertaking to implement, but it could be easier than you think.
In this article we will take a high-level look at the different authentication methods, and at why cyber insurers are making MFA a requirement on your insurance policy.
What is Multi-Factor Authentication (MFA)?
Multi-factor authentication (MFA) is an authentication method that requires two or more independent verification methods from the user.
The user will try to log in to their VPN, Remote Desktop (RDP), website, or application and will have to provide their login credentials as normal. After that, depending on your setup, it could ask for a PIN from an app, a physical key, or even a push notification on their cell phone.
The real purpose here is to have a second form of authentication from the user that cannot be duplicated or copied the way a password can. Usually, if a PIN is used, the number shown in the application changes every 30-60 seconds.
This makes it extremely hard to "hack" the account with just the user's username and password. The attacker would also have to control the extra device used for the multi-factor authentication, such as the user's cell phone, for example.
Why Would the Insurance Companies Require MFA?
According to a 2019 Data Breach Investigations report, 80% of security breaches involve compromised passwords.
Your employees or coworkers will most likely have passwords that are insecure or that have been reused. If a password is reused and that password leaks in a different data breach, it is automatically added to the lists of passwords that hackers will try. You might be startled to know how many employees or coworkers use simple passwords such as "password123" or "abcd1234".
The insurance companies can see this trend, and that is why they are most likely going to require an MFA setup. Having MFA set up is still not a good excuse for a weak password, but it will at least make hacking your systems a lot more difficult, as the attacker will need not only the username and password but also access to the MFA device or application.
This leaves hackers with fewer options to gain access to your system if they cannot get in through the user accounts. They will then have to rely on more complicated means of gaining access and could possibly give up trying.
Software MFA or Hardware MFA?
As with all things in life, there are plenty of choices and options. You can choose between a software setup with a third party, or you can choose to have a hardware setup. There is no perfect option, and you will have to choose what is the best scalable option based on your business.
The software option will usually be at a lower cost initially but may require ongoing monthly subscriptions. The benefit to the software option is that the user will most likely not lose their own device and that you do not have to buy a bunch of hardware devices with a higher upfront investment. The downfall is that there could be more IT support when users change devices or forget to bring their device.
The hardware option is usually a small USB-style device that plugs into your machine. If the key is not present in the computer or cell phone, the account cannot be logged into. The hardware option has been proven to reduce IT costs for large companies because fewer support calls are needed to keep the MFA operational.
Are There Suggested Companies or Products?
The IT world is ever changing, but we have compiled a small list of MFA products that should help you start your search. We are not IT experts, but we do see a lot of different options in setting up our own systems and from helping our clients navigate their cyber insurance policies. We are simply providing a list of possible options to help you start your search, but you need to have your IT team evaluate your systems and choose the right option for your business.
This list was completed in June 2021:
- Google Authenticator (Android or Apple) – 2FA one-time password
- Microsoft Authenticator – 2FA one-time password
- LastPass Authenticator – 2FA one-time password
The Wrap Up
Having a proper MFA setup is important to keep your computer systems safe from credential theft or account hacking. At the end of the day, we simply cannot rely on users to set up secure passwords that have not been reused.
To learn more about cyber insurance, you can read more on our Cyber Insurance Webpage. If you need a cyber insurance policy or to see if you’re getting the best premium and coverage combination on your current policy, please do not hesitate to contact our office for a free quote.