Insurance policies are designed to share risk. But, right now, cybersecurity incidents and payouts are through the roof, and insurance companies are tired of paying.
There are so many infected websites and automatic malware programs out there that even if every hacker gave up the internet for life, hacks would continue for a decade or more after their departure. The direct cost of the most common data breach, ransomware, has gone up considerably in the past few years.
Today, one stolen data file could lead to hundreds of identity theft incidents, possibly thousands. In addition, the necessary post-breach recovery process can often cost a company millions of dollars. Rebuilding servers and security after the breach, paying data security fines, notifying and compensating affected parties, and rescuing your data add up to a considerable cost, one most companies are not prepared for when a hack or malware strikes. Helping pay for this is the purpose of cyber insurance.
However, the major insurance providers have collaborated, and at this time, they will not grant a policy to a company unless it is actively using multi-factor authentication (MFA).
What is MFA and Why Does My Cyber Insurance Require It?
MFA stands for multi-factor authentication. MFA is an add-on or improvement to a traditional password. It acts as a second layer of protection to confirm authorized access. For anything an employee might need to log in to, MFA adds a second layer of authentication. Logging into an application or device with a strong password is good, but adding MFA makes it better.
When it comes to hackers and stolen accounts, MFA often trips up a hacker who has gained access to the primary password, because MFA asks a second question or poses some other type of test that only the user would know.
Cyber insurance requires businesses to have MFA to reduce the risk of remote and internal hacks significantly. Considering that 50% of businesses were hacked remotely and 33% were hacked internally, this is an essential precautionary measure. Insurance companies survive by reducing the risk that a claim will be necessary. Having multi-factor authentication is a strong indicator of a secure business, one with a much lower risk factor.
Types of Multi-Factor Authentication
So, what counts as multi-factor authentication in the eyes of your cyber insurance provider? 2FA, or two-factor authentication, must be made up of two different categories of authentication. For example, two passwords would not be sufficient, but a password and a PIN would be. Of course, your company can choose from a full selection of multi-factor authentication options, and letting your team choose their second factor both tailors the method to their memory and adds an element of randomness to stop methodical hackers.
Here are the types of multi-factor authentication to choose from:
- PIN Number
- Security Questions
- Fingerprints and Biometric Data
- Emailed Auth Tokens
- Image-Based Codes
- Phone SMS Auth Tokens
- Previously Downloaded Token File
- Third-Party Authentication
How to Protect MFA Security Integrity
Just as passwords can be compromised, so too can any MFA unless we protect its integrity. So, here is how you can ensure your MFA methods add an extra layer of anti-hacker security.
Send One-Time Codes with a Time Limit
Minimize the validity of any MFA token or code. For example, send codes that can only be used once. Also, set a time limit so that each code is only valid for 10 minutes, so hackers do not have time to scam or hack their way to a working code.
Provide Creative or Custom Security Questions
A choice of five cookie-cutter security questions might lead to insecure and careless answers. So instead, use a deep well of more personal questions and let your team write (or ad-lib) their security questions for custom and more obscure security answers.
Assess Risk-Based Factors
Pay attention to factors that might indicate a hacker. For example, is a device trying to connect from an IP address that is not on your internal network? Is the user's physical location in a country where you don't have employees or clients? Even the time of day can flag a login as suspicious: is somebody checking email or grabbing a file at 3:00 AM? A hacker in another city might give themselves away by not being at the approved account holder's home or work.
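The three signals above (IP address, country, time of day) can be checked on every login event. The following is an added example, not code from the article; the network ranges, country list, working hours, event fields and the mapping from flag count to action are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed policy values (assumptions, not from the article)
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                     ipaddress.ip_network("192.168.50.0/24")]
EXPECTED_COUNTRIES = {"US", "CA"}
WORK_HOURS = range(7, 20)  # 07:00-19:59 in the account holder's local time


def risk_flags(event):
    """Return the risk signals raised by one login event (a dict)."""
    flags = []
    try:
        addr = ipaddress.ip_address(event.get("ip", ""))
        if not any(addr in net for net in INTERNAL_NETWORKS):
            flags.append("external_ip")
    except ValueError:
        flags.append("unparseable_ip")      # malformed input is treated as risky
    if event.get("country") not in EXPECTED_COUNTRIES:
        flags.append("unexpected_country")  # missing geo data also lands here
    if datetime.fromisoformat(event["local_time"]).hour not in WORK_HOURS:
        flags.append("off_hours")
    return flags


def decide(event):
    """Assumed policy: no flags allow, one flag re-prompt for MFA, more block."""
    n = len(risk_flags(event))
    return "allow" if n == 0 else "step_up_mfa" if n == 1 else "block_and_alert"


# Constructed sample events
SAMPLE_EVENTS = [
    {"user": "alice", "ip": "10.20.4.17", "country": "US",
     "local_time": "2024-03-12T10:15:00"},
    {"user": "bob", "ip": "203.0.113.40", "country": "US",
     "local_time": "2024-03-12T14:02:00"},
    {"user": "carol", "ip": "198.51.100.9", "country": "RO",
     "local_time": "2024-03-13T03:00:00"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["user"], risk_flags(ev), decide(ev))
```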
How to Get MFA for Your Business
So how do you get the multi-factor authentication your insurance provider requires before they allow coverage? First, turn to your IT team or on-staff professional. If your team is swamped or you do not have on-site IT, don't sweat it. An outsourced professional or group can help you set up your system with MFA defenses on your network and your enterprise software. Once MFA is set up for your devices and applications and your team has tested it, you'll be ready to protect your business with a cybersecurity insurance policy.