Protecting sensitive data with multi-factor authentication (MFA) has become a requirement for cyber insurance policies. Recent attacks (SolarWinds, Colonial Pipeline, Kaseya) and mandates like the White House’s Executive Order to implement MFA in 180 days or less are proving that identity and password-related vulnerabilities are a top security threat, and one that can cost a company a lot of money. The Colonial Pipeline hack is one example of many in which a credential found on the dark web was used to gain remote access to a network. No MFA was implemented.
If you want to increase your eligibility for cyber insurance, make sure to add MFA protection in these key areas:
- Email access: Emails contain sensitive information, especially now that employees are not always in the office. Also, most systems use email to reset passwords, so a mailbox becomes the key to accessing multiple services.
- Remote Access/VPNs: Remote access to the network is how most hacks get started. Insurers work with risk, so it makes sense that this is a top priority for avoiding payouts on a breach that could have been prevented.
- Login credentials to servers, firewalls, and other critical devices: With password-only access to a firewall or VPN server, for example, an attacker who obtains the password could change the VPN configuration to accept password-only credentials. Servers are more than ever accessed remotely by admins and MSPs.
Two more things to consider when purchasing cyber insurance:
- Define which services are critical or contain sensitive information and protect them with MFA: Some services support MFA through common integration methods such as SAML and RADIUS. Home-developed applications and web portals with critical access to sensitive data should be protected as well.
- Be prepared to write an MFA attestation document: This document should state which systems are, and are not, protected by MFA. This is a very important step, since once the policy is approved, the insurer might refuse to pay the company if it is proven that the attack happened through a non-protected service.
Bottom line is… for those out there considering cyber insurance for their business, start by protecting users and assets with MFA, and evaluate your current security practices to ensure you meet insurers’ requirements. Learn more about how MFA can be a game changer when buying cyber insurance.