Chris McMurray, cyber lead at Travelers Europe, examines why multifactor authentication is a vital tool for protecting businesses from cyber attacks
The numbers are difficult to ignore - multifactor authentication (MFA) typically blocks more than 99% of attacks by cyber criminals attempting to compromise a company’s systems. Traditional passwords on their own aren’t secure enough anymore. Hackers have developed countless tried and tested methods of stealing credentials and gaining unauthorised access to private accounts.
According to the Department for Digital, Culture, Media and Sport’s Cyber security breaches survey 2022, published in March this year, nearly one-third of businesses in the UK experience cyber attacks or breaches at least once a week. MFA, therefore, is being put to the test – successfully – with increasing regularity.
We have seen a distinct trend in insurance claims. As the industry saw a spike in claim activity towards the end of 2020, a clear correlation emerged between claims and insured businesses lacking MFA. The good news is these claims may be minimised or even prevented through MFA implementation.
MFA is a solid control that a business can put in place without a great deal of time or expense – and cyber criminals often differentiate businesses depending on whether or not they have MFA.
MFA draws on three main types of authentication factor. The first is something the user knows, such as a password or PIN. The second is a physical object the user has, such as a key or smart card. The third is biometric verification, such as a fingerprint, retina scan or voice recognition.
A straightforward solution
A fraudster who comes up against a multifactor check may be able to circumvent it, but it takes work. If the next company on their list isn’t using MFA, it’s that much easier for them to deceive an employee with a phishing email and breach the company’s systems.
Easy targets remain plentiful right now, so until everyone adopts MFA and criminals find another way into a company’s systems, MFA remains a strong layer of protection.
For this reason, we have begun asking more technical questions about MFA when businesses renew their cyber insurance or buy it for the first time.
Instead of asking simply whether a company has MFA, we’re asking whether they have it for email, whether they have it for administrative accounts, and whether employees with elevated access privileges use it for internal access.
When insureds and brokers read our questionnaire and see the level of specificity we request, they may think implementing MFA will be a lengthy and costly endeavour. But it’s a relatively straightforward fix and our insureds have the benefit of a free consultation with our cyber security partner, which helps them develop an implementation plan.
Final layer of protection
Of course, while MFA is important, it isn’t the only cyber protection required. To put it in simple terms, just because you have locks on your home, it sadly doesn’t mean you can’t be broken into.
A business should have multiple layers of security, including an email filtering system that catches as many malicious emails as possible, a training programme to help employees recognise phishing emails and a software defence that includes firewalls and an advanced endpoint detection and response system to monitor cyber threats. MFA provides the final layer of protection.
Within the last six months, most insurers have begun requiring potential policyholders to have some level of MFA before they will provide a cyber insurance quote.
As MFA requirements become more stringent, brokers can help their clients present themselves as more attractive risks by taking proactive steps to improve their cyber protections prior to renewal. And, in the process, they may deter a cyber attack.
While MFA is not a silver bullet, it’s a critical piece of a multilayered plan to make clients’ cyber security that much stronger.