How To Lower Cyber Insurance Premiums And Improve Security With Multi-Factor Authentication
How can multi-factor authentication keep your organization more secure, while lowering your cyber insurance premiums?
What Is Cyber Insurance, And What Does It Cover?
Cyber insurance, or cyber liability insurance, comprises a number of insurance policies designed to help your organization in the event of a cybersecurity breach. Globally, there are hundreds of cyber insurance providers and policies available, covering a vast range of different scenarios. These policies commonly include:
- The costs of direct expenses from being hit by a network attack. This can include the cost of expert consultancy, forensics, restoring or repairing data, notifying customers of a breach, legal expenses and even PR costs
- Legal costs if a cyberattack causes breach of privacy regulations or contractual agreements, or in the case of a class-action lawsuit
- Costs to profits and legal defense payments in the case of your organization being unable to fulfil contractual obligations due to cyberattacks
- Technology rendered unusable and profits lost due to attacks such as ransomware, and even the cost of ransomware payments to restore access to technology
- Transfer payment fraud caused by social engineering, such as phishing attacks and impersonation scams
- Loss to profits caused by the reputational damage brands often see post-breach – this is often limited to a set period
Not all providers will cover the full range of these policies, however. Many will not cover potential future loss to profits or the damages from any loss of your intellectual property – those that do often charge very expensive premiums.
For this reason, cyber insurance cannot replace a robust security framework to stop cybercrime in the first place. Rather, it helps ensure businesses enforce security best practices and offers support if an attack were to take place.
How Can You Qualify For Cyber Insurance?
As with any type of insurance, there are certain conditions that must be met to obtain coverage. These conditions can determine if you are eligible for coverage and, crucially, the cost of cyber insurance premiums. This has become increasingly important as global cyber insurance rates are increasing by 40% to 60% in response to skyrocketing rates of ransomware attacks.
Specific requirements vary by provider, but some key requirements are commonly seen across different insurance policies. These include:
- Implementing Security Awareness Training, which includes phishing simulation and awareness campaigns
- Ensuring that sensitive and valuable data is regularly backed up to be restored in the case of a ransomware attack
- Regularly auditing and reviewing security procedures and policies
- Ensuring key data is encrypted to secure against data breach and theft
- Ensuring devices are secured against malware, and kept up to date with endpoint security and management
- Compliance with data protection frameworks and procedures such as GDPR
- Implementing identity and access controls with secure provisioning and, crucially, multi-factor authentication
Multi-factor authentication is increasingly becoming a non-optional tool for obtaining insurance. Without it, you could face being denied coverage, or be offered much higher insurance premiums.
What Is Multi-Factor Authentication And How Does It Work?
Multi-factor authentication enforces the use of multiple different verification methods when users log in to their accounts and applications. This helps to prevent account takeover attacks and is proven to be highly effective in stopping identity-related data breaches. MFA is often mandated by cyber insurance providers – and the most secure MFA solutions can help to keep premium costs low.
A “factor” is a way of confirming identity when a user requests access to a digital account. The three most common authentication factors are:
- Something you know: a password or PIN
- Something you have: a secure device, such as a smartphone, smart card, or USB key
- Something you are: a biometric check, including a fingerprint or facial recognition
Traditionally, identity authentication has taken place with just one factor: a password. The rise of password-related scams has meant additional security factors are now commonplace, particularly for consumer accounts, but increasingly in the workforce.
For example, when logging into an account with MFA, you may be asked for a password, and then a verification code sent via SMS or an authentication application. Alternatively, you may use a PIN and a fingerprint or facial scan using a trusted smart device.
In the consumer space, MFA is often managed on a per-account basis. For the enterprise, there are a range of MFA solutions on the market that provide centralized authentication controls for all systems and applications. Implementing MFA is an important step, not just when qualifying for cyber insurance but also in establishing a strong cybersecurity posture in the current threat landscape.
Why Do Cyber Insurance Providers Want To See MFA?
The explosion of cloud and SaaS applications led to a 307% rise in account-takeover attacks between 2019 and 2021, with financial losses caused by account takeover increasing by 90% in 2021 alone. These attacks are often not high-tech or advanced, but instead use simple methods with low costs and high rewards.
For example, attackers may send out phishing emails disguised as legitimate emails to harvest passwords – over 80% of data breaches begin with a compromised password. They can also buy off-the-shelf malware to compromise email addresses and passwords. These attacks are easy to execute at scale, leaving millions of organizations at risk globally.
MFA protects access to sensitive applications, systems, and data by preventing attackers from compromising accounts, even if they have managed to steal usernames and passwords. In fact, research from Microsoft has found that the simple step of mandating MFA can prevent 99.9% of attacks on accounts.
Some insurance providers will not cover breaches caused by internal employee errors. This includes phishing scams where an employee has given an attacker access to an account by accident. MFA helps organizations avoid this scenario by enforcing authentication policies over networks, applications, and devices to prevent unauthorized access, no matter the location.
MFA is therefore an essential security measure to have in place – even if you’re not looking for a cyber insurance policy. In May 2021, The Executive Order On Improving the Nation’s Cybersecurity, signed by President Biden of the US, mandated the use of MFA for all federal agencies, and in Europe, use of MFA is recommended by ENISA guidelines.
How To Choose The Right Multi-Factor Authentication Solution To Lower Insurance Premiums
Implementing an MFA solution can help to meet the requirements set by many insurance providers. But not all MFA solutions are created equal, and there are three key areas to consider when looking for a solution to ensure the highest level of protection and further reduce the risk of a data breach – an important way to lower cyber insurance premiums.
Let’s take a look at each of these areas in detail:
Phishing-Resistant Multi-Factor Authentication
As we’ve covered, implementing MFA helps prevent the vast majority of account compromise attacks. But threat actors continue to innovate with new attack methods designed to bypass authentication controls. The most common of these attacks include phishing, push notification spamming, session cookie theft, and SIM swap attacks. For this reason, it is important to look for multi-factor authentication solutions with robust authentication methods and policies designed to withstand these attacks.
In the US, the Cybersecurity and Infrastructure Security Agency (CISA) has released guidance on phishing-resistant authentication. It recommends implementing FIDO2/WebAuthn-based authentication, a widely supported method that enables secure, passwordless authentication using trusted devices.
With FIDO, a private key is stored locally on the client device, while the public key is registered with the online service. During a login attempt, the user’s device proves possession of the private key, gated by a local user verification check such as a fingerprint scan. This enables secure, phishing-resistant access to accounts without the use of a password. We therefore recommend looking for a solution which provides FIDO-based authentication.
Support For Various User Preferences And Access Requirements
The best authentication providers offer a broad range of flexible authentication methods to meet your organization’s unique needs and support user preferences. There are a range of authentication methods (OTP, PIN, FIDO, biometrics, push notifications, etc.) and form factors (mobile, smart card, security key) available, so it is important to consider the unique needs of your users when selecting a solution.
For example, some users will use biometrics on their personal mobile devices to authenticate, while others may wish to keep private devices separate from work and use a company-provided security token instead. Certain industries cannot use smartphones at all: for example, workers on oil rigs, where they are a fire risk, or workers in regions with poor mobile coverage. In these instances, organizations must be able to offer authentication cards or keys to their users.
It is also important to consider that not all methods of authentication are equally secure. Sending an OTP via email or SMS is less secure than biometrics or a push notification – choosing a solution that offers these more secure methods can help to reduce cyber insurance premiums.
Finally, admins must be able to easily manage authentication credentials and devices. In larger organizations, managing credentials for hundreds of users can be incredibly complex and time-consuming. We recommend choosing a solution that offers central PKI credential management and automatically provisions or revokes access when an employee joins or leaves your organization.
Flexible Access Control Policies
Whichever MFA solution you choose, it should include flexible deployment options to ensure usability and scalability while meeting the needs and requirements of your organization’s own security posture. This includes support for a broad range of authentication methods, but also access control policies which can be configured and fine-tuned.
For example, how many failed authentication attempts are allowed before an account is locked ultimately depends on how risk-averse your organization wishes to be. This must be balanced against the needs of users who need to log in to their work accounts quickly. Organizations should be able to customize this type of access control policy to ensure consistent security rules are set and maintained, thereby preventing unauthorized account access.
Another important access policy is around privileged users. In some organizations, privileged users, such as IT admins with access to sensitive resources and data, must adhere to additional security policies. This may include additional factors of authentication, such as needing to authenticate with both a push notification and a hardware key or biometric check. They may also need to authenticate more regularly than users with access to less sensitive data. The best authentication solutions will support the configuration and implementation of policies to support this use case.
We therefore recommend looking for a solution that delivers this flexibility – with access control policies that can be deployed across the whole organization at a user- and role-based level. This ensures that MFA security best practices can be met and balanced against the overall needs of the business, managing user convenience and security while enhancing the security of privileged users.
Cyber insurance has become a necessity for many organizations around the world, as rates of cybercrime have massively increased. To qualify for insurance – and crucially, keep premiums affordable – organizations must invest in robust, secure multi-factor authentication for all accounts and devices.