Cybersecurity Awareness Month is an opportunity to evaluate risk and ensure basic controls are implemented to lower our risk. One control all leaders should embrace is the use of MFA to protect their business accounts. In this article, we will evaluate MFA and why we believe it is now a business imperative.
In the last two years, cybercriminals have launched more ransomware attacks than ever before, and these attacks have resulted in record losses from cyberattacks for businesses across the world. Consider the following statistics:
- Cybercrime is up 600% following the onset of the COVID-19 pandemic in March 2020
- In 2016, there was a ransomware attack every 40 seconds. Today, there is one every 11 seconds.
- The Internet Crime Complaint Center received 791,790 cybercrime complaints in 2020, with reported losses exceeding $4.1 billion. This record number of complaints represents a 69% increase in total complaints over 2019 alone.
The rise in business email compromise (BEC), ransomware, and other cyberattacks has driven significant changes in the cyber insurance marketplace. For example, in previous years, filing a cyber insurance application was relatively simple, and obtaining quotes from multiple carriers was easy. For renewals, underwriters generally only required updates around major changes to business operations and an overview of operations involving sensitive consumer data.
Today, insurance carriers and underwriters require businesses to submit more information related to their specific security controls, vulnerability management posture, incident response, data inventory, and cybersecurity risk management efforts.
In 2021, following scores of high-profile cyberattacks, it is common for underwriters to view MFA as a fundamental security control—especially around email access. Without MFA in place, businesses could face non-renewal or a very steep retention hike. Enforcing MFA, like putting on a seatbelt in your car, is an actionable way to lower your risk despite the perceived inconvenience of its use.
What is MFA?
According to the National Institute of Standards and Technology, “MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence–your credentials–when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.” Additional authentication controls also consider the user’s device and location.
MFA creates an additional problem for the attacker to solve. One of the most significant shortcomings of the common username and password logins we use every day is the fact that passwords can be compromised with enough time, effort, and resources. When this happens, it can potentially cost organizations millions of dollars, as an attacker may act on your employee’s behalf in ways that may be difficult to detect.
MFA is intended to create a layered defense that increases identity security and makes it more difficult for a cybercriminal to access sensitive company or client data that is only password-protected. If one factor is compromised, the unauthorized user must still defeat additional barriers before they can successfully infiltrate the target network.
How Does MFA Protect Businesses?
Businesses call insurance carriers and brokers almost every week to report security incidents involving ransomware, BEC, or other social engineering attacks. These claims often cost businesses hundreds of thousands of dollars, can compromise sensitive company and client data, and damage an organization’s brand for years.
Attackers strive to compromise employee passwords to gain a foothold in the business. Next, they may use the account to search for information, escalate privileges to gain broader access, or launch attacks from the compromised account to target others. Credentials are something we use every day, yet compromised credentials are among the most common attack vectors for malicious actors. When employees create passwords that are easy to guess, reuse the same login credentials across multiple systems, share login information, or unknowingly give cybercriminals clues about their credentials, both the employee and the business are at risk.
According to the article cited above, brute-force attacks are also a real threat. Cybercriminals can leverage automated password cracking tools to try various combinations of usernames and passwords until they find the right sequence to gain access to an account.
The additional layer of protection MFA provides may help block most attacks even when credentials are compromised. For example, in a phishing attack, cybercriminals may acquire an employee’s credentials, but be unable to use the one-time password generated from a token that is also required for authentication.
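The following is an added illustration of the point above; it is not code from the original article or from SWBC. It implements a time-based one-time code (TOTP, RFC 6238 on top of HOTP, RFC 4226) with the Python standard library and a login routine that requires both a password and a current code, so a password captured by phishing is refused on its own, and a code captured earlier is refused once its time step has passed. The user record, salt, password and TOTP secret are constructed sample values, not real credentials.

```python
"""Added example: a login that requires a password and a time-based one-time code."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample directory: one user with a salted, hashed password and a
# TOTP secret enrolled in an authenticator app. All values are made up for the demo.
_SALT = b"demo-salt-not-for-production"
USERS = {
    "alice": {
        "password_hash": hashlib.pbkdf2_hmac("sha256", b"Winter2021!", _SALT, 100_000),
        "totp_secret": base64.b32encode(b"constructed-secret!!").decode(),
    }
}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30 s steps)."""
    return hotp(secret_b32, int(at // step))


def verify_password(username: str, password: str) -> bool:
    """First factor (something you know): constant-time compare of the PBKDF2 hash."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, user["password_hash"])


def verify_totp(username: str, code: str, at=None, step: int = 30, window: int = 1) -> bool:
    """Second factor (something you have): accept the current step and one step
    either side to tolerate clock drift; anything older is rejected."""
    user = USERS.get(username)
    if user is None or not (code.isdigit() and len(code) == 6):
        return False
    now = time.time() if at is None else at
    counter = int(now // step)
    return any(
        hmac.compare_digest(hotp(user["totp_secret"], counter + d), code)
        for d in range(-window, window + 1)
    )


def login(username: str, password: str, code: str, at=None) -> str:
    """Both factors must pass; the result names the barrier that stopped the attempt."""
    if not verify_password(username, password):
        return "denied: password"
    if not verify_totp(username, code, at):
        return "denied: one-time code"
    return "granted"


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    now = time.time()
    print("phished password, no code :", login("alice", "Winter2021!", "", at=now))
    print("phished password, live code:", login("alice", "Winter2021!", totp(secret, now), at=now))
    print("code captured 5 min ago    :", login("alice", "Winter2021!", totp(secret, now - 300), at=now))
```

The `window` argument is the usual operational trade-off: a wider window absorbs clock drift on the employee's phone but lengthens the period during which an intercepted code remains usable, so keep it to one step unless there is a measured reason to widen it.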
- Double Down on Cyber Security with Multi-Factor Authentication
- Cybersecurity Awareness Month 2021 – Multi-Factor Authentication Guide
As you continue to evaluate risk during Cybersecurity Awareness Month, we hope you see the value of MFA. We believe implementing and enforcing MFA is a business imperative for lowering your risk, and your cyber liability insurance carriers and underwriters may also assign great value to MFA when they assess your security posture. At a minimum, accounts that are not protected by MFA may increase your business risk and will likely increase your cyber liability costs.
Consider evaluating your use of MFA within your business to ensure you are not carrying unacceptable risk. While MFA will not prevent all attacks and it is not always popular with your users, the security benefits outweigh the effort to implement and manage the change.
This Cybersecurity Awareness Month—and every month—remember to do your part and #BeCyberSmart by incorporating MFA into your company’s cybersecurity efforts.
Jeffrey Julig is Vice President and Chief Information Security Officer (CISO) for SWBC. In this role, he leads a team of security professionals to protect SWBC’s diverse lines of business from internal and external cyber threats. Jeffrey is passionate about information security and privacy and belongs to numerous international, national, and local professional and community organizations. He has a Bachelor of Science degree in Cybersecurity from the University of Maryland University College and earned several of the information security industry’s most respected certifications, including the Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Law of Data Security and Investigations (GIAC-GLEG) certifications. Jeffrey attended the Department of Defense Cybercrime Investigations Training Academy (DCITA) and is a certified digital forensics examiner.