Multi-Factor Authentication: Why Your Small Business Needs It and How to Get It
With the number and severity of cyber-attacks increasing over the past few years, most insurance companies are now asking for certain cybersecurity measures to be implemented for businesses to qualify for Cyber insurance at all. These measures include Multi-Factor Authentication and Data Backup. As a result, we have seen an increase in PSA clients asking for assistance and guidance regarding selecting the right cybersecurity technology and best practices that will help them obtain coverage while also protecting their operations.
Since PSA believes in being a true partner to our clients, which means helping them beyond providing risk management solutions, we have decided to interview Chad Quarles, Senior CISO Advisor from Hartman Executive Advisors, experts in business and IT consulting, to write a blog series on the various basic protection best practices small and mid-size businesses should have in place.
In this first installment of the series, we’ll be discussing Multi-Factor Authentication (MFA), which the majority of insurance companies now require when writing Cyber insurance. Specifically, businesses without MFA run the risk of not being able to renew or purchase a policy. But even if you are lucky enough to find a carrier that will provide you with Cyber insurance without MFA, you’ll likely overpay for coverage. Bottom line: you need MFA, and not only for insurance reasons. It is also critical as an extra layer of security for your business, preventing 99.9% of account takeovers.
PSA: So, what exactly is Multi-Factor Authentication (MFA)?
Hartman: Multi-Factor Authentication (MFA) adds a layer of security that can be highly effective at protecting your accounts from being accessed by cyber-criminals. It requires users to provide one or more additional pieces of information to verify their identity before gaining access to a system or an account. There are different types of MFA, and they are not all created equal. Some of the most common types of MFA include:
- SMS One-Time Password (OTP) – In addition to your username and password, successful authentication requires a 6-8 digit code sent to your mobile phone via SMS text message. The one-time password is only valid for one login session and expires after a short period of time. The additional layer helps protect you from password guessing attacks and even compromised usernames and passwords. While significantly stronger than a password alone, a sophisticated or determined attacker may be able to intercept the SMS text message and defeat the extra layer of security.
- Time-Based One-Time Password (TOTP) Authenticator App – Authenticator apps, sometimes referred to as software tokens or soft tokens, add an extra layer of protection by requiring two types of authentication: something you know (your password) and something you have (your phone). The one-time password generated by the authenticator app on your phone is the “something you have”. This form of MFA is preferred over SMS passcodes since cybercriminals have been known to intercept SMS messages.
- Push-Based MFA – This method builds on the two technologies discussed above to improve security and user experience. Like the software token solution, push MFA usually requires the use of an authenticator app installed on your phone. When you attempt to log in to any of your accounts that use push-based MFA, you will receive a prompt from the authenticator app asking you to approve or deny the login attempt with a tap on the screen. This form of MFA is secure and convenient, making it a popular security feature used by financial institutions. Just be careful: think before you click “Yes” if it wasn’t really you logging in. Cyber-criminals have been known to send a flurry of approval requests to frustrate users and trick them into approving a malicious sign-in.
PSA: What are the main benefits of MFA?
Hartman: MFA is quickly becoming “table stakes” for businesses that are serious about protecting their customers’ and employees’ sensitive information. MFA is particularly critical for protecting remote access technologies, Software as a Service (SaaS) applications that are accessible from the Internet, and privileged administrative user accounts. Benefits of using MFA for your business include:
- Limiting the impact of password breaches
- Reducing vulnerability to credential phishing
- Staying compliant with various regulatory requirements
- Demonstrating to customers, employees and stakeholders that your business takes information security seriously
PSA: I agree, and I would add that with these many benefits, MFA has become ubiquitous. Now even most insurance carriers are starting to require the use of MFA to qualify for Cyber insurance. Fortunately, some carriers offer a 60-day extension period for businesses to set up MFA before denying them renewal or new policies.
What we find interesting is that, despite this high demand for companies to implement MFA, there are still some businesses that don’t use any type of MFA. According to a recent study conducted by Travelers Insurance, 29% of users claimed that they did not know about MFA. Another study concluded that 10% of companies did not want to use MFA because they found it inconvenient. Again, I need to stress that if you fall into either of these statistics, it is important to know that if you choose not to leverage MFA, you may have to pay an arm and a leg to receive any Cyber coverage or simply won’t get any insurance at all.