Multi-Factor Authentication (MFA) is the process of identifying users by validating two or more “factors” that are unique to a user. Some of the different factors that are most often used in the authentication process include:
- Something you know (such as a password or PIN)
- Something you have (like a code sent to your smartphone)
- Something you are (fingerprint, facial recognition, or voice recognition)
It is well known that MFA is an effective security control that can help mitigate the risk of falling victim to cybercrime. However, it is reported that only 57% of businesses actually have MFA deployed. More businesses need to implement this effective cyber defense, and cyber insurance underwriters are driving businesses to implement MFA.
As the incidence of cybercrime continues to grow, so too does the demand for cyber insurance. This increasing demand is tightening the cyber insurance market: underwriters are raising their rates and becoming more selective about who they choose to insure. This is where MFA comes in.
Cyber insurance underwriters are demanding that those they insure have a set of cybersecurity best practices in place – including MFA. Underwriters now expect businesses to have the following minimum MFA controls in place:
- MFA must be required for all employees accessing email through a website or cloud-based service
- MFA must be required for all remote access to the network provided to employees, contractors, and third-party service providers
- MFA must be required for all internal and remote admin access to directory services (e.g. Active Directory)
- MFA must be required for all internal and remote access to network backup environments
- MFA must be required for all internal and remote admin access to network infrastructure (firewalls, routers, switches, etc.)
- MFA must be required for all internal and remote admin access to the organization’s endpoints/servers
Implementing MFA needs to be done thoughtfully. Here are a few things you should consider when implementing MFA:
- Roll out MFA in stages – Start by implementing MFA for all your administrative accounts. Administrative accounts are your highest-value targets and the most urgent to secure.
- Use the right type of MFA – Match the MFA method to the situation. Options include a unique, one-time code delivered via SMS or email, or generated by an app such as Microsoft Authenticator.
- Have a support plan – Decide who will handle failed sign-ins and account lockouts, and how. Know how you will handle lost devices and how you will securely get employees who have issues back to work as fast as possible.
- Measure and monitor – Track how proficient users are with the MFA you have deployed. Regularly review helpdesk tickets and sign-in logs for MFA-related issues, then tweak your implementation as needed to improve productivity while maintaining a high level of security.
MFA is one of a variety of cybersecurity controls that cyber insurance underwriters expect businesses to have in place. If you want to know more about how to implement MFA and the other cybersecurity best practices that you’ll need to secure a cyber insurance policy, then let us know. Or take advantage of our IT risk assessment and get a detailed plan for optimizing your IT environment and mitigating your cybersecurity risk exposure.