Why multi-factor authentication isn’t the cure-all for your client’s cyber woes

  • MFA is a secondary check to ensure “you’re the right person logged into your system”

  • Insurers are often requiring businesses to implement MFA in order to obtain cyber insurance coverage

  • A massive talent shortage in the security industry is contributing to cyber risk

Staying one step ahead of cybercriminals seems to be a never-ending battle for insurers and insureds, cyber experts said during an industry event Wednesday.

“The problem is, as we increase our cyber hygiene and become better insureds, the criminals adapt and find new areas to gain access or new things to do in order to get in,” says Neal Jardine, global cyber risk intelligence & claims director with BOXX Insurance Inc. “It’s kind of like a game of Whack-a-Mole. You put MFA (multi-factor authentication) on and then they start designing their business email compromises around that.”

Cyber insurers are now often requiring businesses to implement MFA in order to obtain cyber insurance coverage. MFA adds a layer of protection to the sign-in process, requiring users to provide two or more verification factors to gain access to a resource such as an online account. For example, when accessing accounts or apps, users may also scan a fingerprint or enter a code received on a mobile device.

MFA is a secondary check to ensure “you’re the right person logged into your system,” Jardine says during Resetting Cyber Risk, a session at the 2022 virtual CIP Society Symposium.

“The beauty behind MFA is that if a hacker steals your credentials and tries to log into your system, you’re going to get a text message saying that someone’s trying to log in and then you’re like, ‘Wait a sec, that’s not me,’” Jardine says. “The downfall of MFA is hackers are aware of it.

“So, what they’re actually doing is sending social engineering emails out saying, ‘Hey, I’m with your bank. Please log in here and then give us a call so that we can verify your MFA code is correct,’” Jardine says. “And funny enough, we’re actually getting claims for that, which we’re seeing coming through. So as much as MFA is stopping a lot of [attacks], it’s also creating a new area.”

One webinar participant asked why, if a majority of clients are being forced to implement MFA to obtain cyber insurance, this isn’t reflected in premiums or deductibles once MFA is implemented.

The response? MFA is now really table stakes in the market.

The evolving landscape is also causing a shift in cyber underwriting, where the focus is increasingly on an insured’s cyber hygiene and what security controls they have in place. “We’re basically doing requirements like if you don’t patch your system every 15 or 30 days automatically, that’s going to affect our ability to provide you with proper coverage, because of the fact that you should have known or ought to have known or at least turned on automatic updates to prevent that,” Jardine says.

 

A massive talent shortage in the security industry

Looking ahead, the next requirement could be something like ensuring “the least amount of privilege given to the end user,” for example, Jardine says. “The idea behind it is, users only get access to data they need at the time. The moment they’re done using that data, that access is revoked, and that tries to stop [unauthorized access]. So, is that going to be the future in order to make it?”

A massive talent shortage in the security industry is also contributing to cyber risk, since fewer people are available to monitor and patch systems.

“Good hygiene [means] understanding what your environment is, how you interact with the world, and then constantly training your employees, shifting what you do, in order to try to stay ahead of that,” Jardine says. “This is going to be ever-evolving, ever-changing over time. You will need to keep up-to-date: What steps do you take in order to limit your cyber exposure? And really making sure you drill that down.”

 

Original Article Published by Canadian Underwriter

About BOXX Insurance

BOXX Insurance Inc. helps businesses and families insure and defend against cyber threats. BOXX Insurance Inc. is privately-held with headquarters in Toronto, Canada. BOXX’s vision is to help businesses, individuals and families stay ahead of, respond to and recover from cyber threats, putting their digital safety first.
