
Multi-Factor Authentication: A Small Step for a Big Decline in Cyber Attacks

October 16, 2020

Cyber Liability

This article is part of a series for National Cyber Security Awareness Month in October. Woodruff Sawyer is proud to be recognized as a champion of cybersecurity by the National Cybersecurity Alliance for the third consecutive year in 2020.


Multi-factor authentication (MFA) is an increasingly important solution to thwart account compromise attacks. This goes double in a world where the workforce is remote and gaining access to key corporate networks and applications is vital.

Far from being just an annoying extra step in your login process, MFA can be a key security tool to stop cyber attacks before they start and improve your risk profile in the eyes of cyber insurers.

What Is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is a security measure that requires two or more forms of identification to access an account. This involves some combination of something you know, something you have, and something you are.

For example, something the account holder knows could be a password, something the account holder has could be a token sent to their cell phone, and something the account holder is could be a fingerprint.

MFA is sometimes referred to as two-factor authentication (2FA), which is a subset of MFA. As the name suggests, 2FA requires only two factors for account access, whereas MFA can require more.

The Link Between Multi-Factor Authentication and Cyber Attacks

Multi-factor authentication is a simple solution for deterring many possible outcomes of a cyber attack. In fact, Microsoft states that MFA can block over 99.9% of account compromise attacks. Given that most people's password habits are generally not good, this extra security measure is one to consider.

Gaining access to an account can open up endless opportunities for cyber attacks and cause extensive damage to companies in the process. For example, business email compromise (BEC) is a growing threat to organizations—global losses increased 100% between May 2018 and July 2019, according to the FBI’s IC3 (Internet Crime Complaint Center). And the agency braced for impact as it fully expected the pandemic to increase this type of criminal activity.

And they were right: Business email compromise attacks are up 67% from 2019 to 2020, according to Coalition’s 2020 Cyber Claims Report.

Once a bad actor has access to an email account, for instance, they can send fraudulent wire transfer requests, redirect funds (like payroll funds) or company goods to their own financial accounts, expose corporate data or the personally identifiable information of customers and employees, or deploy ransomware. And these are just some of the possibilities.

The fact that most companies have been adjusting to new work-from-home procedures has only exacerbated their cyber risks. For instance, brute force attacks, which systematically try all username and password combinations, are on the rise.

With all these looming threats, are businesses actually adopting MFA? Sort of. Adoption is up 12% from 2018 to 2019, according to LastPass, but still, only 57% of businesses are actually doing it.

In many cases, businesses feel like they have to choose between user experience and security. Past research has shown us that employees would often rather forgo cyber security for convenience. But that could be changing.

Impact on Insurance

It’s critical that businesses today consider multi-factor authentication as part of their cyber security health—especially as a remote workforce becomes the new norm.

As the cyber insurance market hardens, insurers are scrutinizing their portfolios and looking for clients with security controls that more closely align to a higher standard.

Insurers view MFA as a best practice, and are starting to ask more questions around MFA when placing or renewing cyber insurance.

That’s not to say that enacting MFA across your organization is going to guarantee you a premium discount. Insurers rarely provide a substantial discount based on a single security control, preferring to assess the combination of controls a company deploys against cyber threats in addition to the company’s industry, size, and specific risks.

Rather, enacting MFA will benefit your insurance program in two potential ways:

  1. Reducing your claims activity, which over the long term can significantly improve your insurance pricing; and,
  2. Qualifying your company for cyber insurance quotes from multiple carriers, ensuring competition for your business that will produce favorable terms.

And while MFA has many use cases across a company, one area in particular where insurance carriers are looking for MFA is when accessing cloud backups.

By requiring MFA for access to cloud backups, companies can prevent attackers from infecting their backups before deploying ransomware on the network, thereby mitigating one of the leading attack styles of 2020.

While MFA is a good solution, it’s not always easy to deploy. Microsoft gives guidance on how to implement MFA at your organization and what you need to consider as you do so.

It may prove to be an annoyance to some employees, but MFA remains a key tool for almost any organization facing cyber threats today. And in this case, security should be prioritized over convenience.


All views expressed in this article are the author’s own and do not necessarily represent the position of Woodruff-Sawyer & Co.

Dan Burke

Senior Vice President, National Cyber Practice Leader

Editor, Cyber Liability

As National Cyber Practice Leader, Dan drives the strategy to grow our cyber business, such as developing tools to help clients and prospects understand and quantify their cyber exposures, as well as thought leadership. He frequently speaks at industry conferences and has been quoted in various trade magazines and newsletters, including The Wall Street Journal.

415.402.6514

LinkedIn
