The numbers are difficult to ignore: multifactor authentication (MFA) typically blocks more than 99% of the account-compromise attacks that cyber criminals attempt against a company's systems. Traditional passwords on their own aren't secure enough anymore; attackers have countless methods of stealing credentials, from phishing to credential stuffing with passwords leaked elsewhere, and a stolen password is all a single-factor login requires.
According to the Department for Digital, Culture, Media and Sport's Cyber security breaches survey 2022, published in March 2022, nearly one-third of the UK businesses that identified a cyber attack or breach experienced them at least once a week. MFA, therefore, is being put to the test, successfully, with increasing regularity.
We have seen a distinct trend in insurance claims. As the industry saw a spike in claim activity towards the end of 2020, a clear correlation emerged between claims and insured businesses lacking MFA. In other words, many of these claims could have been reduced in severity or prevented outright through MFA implementation. In fact, cybercriminals often differentiate between targets on the basis of whether or not they have MFA.
MFA is a solid control that a business can put in place without a great deal of time or expense. It combines two or more authentication factors drawn from three distinct categories:
- Things you know (knowledge) – such as a password or PIN.
- Things you have (possession) – such as a hardware key, a smart card, or an authenticator app on a smartphone.
- Things you are (biometric) – such as a fingerprint, a retina scan, or voice recognition.
The factors must come from different categories: a password plus a PIN is two things you know, and a phisher who captures one can usually capture the other, so it is not multifactor authentication.
A straightforward solution
A fraudster who comes up against a multifactor check may still be able to circumvent it, for example by relaying a one-time code through a phishing site in real time, but it takes work. If the next company on their list isn't using MFA, it's that much easier for them to deceive an employee with a phishing email and walk straight into the company's systems with the captured password.
Easy targets remain plentiful right now, so until everyone adopts MFA and criminals are forced to find another way into a company's systems, MFA remains a strong layer of protection.
For this reason, we have begun asking more technical questions about MFA when businesses renew their cyber insurance or buy it for the first time.
Instead of asking simply if a company has MFA, we’re asking if they have it for email, or for administrative accounts, and if employees with elevated access privileges use it for internal access. When law firms and their brokers read our questionnaire and see the level of specificity we request, they may think implementing MFA will be a lengthy and costly process. But it’s a relatively straightforward fix and the firms that we insure have the benefit of a free consultation with our cyber security partner, which helps them develop an implementation plan.
Final layer of protection
Of course, while MFA is important, it isn’t the only cyber protection required. To put it in simple terms, just because you have locks on your home doesn’t mean you can’t be broken into.
A law firm should have multiple layers of security, including an email filtering system that catches as many malicious emails as possible, a training programme to help employees recognise phishing emails, and a software defence that includes firewalls and an advanced endpoint detection and response system to monitor cyber threats. MFA provides the final layer of protection.
Within the last six months, most insurers have begun requiring potential policyholders to have some level of MFA to provide a cyber insurance quote.
As MFA requirements become more stringent, law firms can present themselves to insurers as more attractive risks by taking proactive steps to improve their cyber protections prior to renewal. And, in the process, they can reduce the chances of falling victim to a cyber attack.
While MFA is not a silver bullet, it’s a critical piece of a multilayered plan to make a law firm’s security that much stronger.
This blog is based on the article 'Helping clients adopt MFA as a critical layer of cyber security – Travelers' on the Insurance Times website.