Cybercrime is a growing, highly successful and profitable industry. According to Cybersecurity Ventures, cybercrime costs will grow by 15% per year to reach $10.5 trillion by 2025 – the third greatest “economy” in the world after those of the U.S. and China. The average ransom payment has also continued to climb, up 43% from the last quarter of 2020 to an average of over $300,000. Over the last 18 to 24 months, ransomware attacks have skyrocketed in both frequency and severity, driving significant changes in cybersecurity practices and cyber insurance.
Cyber criminals have become very proficient at obtaining user IDs and passwords, which can provide a gateway into your network. Despite best efforts, including employee training and established security controls, you should assume that user IDs and passwords have been and will be compromised within your institution. The question is, if your credentials have been compromised, what is preventing the hacker from accessing your systems and your data? According to many industry experts, over 90% of ransomware attacks could have been prevented, or their overall impact greatly diminished, through the use of multi-factor authentication (MFA).
MFA is a security technology, or authentication method, that requires users to successfully confirm or present two or more verification factors (i.e., evidence) before a user is granted access to a system, network or application. The types of factors or evidence provided by the user are a combination of knowledge (something only the user knows), possession (something only the user has) and inherence (something only the user is). For example, users typically must provide a password or PIN, verify access by inputting a code or one-time password (OTP) sent to another device (e.g., smartphone or security token) or confirm access with biometric data such as a fingerprint.
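To make the knowledge-plus-possession combination concrete, here is an added example (not code from the article or from CBIZ) of a server-side login check that requires both a password and a time-based one-time password of the kind an authenticator app or hardware token produces. The OTP arithmetic follows RFC 4226 (HOTP) and RFC 6238 (TOTP); the account class, the `PBKDF2_ROUNDS` setting, the demo password and the use of the RFC test secret are assumptions made for the example. The replay guard (`last_counter`) and the clock-drift `window` are the two details practitioners most often get wrong when wiring up an OTP check themselves.

```python
"""Two-factor login check: a password (knowledge factor) plus a time-based
one-time password from an authenticator app or token (possession factor).
OTP generation follows RFC 4226 (HOTP) and RFC 6238 (TOTP).
Added example; not code from the article or from CBIZ."""
import base64
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000   # constructed setting for this example
TOTP_STEP = 30            # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6


# --- knowledge factor: salted password hash ---------------------------------
def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, pbkdf2_digest); a fresh random salt is drawn if none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, expected: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


# --- possession factor: HOTP / TOTP -----------------------------------------
def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def enrollment_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, the value an authenticator app receives at enrollment."""
    return base64.b32encode(secret).decode()


# --- combining both factors --------------------------------------------------
class Account:
    """Constructed account record: hashed password plus the per-user OTP secret."""
    def __init__(self, password: str, totp_secret: bytes):
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter = -1   # highest time step already used; blocks replay of a seen code


def login(account: Account, password: str, otp: str, unix_time: int, window: int = 1) -> bool:
    """Grant access only if the password AND a fresh, unused OTP both check out.
    `window` tolerates one time step of clock drift either side of the server's clock."""
    if not check_password(password, account.salt, account.pw_hash):
        return False                       # knowledge factor failed
    current = unix_time // TOTP_STEP
    for counter in range(current - window, current + window + 1):
        if counter <= account.last_counter:
            continue                       # code for this step was already consumed
        if hmac.compare_digest(hotp(account.totp_secret, counter), otp):
            account.last_counter = counter
            return True                    # both factors present
    return False                           # possession factor failed


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret, so codes match the RFC's vectors.
    secret = b"12345678901234567890"
    acct = Account("correct horse battery staple", secret)
    print("enroll app with:      ", enrollment_secret(secret))
    print("password only         ->", login(acct, "correct horse battery staple", "000000", 59))
    print("password + current OTP->", login(acct, "correct horse battery staple", totp(secret, 59), 59))
    print("same OTP replayed     ->", login(acct, "correct horse battery staple", totp(secret, 59), 59))
    print("wrong password + OTP  ->", login(acct, "guessed", totp(secret, 89), 89))
```

The point the article makes is visible in the demo: a phished password on its own ("password only") is refused, and even a code that was intercepted once cannot be reused, because the server records the time step it has already accepted.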
Those hesitant to adopt MFA are often under the misconception that it requires the purchase of additional external hardware or are concerned about potential user disruption. While it’s true that MFA can require users to take an extra step or two at login, it’s not complicated and doesn’t always require buying new hardware. As a society, we accept controls when the cost of not having them becomes greater than the restrictions they impose, which has proven to be the case with MFA.
What Should Be Protected with MFA?
MFA protects businesses by adding a layer of security that will effectively prevent the vast majority of attacks stemming from compromised user accounts. For example, a phishing attack may obtain a user’s credentials but be unable to provide another “factor,” such as the fingerprint or security question response required for authentication. Because every attack begins at an endpoint, companies should also be utilizing endpoint detection and response (EDR) alongside MFA to maintain visibility into all endpoints. Employing MFA and EDR together will significantly minimize the threat of a breach, especially when combined with mature patching requirements, employee training and increased awareness.
MFA should be used whenever possible, but at a minimum, to protect the most sensitive systems and data, such as remote access to network and systems, email accounts and higher risk users (e.g., administrator or privileged account access). This prevents system intruders from breaching networks to deploy ransomware, erase valuable data or steal sensitive information for malicious purposes through a variety of commonly successful cyberattacks, such as phishing or keystroke logging.
In prior years, cyber insurance was relatively easy to obtain and inexpensive, and was offered by over 180 insurance carriers. Although the applications may have been extensive, underwriters focused on the applicant’s annual revenue and the number of personally identifiable records held by the company or organization. When it came to renewals, underwriters only required updates around major business changes. But times have changed, and underwriters across the board are paying closer attention to the full application process: detailed information concerning the controls in place to prevent ransomware and other cybersecurity attacks, and the overall information technology (IT) risk management approach for each organization. Before providing a cyber insurance quote, for most client accounts it is now common practice to require insureds to have MFA in place, especially when it comes to email access. Without MFA, clients risk non-renewal or a retention hike of 100% or more.
Insurance brokers are seeing ransomware or social engineering claims hit almost weekly. Such claims can cost hundreds of thousands of dollars and require pricey forensic investigations that take several weeks to complete. Such attacks often start with compromised passwords, logins or user IDs. These credentials can be the weakest point of a company’s digital footprint because employees often use the same password for multiple systems, create passwords that are too simple, share credentials with others or inadvertently give information to cyber criminals via phishing campaigns.
Cybersecurity Best Practices
Before your company or organization can improve or enhance its security posture, the IT and operational environment must be documented, as well as the related threats and risks. Based on our experience in performing numerous cybersecurity risk assessments for clients of all sizes and across all industries, the key areas of focus and recommendations are:
- Implement a formal cybersecurity program, policies and procedures.
- Require multi-factor authentication.
- Conduct frequent cybersecurity training and awareness activities for employees, contractors and vendors.
- Regularly back up data, use segregated or air-gapped backups, and test offsite backups routinely.
- Perform periodic vulnerability assessment and penetration testing of external/internal networks and applications.
- Employ endpoint protection, including EDR, data loss prevention (DLP), encryption and file integrity monitoring.
- Strengthen network security controls.
- Monitor access to your systems and data, including third-party access and privileged users’ accounts.
Bringing a multidisciplinary approach to cyber issues, CBIZ tailors each client’s cyber solutions to match their operational environment, identified risks and available resources. A cyber service plan may include cyber insurance, cyber strategy, cybersecurity/vulnerability assessment, business continuity and data security. Should you have questions about your current setup or require additional information, don’t hesitate to contact Tiffany Garcia, Director, CBIZ Risk & Advisory Services and National Cybersecurity Practice Leader at Tiffany.Garcia@CBIZ.com or Kris St. Martin, Vice President, CBIZ Insurance Services at KStMartin@CBIZ.com.