Here are some cybersecurity tips for your customers: It’s time to install multi-factor authentication (MFA).
In the future, this advice could change to: Please send us a scan of all your technology vulnerabilities, so we can see what cybercriminals are seeing.
From now on, telling customers that passwords alone are secure and that cybercriminals are unlikely to target their business gives them a false sense of security, says one cyberinsurance expert.
Cyberinsurers now often require companies to implement MFA as a condition of obtaining cyberinsurance coverage. That said, it can be difficult for brokers to convince clients that MFA is now the norm, says Neal Jardine, global director of cyber risk intelligence and claims at BOXX Insurance Inc.
“Brokers can struggle to overcome the false sense of security around customer-held passwords because customers don’t understand the risks of not having MFA in place until they’ve had a breach,” Jardine told Canadian Underwriter. “Brokers are insurance experts and help clients become aware of the risks they face and the opportunities to transfer that risk through insurance.
“It’s the customer who doesn’t understand the risks of operating without MFA that we, as an industry, need to make them aware of.”
People generally don’t see the need for MFA because they view passwords as secure, “not realizing that an eight-character password – with a mix of numbers, upper and lower case letters, and symbols – can be deciphered by a cybercriminal using automation in less than eight hours,” says Jardine.
A password without MFA is most vulnerable when used on multiple sites. This can lead to attacks such as “credential stuffing,” when a cybercriminal uses a stolen password and variations of the same username across multiple sites to try to gain access, Jardine says.
“We see this happen often after a major data breach involving usernames and passwords. Cybercriminals will use the credentials known in the data breach to try to breach other sites.”
In the future, companies might, for example, start requiring end users to operate with minimum privileges. Most companies have already adopted some form of the principle of least privilege by preventing users from installing programs, changing passwords or surfing the web, says Jardine. “It is likely that this control will continue and be used more in the future to limit the data users can access to only those areas that are needed, when needed.”
Users often have access to data across the organization for collaboration. But restricting user access helps limit the spread of malware and reduces the risk of cyberattacks, says Jardine.
“Going forward, we may also see a requirement for companies that exceed a certain threshold or that have already suffered a cyber loss to demonstrate their security posture through internal analytics,” he said.
Currently, most cyberinsurers scan clients externally to see what cybercriminals see and secure areas that appear weak or unpatched, says Jardine. Internal scans would be similar to a property inspection report done for high-risk property insurance clients.
“The analysis would show how backups are stored, password hygiene, software patches and other valuable underwriting criteria,” Jardine says. “Customers are always nervous when asked to launch in-house scanning software on their network, so adoption is unlikely to happen anytime soon for all customers. But for those who are high risk or have a bad history of losses, it will likely become common practice.”