Ransomware – a demand for a monetary payment to regain access to one’s data or network – continues to rock the charts as cyber criminals’ go-to, get-rich-quick scheme. As we know, the pandemic spurred the work-from-home or hybrid movement that likely will continue for years to come. With more and more employees working from home, more data is being shared remotely, leaving the door open for missed or inadequate computer and technology security. Phishing and fraud schemes and social engineering methods used to demand ransom are particularly attractive as they target and take advantage of the number one security risk – a company’s people.
In light of the increased ransomware risk, there has been explosive growth for cyber insurance coverage resulting in insurance companies being obligated for massive payouts. In turn, prerequisites to obtain cyber coverage have also evolved, including but not limited to an internal security measure called multi-factor authentication (“MFA”). General single password-entry systems are no longer sufficient measures of protection. Password theft is common, as many individuals use the same password on every system they access and one of those systems has been compromised at one time or another.
Multi-factor authentication isn’t a new concept, but the topic has been hot and a sticking point as insurers evaluate the solutions and policies required for cyber insurance coverage in light of the exponential uptick in ransomware attacks.
What is MFA? Multi-factor authentication is an additional level of security to common passwords. When logging into a system, program, or device with a password, MFA requires the user to receive and enter a second form of authentication that can be sent via text, call, email, or some other code to gain access. My colleague Scot Ganow wrote about this years ago in his PDS blog post (he would call it a plea), “Multi-Factor Authentication (MFA). Please. Do it. Now.” Some may consider MFAs a bit of an annoyance, as it is an extra step in the login process. While that may be true, MFAs are relatively simple to use and implement, comparatively low cost, and quite effective in preventing threat actors from attempting to gain access to a system.
The cost-benefit analysis is a no-brainer as the average ransomware payout is in the millions, and MFAs reportedly block 99% of attempted attacks. Implementing an MFA is a simple and effective step to proactively prevent breaches when a threat actor strikes. And, in the end, let’s face it. Security is not supposed to be convenient. Trust us, the relatively few additional seconds it takes to log into an account is nothing compared to the days and weeks (and dollars) spent trying to recover from a security incident. And if that is not enough, how about you do it just to get or simply keep your cyber insurance? Indeed, carriers are requiring it to get insurance and may deny coverage if you don’t have it in place. Again, heed the plea: Multi-Factor Authentication (MFA). Please. Do it. Now.
Taft’s Privacy and Data Security attorneys and Intellectual Property attorneys can assist with questions related to implementing multi-factor authentication security protections and the best course of action for approaching cyber insurance coverage. Stay tuned to Taft Privacy and Data Security Insights, or download our PDS mobile app for more news and information.