Practice One: Implementing Multifactor Authentication, the First Line of Defense
Multifactor Authentication
Relying on a username and password isn’t enough to protect your personal and work accounts. Not having an additional layer of protection leaves you, your organization and your bank accounts, among other things, vulnerable. What’s needed for organizations and individuals is a method that does not rely simply on what you know (e.g., username and password) but adds the requirement of verifying who you are in order to access online services and accounts.
To prevent an attacker from getting elevated permissions, an organization must lock down its admin accounts. How? According to Ken Morrison, Assistant Vice President of Cyber Risk Management at Travelers, the best way to start is by adopting a policy of never implicitly trusting a user’s identity (known as “Zero Trust”), especially if that user is trying to log in with a privileged account or trying to log in remotely. Requiring every user trying to connect with an admin account to prove who they are, or “authenticate,” with more than one piece of information is a technique known as multifactor authentication (MFA).
MFA requires two or more independent factors to verify the legitimacy of an account access attempt: something you know (like a username and password), something you have (like a one-time password from an authenticator app linked to a specific device) and something you are (a biometric, such as a thumbprint or eye scan).
MFA is usually a two-step authentication method but can require more. After providing a username and password, the next level of authentication might include a one-time passcode sent to the user’s smartphone or email account, for example.
“It’s usually cheap, it’s often easy and it’s very effective,” noted Tim Francis, Travelers’ Enterprise Cyber Lead, recommending that every company deploy MFA as their first line of defense. MFA is also the top security recommendation from the Cybersecurity and Infrastructure Security Agency (CISA) to prevent unauthorized admin access.
Val Cofield, Chief Strategy Officer of CISA, stressed the importance of using this layered approach to securing online accounts and the data they contain. While speaking at the Travelers Institute’s cybersecurity education program at the New York Stock Exchange, Cofield shared insights into the need for an increase in MFA use by individuals and organizations.
“While this basic security practice may seem elementary to many of those in the tech field, it is an action that is not being deployed by average, everyday technology users and critical infrastructure operators and owners. In today’s environment, technology consumers should not have to opt in but rather opt out to critical basic security like MFA,” she said.
According to Francis, “The overwhelming majority of cybersecurity insurance claims are things that could have been prevented and organizations had the means to prevent. Having MFA in place is No. 1. Other preventive measures include updating and patching systems and having backups. When these are not done, it shows up in the claims.”