Canadian Underwriter

The future of cyber-security: MFA and beyond

June 17, 2022   by Jason Contant

Print this page Share

Here’s some cyber security advice for your clients: time to install multi-factor authentication (MFA).

In the future, that advice may morph to: Please send us a scan of all your tech vulnerabilities, so we can see what cybercriminals see.

As of this moment, telling your clients passwords alone are secure and that cybercriminals won’t likely target their business is tantamount to providing them with a false sense of security, a cyber insurance specialist says.

Cyber insurers are now often requiring businesses to implement MFA as a condition for obtaining cyber insurance coverage. That said, it can be difficult for brokers to convince clients MFA is now standard, says Neal Jardine, global cyber risk intelligence & claims director with BOXX Insurance Inc.

“Brokers might find it difficult to overcome the false sense of security around passwords held by clients, as clients don’t understand the risks of not having MFA in place until they have had a breach,” Jardine tells Canadian Underwriter. “Brokers are experts in insurance and helping clients become aware of the risks they face and the opportunities to transfer that risk through insurance.

“It’s the client who doesn’t understand the risks faced operating without MFA that we as an industry need to make them aware of.”

Cybersecurity and two-step authentication

In general, people don’t see the need for MFA as they view passwords as secure, “not realizing that an eight-character password – with a mix of numbers, uppercase letters and lowercase letters and symbols – can be cracked by a cybercriminal using automation in less than eight hours,” Jardine says.

A password without MFA is at its most vulnerable when used across multiple sites. This can lead to attacks such as “credential stuffing,” when a cybercriminal uses a stolen password and variations on the same username across multiple sites in an attempt to gain access, Jardine says.

“We see this happen often after a large data breach involving usernames and passwords. Cybercriminals will use the known credentials in the data breach to try and breach other sites.”

In the future, companies may start requiring that end users are given the least amount of privilege, for example. Most companies have already adopted some form of the principle of least privilege by restricting users from installing programs, changing passwords, or surfing the web, Jardine says. “It’s likely that this control will continue and be further used in the future to limit data that users can access to only the areas needed, when needed.”

Users are often given access to data throughout the organization for collaboration. But by restricting user access, it helps to limit the spread of malware and decrease the chances of cyberattacks, Jardine says.

“Looking forward, we may also see a requirement that companies over a certain threshold or who have had a previous cyber loss demonstrate their security posture through internal scans,” he says.

Currently, most cyber insurers scan clients externally to see what the cybercriminals see and secure areas that appear weak or unpatched, Jardine explains. Internal scans would be similar to a property inspection report performed for high-risk property insurance clients.

“The scan would show how backups are stored, password hygiene, software patching and other valuable underwriting criteria,” Jardine says. “There is always a concern by clients when asked to launch internally scanning software on their network, which is why we are unlikely to see this adoption occur anytime soon for all clients. But for those that are high-risk or with a poor loss history it’s likely to become standard practice.”


Feature image by