As a result of the surge in ransomware attacks, cyber insurance underwriters are raising the bar for renewals and purchases. A variety of security measures are now required of insureds, including Multi-Factor Authentication (MFA), Identity and Access Management (IAM), and Privileged Access Management (PAM). It is, however, not as easy as it seems to manage Service Accounts and MFA. Many insureds still struggle to stop ransomware threat actors from gaining access to their company’s infrastructure. The Cyber Insurance Academy has gathered industry experts from all corners of the cyber insurance industry to share insights on measures that cyber insurance professionals can take to prevent this risk from turning into a claim.
The Cyber Insurance Academy was delighted to host Industry Peers from Silverfort and Tokio Marine HCC as we dove into this topic during this month’s Fireside Chat. We spoke with Hed Kovetz, CEO and Co-Founder of Silverfort, and Simon Calderbank, Cyber Underwriting Manager at Tokio Marine HCC.
Read more about Service Accounts here.
The Importance of MFA and Identity Security to Insurers
In recent years MFA has become increasingly necessary for service accounts. In 2019, when ransomware was on the rise, insurers sought ways to reduce the likelihood of cyber claims. One of the areas of interest was access controls: how they were being managed and how users were getting access to them. In 2020, when COVID hit, companies had to provide fast-tracked solutions for access control from various remote locations, and this led to a rise in concern from insurers, because if the wrong people got access to usernames and passwords it could lead to major problems. As a result, the standard username and password became slightly obsolete: in general, humans reuse the same passwords across the same types of systems, making these access controls much easier to hack. This led to the implementation of multi-factor authentication (MFA) for those requesting access from remote locations. As Simon explained, “The use of MFA has meant that companies are able to verify and authenticate those who are accessing the systems a lot easier… We’ve also then seen this introduction to privileged access which I think is equally important and if not more so.” Privileged access implies that there is one account for day-to-day work and another for more privileged activities, and ideally both should use MFA.
From a more technical perspective, Hed added, “It’s very clear that identity is becoming almost the go-to attack surface for attackers. They know that if they have a compromised user identity or even better if they have a privileged identity they can access everything through the front door, they don’t need to find any vulnerability…Security controls such as multi-factor authentication and privileged access management are mitigating a lot of the risk. They are actually doing a great job defending against these attacks.” Companies have found the value in using MFA but the problem still remains: they struggle to implement MFA broadly and cover all of the systems.
MFA Barriers to Implementation
It’s not that solutions like MFA and privileged access are not secure; they are doing a great job, but they are only protecting some resources. The first challenge is modernization. A lot of systems were built on legacy authentication protocols, which are old, and getting rid of them by modernizing all these different applications is not always feasible. The second challenge is related to privileged access and non-human identities. When a company onboards a service account it has to modify it without knowing which other applications use the same identity, and that can break everything that depends on the account. Hed added, “How do you protect these accounts without actually breaking anything? It’s very challenging, it takes a long time, but the problem is attackers know it and attackers are going after these blind spots intentionally.”
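The blind spot described above (not knowing which applications depend on a service account, and which of them still authenticate over a legacy protocol) is something a defender can inventory from authentication logs before changing the account. The script below is an added example, not code from the original post or from Silverfort or Tokio Marine HCC. It assumes a constructed key=value log format, a `svc_` naming convention for service accounts, and a list of protocols treated as legacy, all of which are assumptions for illustration only.

```python
import re
from collections import defaultdict

# Constructed sample authentication events (not from any real system).
# Each line records which account authenticated, from which source host,
# over which protocol, and whether it succeeded.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z account=svc_backup src=fileserver01 proto=Kerberos result=success
2024-03-01T08:00:07Z account=svc_backup src=fileserver02 proto=Kerberos result=success
2024-03-01T08:01:12Z account=svc_backup src=legacy-app07 proto=NTLM result=success
2024-03-01T08:02:45Z account=svc_sql src=dbhost01 proto=Kerberos result=success
2024-03-01T08:03:10Z account=svc_sql src=dbhost01 proto=Kerberos result=success
2024-03-01T08:04:00Z account=jdoe src=laptop-jdoe proto=Kerberos result=success
2024-03-01T08:05:33Z account=svc_monitor src=monitor01 proto=LDAP-simple result=success
2024-03-01T08:06:02Z account=svc_monitor src=monitor02 proto=LDAP-simple result=failure
"""

# Assumed log layout: timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) "
    r"proto=(?P<proto>\S+) result=(?P<result>\S+)$"
)

# Assumption: protocols that cannot carry a second factor and are
# treated as legacy for the purposes of this inventory.
LEGACY_PROTOCOLS = {"NTLM", "LDAP-simple"}


def is_service_account(name: str) -> bool:
    """Assumed naming convention: non-human identities start with 'svc_'."""
    return name.startswith("svc_")


def inventory_service_accounts(log_text: str) -> dict:
    """Map each service account to the hosts and protocols that use it.

    Failed attempts are counted as dependencies too: something is still
    configured to use the account even if the credential is currently wrong.
    """
    inventory = defaultdict(lambda: {"sources": set(), "protocols": set(), "events": 0})
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        fields = match.groupdict()
        if not is_service_account(fields["account"]):
            continue
        entry = inventory[fields["account"]]
        entry["sources"].add(fields["src"])
        entry["protocols"].add(fields["proto"])
        entry["events"] += 1
    return dict(inventory)


def change_impact_report(inventory: dict) -> dict:
    """Summarise, per account, what would be affected by rotating it or
    enforcing MFA on it: the dependent hosts and any legacy protocols in use."""
    report = {}
    for account, info in inventory.items():
        legacy = sorted(info["protocols"] & LEGACY_PROTOCOLS)
        report[account] = {
            "dependents": sorted(info["sources"]),
            "legacy_protocols": legacy,
            # An account with several dependents or any legacy protocol
            # needs coordination before it is changed.
            "needs_coordination": len(info["sources"]) > 1 or bool(legacy),
        }
    return report


if __name__ == "__main__":
    for account, row in change_impact_report(inventory_service_accounts(SAMPLE_LOG)).items():
        print(account, row)
```

Run against the sample, `svc_sql` is used from a single host over Kerberos and could be changed with little coordination, while `svc_backup` is shared by three hosts, one of which still uses NTLM, and `svc_monitor` only authenticates over simple LDAP binds. The human account `jdoe` is excluded by the naming convention. In practice the log source would be a domain controller or identity provider export, and the legacy-protocol set would follow the organisation's own modernization plan.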
Implementing MFA and Privileged Access for Service Accounts
There are ways to help implement MFA and privileged access for service accounts, despite the challenges. It is paramount to understand where company deficiencies lie, to recognize them, and to put a plan in place to get to a certain stage of protection. Simon adds, “I think the one area we are seeing it happen more is, as companies move to the cloud, we’re beginning to see more exclusion built into their networks and with that, more MFA.”
Both Simon and Hed offered key pieces of advice for underwriters and brokers when they are advising clients or assessing their clients’ MFA and privileged access implementation. The first is to make sure clients add security solutions that cover more than one case, so they do not end up with a million different point solutions: “finding a solution that really can bring MFA and identity security everywhere is very important,” says Hed. The second is to help them extend their chosen solution to as many places as possible, building the connective tissue that unifies these different platforms along with MFA and privileged access. Otherwise, too many different tools expand the attack surface, and threat actors look for the weakest spot and take advantage.
In conclusion, Simon says, “MFA is not the end all be all of everything but it’s a very important step to getting the best terms you can from your insurers. I think particularly in a time when people are trying to buy more insurance, the more things you can stack in your favor to make you more attractive to underwriters the better.” So, all in all, although MFA is difficult to implement and takes time, this is an investment and it is going to result in a better insurance policy with better rates and lower deductibles.