- I’m too big to be a target because I have a whole department responsible for cybersecurity.
- I’m too small to be a target because cybercriminals don’t attack small companies.
If you think either statement is accurate, you are wrong.
The recent cyberattack at MGM Resorts shows how a large company, even with extensive cyberprotection, can be vulnerable. Although MGM has yet to confirm it, simple vishing (phishing by phone call, as opposed to by email) reportedly defeated expensive security at MGM. Verizon’s 2023 Data Breach Investigations Report indicates 74% of breaches involved a human element, which includes social engineering.
According to Reuters, a group called Scattered Spider is responsible for the attack. Reportedly the hacker looked up information on LinkedIn and then called the MGM support desk to change a password.
The cost of not using MFA
If multifactor authentication (MFA) had been active, the hacker would have needed more than just an ID and password to perpetrate this incident. Analysts estimated that MGM would lose $8.4 million a day while recovering from this hack.
Small businesses don’t have the extensive resources to monitor, respond to and survive cyberattacks. Nefarious actors are aware of this and disproportionately target smaller businesses. The average U.S. business experiences 42 cyberattacks each year, according to the “2022 US Cybersecurity Census Report” from Keeper. Dr. Jane LeClair, COO of National Cybersecurity Institute, has said, “50% of small to medium-sized businesses have been the victims of cyberattack and over 60% of those attacked go out of business.”
Human error continues to be a significant vector for cyber targeting. For access control and authentication, MFA is a simple but effective way to mitigate the risk. OneLogin Inc., a cloud-based identity and access management provider, says, “In addition to combating common cyberattacks, MFA is also effective at preventing ransomware attacks.” MFA requires more verifying information than just a login ID and password, which keeps most attempted cyberattacks out of your system.
MFA fatigue?
ID Federation is an organization created by peers in the insurance industry to help agents both be cybersecure and improve their operational efficiency. Using a different MFA process to connect to each of 10 to 12 carrier partners is operationally inefficient for an agency user. ID Federation has created a Trust Framework, SignOn Once™, to share credentials from your agency management system with carrier partners without having to re-enter the information. ID Federation supports MFA for improved security. Working together, agents, carriers and technology providers can achieve ID Federation’s goal to enable agencies and carriers to maintain the highest level of cybersecurity with operational efficiency.
Encourage your carriers to participate in ID Federation
Help make the industry more secure. Agents don’t need a different MFA for each carrier partner. Use your management system credentials to securely access carrier agent portals. This is in production today with the two primary management system providers — Applied Systems and Vertafore — and with carrier partners like The Hartford and Nationwide. If your preferred carriers do not yet participate, petition them with our automated request letter.
Alvito Vaz is executive director of ID Federation. He is a long-time participant in AUGIE and has held business and technology leadership roles at Progressive and Travelers. He can be reached at alvito@idfederation.com.