With the approach of cybersecurity month in October, the press will be full of horror stories about cyberbreaches and everything you need to do to keep your data safe. Not every agency needs to implement multifactor authentication (MFA) to secure itself. Yes, MFA is a simple and effective way to reduce your exposure to cyberthreats. But is it necessary?
It makes sense to use a risk-based, common-sense method to evaluate whether adding an MFA process is a worthwhile increase in cyberprotection. If you can answer “yes” to all the questions below, the risk-reward trade-off may not justify an MFA process for your agency. But as in all risk-based evaluations, there is always the opportunity to reduce risk further by taking additional action.
- Are your employees trained and aware? You should conduct cyber training for new employees and provide regular ongoing training for all employees. Training should be updated every six to 12 months to reflect the changing nature of cyberthreats.
- Do you monitor and run penetration testing for social engineering attacks? Tripwire, a company that has protected the world’s leading organizations against cyberattacks, documents six types of social engineering attacks. These are: phishing, pretexting, baiting, quid pro quo, tailgating and CEO fraud. They span both digital and physical methods of gaining an individual’s trust. Most attempts will fail, but the danger of social engineering attacks is that it only takes one successful attempt to put the entire organization in jeopardy.
- Do you have an air-gapped network? To air gap means your network must operate in complete isolation — so your network computers must be physically disconnected from the internet and any other unsecured networks. An air gap, or digital isolation, is the only impenetrable barrier to unauthorized digital access.
It is unlikely, however, that you can air gap your systems and still operate a business. Instead, you should logically air gap and segregate your access points to prevent unauthorized access and intrusion. A logical air gap keeps the physical connection but implements logical isolation from the rest of the network. This logical security configuration, often referred to as a DMZ, restricts connections to only authorized and secure access points.
- Do you have a method for secure remote access? If your employees connect to your private network from a public location — like Starbucks, an airport or hotel — it is possible for nefarious individuals to “sniff” out security credentials and even data during that connection. A Deloitte article notes that “… over 80% of breaches involved the use of weak or stolen passwords.”
- Do you scan inbound email content, including links and attachments, for security? Security researchers identified a 48% increase in cyberattacks targeting email accounts in the first half of 2022. Deloitte validates the risk of email, reporting that “91% of all attacks begin with a phishing email” and “32% of all successful breaches involve the use of phishing techniques.”
- Are you meeting your regulatory, carrier contract, and cyber policy compliance requirements? The New York Department of Financial Services (NY DFS) adopted insurance-specific requirements around cybersecurity and data protection. The National Association of Insurance Commissioners (NAIC) has adopted some of these into a model law. Vermont was the 23rd state to pass a cybersecurity law based on the NAIC model law; H.515 (Act 139) took effect on January 1, 2023. Additionally, carrier contracts and cyber policy conditions may require use of MFA to protect against cyberbreach. Some cyber policies reduce or eliminate the coverage if the MFA requirements are not met.
If you are not able to answer “yes” to all six of the questions above, you should consider an MFA solution as the first step toward protecting your digital environment. Though not foolproof, MFA is a simple solution that prevents most cyberattacks.
Microsoft supports one of the largest cloud networks and reports that it receives over 300 million fraudulent sign-in attempts to its cloud services every day. Microsoft says, “MFA can block over 99.9% of account compromise attacks.”
Do you feel lucky?
The average U.S. business experiences 42 cyberattacks each year, according to the “2022 US Cybersecurity Census Report” from Keeper. When it comes to cybercrime, it’s more likely than not that your agency will be targeted. MFA creates an additional layer of security that can’t be easily compromised.
ID Federation is a nonprofit organization, founded by insurance industry peers, to help insurance partners improve cybersecurity with operational efficiency. You don’t need a different MFA sign-on with each of your carrier partners. Use your management system credentials to securely access carrier agent portals. This is in production today with the two primary management system providers — Applied Systems and Vertafore — and with carrier partners like The Hartford and Nationwide.
Encourage your carriers to participate in ID Federation to make the industry more secure with operational efficiency for independent agents.
ID Federation is a member of the Agents Council for Technology (ACT), under the Big “I” umbrella. For help in protecting your agency, refer to the ACT Agency Cyber Guide 3.0 — developed through a collaborative process with technology providers, agents and carriers.
Alvito Vaz is executive director of ID Federation. He is a long-time participant in AUGIE and has held business and technology leadership roles at Progressive and Travelers. He can be reached at alvito@idfederation.com.