28th August 2019
If you bank online, check your credit card statements online, or even use PayPal, then you will be aware of the increased use of Multi-Factor Authentication (MFA), where as well as being asked for a username and password, you also receive a one-time passcode, often sent to your mobile phone or another email account. MFA (sometimes called two-factor authentication) allows an organisation to double-check that you are who you say you are before granting access to sensitive details, and it diminishes the risks arising from weak or compromised passwords.
MFA uses two out of three kinds of evidence to corroborate your identity, taken from:
- Something you know, such as your password or characters from a passphrase.
- Something you have, such as the phone or device that receives a one-time passcode.
- Something you are, a physical attribute such as a fingerprint, facial recognition or voice signature.
Insurers are increasingly requiring MFA before insuring businesses against cyber losses and IT security breaches. This relatively simple step towards increased security significantly reduces exposure to the majority of claims for business email compromise.
How can MFA protect an organisation?
We know of a case involving a public school in the UK where the Bursar received an email, apparently from Microsoft, requiring him to validate his log-in details. He clicked through to a Microsoft-branded page, entered his username and password, and saw a confirmation message. Sadly, the page where he entered his details was NOT a Microsoft page, and he had just handed his password to hackers. They were then able to use his password to gain access to his email account and parent data, and they used this information to request early payment of tuition fees from parents in return for an attractive discount. A handful of parents made the payments, and over £50,000 was lost to the hackers before the scam was detected. Had the school’s email system had Multi-Factor Authentication in place, the initial theft of the password would have been quite insignificant, with the hackers unable to progress any further than the school email log-in screen.
Is it complicated to implement?
The good news is that there are a number of very straightforward MFA solutions, and if you speak to your IT department or adviser they should be able to recommend how best to roll this out for your business. Quite frankly, we would be very surprised if this type of security did not become very commonplace, if not mandatory (by insurers at least), in the near future.
As we have outlined in our article Your Guide To Cyber Risk, this kind of security is just one element of what should be a dedicated cyber-risk strategy for your business; another key element is Cyber Insurance, to help you limit the damage in the event of an IT security compromise.
Please call Ian Burgess on 0117 325 0641 to discuss your requirements and understand the steps you can take to protect your company.