It was around 10:30 pm on a Saturday night when the email came in. One of the few on-duty employees read it and assumed it was a joke or some form of spam. The email said the network had been locked, and the company would need to pay a ransom of $400,000 to regain control of its system. Unfortunately, the email was not a joke. By Sunday morning, the company’s executive team realized the gravity of the situation. They had been hacked, and their network was now under the control of an anonymous bad actor.
The team contacted their insurance company and spent a tense 24 hours negotiating with the hackers. Eventually, a compromise was reached. The business paid $150,000 to regain control of its network. Fortunately, their network was still functional. An IT audit determined that no customer, vendor, or company information had been compromised, which was a lucky break. The audit also found that the hack had occurred when an employee clicked on a questionable link in a phishing email.1
If this story sounds unbelievable, think again. It’s one of the thousands of cyberattacks that are launched against American businesses every year. In fact, the annual damage from cyberattacks is expected to hit $10.5 trillion by 2025. That’s a 300% increase from 2015.2
The rise in cyberattacks has also led to a rise in cyber insurance. Not too long ago there was only a handful of carriers that offered cyber insurance, and most clients had to be convinced of the value in buying it. Now there are nearly 50 insurers available and clients know cyber coverage is necessary. Underwriting for cyber insurance has also evolved as cyberattacks have increased in frequency. There was a time when having a Virtual Private Network (VPN) alone was enough to not only qualify for cyber insurance but also compete for the best rates.
Today, utilizing only a VPN may not even be enough to qualify for a policy. Insurers want companies to have not only a VPN but also Multi-Factor Authentication (MFA) for remote network access and other key areas such as privileged user access or access to back-ups/cloud storage. Unfortunately, many clients don’t understand the need for both a VPN and MFA on the same network. However, if they’re overlooking the importance of MFA, clients will miss out on competitive pricing or be declined for coverage altogether.
WHY COMPANIES NEED BOTH VPN AND MFA
A VPN can be a powerful tool for protecting a private network. A VPN establishes a protected network connection when using public or external networks. VPNs improve network safety by encrypting internet traffic in real-time and hiding employee IP addresses by redirecting traffic through an appropriately configured remote server run by a VPN host. This makes it more difficult for third parties to track online activity and steal data because they cannot see which websites are visited or what data is sent or received online.7 Remote employees log in to the VPN and access the network securely as if they were sitting in the office. The VPN creates an encrypted tunnel between the remote user and the private network, ensuring security and safety. However, the weakness of a VPN is the entry point. Users have to log in to access the network. That means anyone who obtains an ID and password to the network can log on to the VPN. Once they’re in, they have access to the entire network. In fact, the FBI warned that attacks on VPNs steadily increased throughout 2022.3
The way to minimize this risk is with MFA. When a company uses MFA, the employee has to verify their identity when trying to log in to the network. MFA is an authentication method that requires the user to provide two or more verification factors to access an application, online account, or a VPN. MFA is a foundational component of any strong identity and access management (IAM) policy. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which significantly decreases the likelihood of a successful cyberattack. One of the most common MFA factors that users encounter are one-time passwords (OTP). OTPs are 4-8 digit codes often received via email, text message, or mobile app. With OTPs a new code is generated periodically or each time an authentication request is submitted.8 The individual enters that code as verification before joining the network. MFA is vitally important because it greatly minimizes the single greatest risk to cybersecurity - human error. All it takes is one employee’s response to a phishing email disclosing their login information to put a company’s network and data at risk. MFA prevents that information from being used, even if an employee has made a mistake.
HOW INSURANCE COMPANIES VIEW VPN AND MFA
Insurance companies have been clear about the importance of MFA when it comes to obtaining cyber insurance. It’s now become table stakes for the vast majority of carriers. There was a time when insurers were flexible regarding the tools a business used to protect itself from cyberattacks. That’s no longer the case. For many insurers, MFA is a simple “yes or no” question on the application. Either you have it or you don’t. If businesses don’t require MFA when their employees log in remotely to the system, the business may struggle to qualify for insurance.
Out of the 40-50 insurers that now offer cyber insurance, there are likely less than 10 that will offer it to a company that doesn’t require MFA. It is considered vitally important because it protects the two most common cyber vulnerabilities - remote email access and remote network access. Hackers will often target lower-level employees with phishing campaigns in an attempt to obtain their IDs and passwords. If one employee responds to the phishing email, the entire network is vulnerable. MFA adds another level of protection.
Unfortunately, what it takes to maintain strong cyber security is often either misunderstood or low on the list of priorities for many U.S. businesses. The most recent usage statistics for two-factor authentication show a low number of both small and large businesses using multi-factor authentication tools. However, companies are now more likely than ever to be targeted by cybercriminals, so every layer of additional protection matters.6 Often, insurance applicants will report that they don’t need MFA because of other protections they’ve added through their VPN. The business may include information with their application that details other steps they’ve taken to protect their network. However, that information usually doesn’t influence the underwriting decision. From the underwriters’ perspective, they’re reviewing a myriad of applications and want a simple answer regarding whether or not a client has MFA in place for remote employees.
Not even VPN companies themselves are safe from cyber-attacks. In 2018, NordVPN, a widely-used VPN service, was the victim of a cyberattack. How did the hackers gain access? By obtaining login information for NordVPN’s remote network.4
Cyber risk is a reality for any company that allows remote access, even if using a VPN. Cyber insurance can help minimize losses and protect a business. However, cyber insurance is much like any other type of insurance. Underwriters want to see that applicants are taking appropriate steps to protect themselves and reduce exposure. Businesses that use both VPN and MFA are in the best position to qualify for optimal insurance and compete for the best rates. Contact your local CRC Group Producer today to learn how we can help your clients best leverage cyber insurance to protect their businesses.
- Dan Myer is a Director with the ExecPro Practice Group and a Broker with CRC Group’s Tampa, FL office.
- Small Business Hit with $150,000 Ransomware: Here's What Happened Next, PTG, June 15, 2020. https://blog.goptg.com/small-business-hit-with-ransomware-what-happened-next
- New Survey Reveals $2 Trillion Market Opportunity for Cybersecurity Technology and Service Providers, McKinsey & Company, October 27, 2022. https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/new-survey-reveals-2-trillion-dollar-market-opportunity-for-cybersecurity-technology-and-service-providers
- FBI Warns Poorly Protected VPN Servers Are Under Attack, Blackberry Blog, October 31, 2022. https://blogs.blackberry.com/en/2022/10/fbi-warns-poorly-protected-vpn-servers-are-under-attack
- A Popular VPN Service Provider Announces Data Breach - What You Should Know, Norton, 2022. https://uk.norton.com/blog/emerging-threats/nordvpn-confirms-data-breach---what-you-should-know
- Cybercrime Damages To Cost The World $7 Trillion USD in 2022, Newswires, August 10, 2022. https://www.einnews.com/pr_news/585389499/cybercrime-damages-to-cost-the-world-7-trillion-usd-in-2022#:~:text=Cybercrime%20Damages%20To%20Cost%20The%20World%20 %247%20Trillion%20USD%20in%202022,-News%20Provided%20By&text=SAUSALITO%2C%20CALIF.%2C%20USA%2C,2022%2C%20according%20to%20Cybersecurity%20Ventures
- Two-Factor Authentication Statistics: A Good Password is Not Enough, DataProt, November 2, 2022. https://dataprot.net/statistics/two-factor-authentication-statistics/#:~:text=Only%2026%25%20of%20companies%20use%20multi%2Dfactor%20authentication
- What is VPN? How It Works, Types of VPN, Kaspersky, 2022. https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn
- What is Multi-Factor Authentication (MFA) and How Does it Work?, OneLogin, 2022. https://www.onelogin.com/learn/what-is-mfa