Advice from an expert on cyber insurance

Mike Foster has been keeping the “bad guys out” for 25 years.

Cybersecurity expert, CEO of the Foster Institute, and author The Safe CEO: How to Protect Your Computers, Your Company, and Your JobFoster has consulted with organizations across North America and speaks internationally on cyber security issues.

Foster’s mission is to “make the world a safer place to live and work.”

One of his consulting responsibilities is preparing business owners, CEOs, and IT professionals to implement and renew cyber insurance. Below is a discussion of common questions insurance companies may ask and Foster’s tips on how to answer them:

Why do insurance companies ask if an organization uses two-factor or multifactor authentication?

Foster said the main reason for multifactor authentication is to prevent an attacker from gaining access even after obtaining a user’s username and password.

Foster: The most important two-factor authentication method is text messaging. The user enters their username and password, then receives a text message with a code that they must enter to complete the login, which increases login security. Other options are more secure than texting, but texting is common.

One of the reasons we require multi-factor authentication is that some users have a tendency to reuse the same usernames and passwords on multiple sites.

When attackers get a username and password for one site or service, they try the same username and password on other sites such as LinkedIn, Facebook, and Microsoft 365. The attacker then starts linking the same username and password to all of these other applications. pages to see if it works, that’s called credential stuffing. Bad guys use this method to confuse people who have already used their passwords.

This is why multifactor authentication is so important. Even if the bad guy has a username and password for each user, the bad guy still can’t log in because he doesn’t have a second one. Attackers can bypass authentication for many things, but these security controls make access more difficult.

Why do insurance companies ask if an organization provides password management tools to users?

Foster: The beauty of a password manager is that users don’t have to worry about remembering passwords. Remembering passwords is the main reason people reuse them.

When users have different passwords for all their logins, authentication fails.

Why do insurance companies ask if an organization provides password management tools instead of being content with users allowing their browsers to remember passwords?

Foster: Most browsers now – such as Edge, Firefox, Chrome, or Safari – will ask you: Do you want to remember your password? That is not a password manager. So don’t forget to remember passwords. Using a password manager can be more secure than storing passwords in a browser because attackers often have simpler browsers than password managers. Attackers always try to get into the browser. That’s what they do.

A password manager is a separate piece of software, and often has a so-called plug-in to integrate with your browser. However, it can be more difficult for a hacker to find usernames and passwords in a password manager than in a browser. Although browser manufacturers do a great job of trying to keep browsers secure, insurance companies are encouraged if users have password managers.

Why do insurance companies ask if an organization uses geo-blocking or geo-filtering?

Foster said geo-filtering or access to country settings can block connections or authentication requests based on location.

Foster: If you have people logging in from other countries such as the United States, Canada, Mexico, and Europe, then set up all your systems to only accept logins from those countries. That way, if someone tries to log in from another country, they won’t get a chance. They are only hitable, which will defeat most threats.

Now there can be an attacker in another country, and they can use proxying, which means that the attacker can interfere with a computer in the United States, for example, and try to access it through a computer located in an authorized location.

Just because you surf countries X, Y, and Z doesn’t mean someone in that country can’t beat you up. It just means that the person must have a proxy in the computer in the United States or elsewhere and try to log in through the proxy.

Why do insurance companies want to know if users are local managers?

Foster: If you’re using Windows and Apple computers out of the box, which is what some small companies are starting to do, users have local administrative privileges, which can be a security risk because local administrators can install programs and execute general information. .

If an attacker compromises a login account, the attacker will have the same privileges as the compromised user. This is why users need to be given limited access to do their work. Chances are something you can change. Whether you’re logging into Microsoft 365, Windows, or an Apple operating system, you definitely want your users to be regular users.

By default, operating systems give users a huge advantage if it’s a family computer and people want to take their computer home from the store and install software. It is a deliberate step to create a second account to be an administrator and limit the user’s daily access. This method is defined as creating a default user or making him/her no longer an administrator.

It is important to have a local administrative account in case a user or IT professional needs to install software or perform other administrative tasks. But the user authenticates to an account with limited access to make it difficult for the attacker to compromise the system if the user makes a mistake such as clicking on an email link that connects to a server the attacker controls. Converting all users to group users can sometimes break apps. Therefore, making changes is not always easy, but it is necessary to investigate, and often users will not notice the difference. This topic can be another story.

– To comment on this article or suggest another article, contact Kevin Brewer at Kevin.Brewer@aicpa-cima.com.