With any luck, you’ve come across this post about saving money on cyber risk insurance as part of a proactive vendor selection or shopping process. Another probable scenario is that you’re already insured, and you’re simply exploring less expensive options. Either way, you’ve most likely thought to yourself at one point in time, “Why is this so expensive?” and “What can I do to lower the premium?”
Before we get into the best way to save on cyber insurance, let’s quickly explore why it actually costs so much. The major contributing factor is that breaches and claims have cost providers an obscene amount of money in recent history. In 2023, providers coughed up more than $8 trillion that can be directly attributed to cybercrime. Not exactly pocket change, right?
The average cost of a data breach for businesses under 1,000 employees was close to $3 million, and these costs are coming from activities that cyber insurers typically cover, such as detecting and responding to the breach. With liability limits ranging from $1 million to $5 million, cyber insurance policies can cover a good chunk of the damage caused by a data breach.
Remember, insurance providers are accustomed to stacking cash. So, when they’re hemorrhaging money, they tend to significantly increase the cost(s) of service, if they haven’t decided to leave the market altogether. Fewer providers, more uncertainty about the true cost of risks, and the growing number of incidents are all likely reasons that the cost is too damn high!
Most cyber insurance underwriters mandate that specific security controls be in place to qualify for a policy. These may include a firewall, antivirus/EDR software, employee training, backups at an offsite facility, and other elements such as secure account provisioning. Most notably, nearly all cyber insurance providers now require companies to implement passwordless multi-factor authentication to avoid facing penalties, sublimits, exclusions, or denial of policies.
This stance is echoed and supported by governments around the world, from Executive Order 14028 in the US to the Cyber Essentials standard being implemented in the UK. Governments and providers alike emphasize a distinct preference for passwordless MFA if companies hope to receive cyber insurance. Without question, removing the most risk-prone attack vector, passwords, is the best way to ensure you’re not going to pay an arm and a leg for your coverage. Long story short, if insurance providers see that you’re taking the requisite measures to reduce your attack risk(s), your rate will go down.
Passwordless MFA eliminates the need for traditional passwords, instead using methods like hardware keys, smartcards, biometrics, or mobile devices for user verification. Unlike legacy MFA, which typically involves a password as the first verification step followed by an additional security factor, passwordless MFA enhances security and user convenience by removing passwords from the process entirely. With legacy MFA, you authenticate only once. With passwordless and unphishable MFA, the user is continuously authenticated, and access is adjusted based on risk. More on the difference between legacy and passwordless MFA here.
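As an added illustration (not code from the original post or from Keytos), the following Python model contrasts the two flows: a legacy password-plus-code login, where both factors are bearer secrets that a proxy can relay unchanged, and an origin-bound passwordless assertion, where the authenticator signs over the site identifier the browser supplies. The class and function names and the HMAC stand-in for a FIDO2 signature are assumptions of this example.

```python
import hmac
import hashlib
import secrets

# Constructed model of the two flows. A real FIDO2/WebAuthn authenticator holds a
# per-site key pair and signs the challenge together with the relying-party ID that
# the browser derives from the page origin; a per-site HMAC secret stands in for
# that signature here so the example runs with the standard library only.


class Authenticator:
    def __init__(self):
        self._keys = {}  # rp_id -> per-site secret created at registration

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]  # the RP stores this (a public key in reality)

    def assertion(self, rp_id, challenge):
        # rp_id comes from the browser, not the user: a lookalike domain either
        # has no credential at all or gets a signature bound to its own name.
        key = self._keys.get(rp_id)
        if key is None:
            return None
        return hmac.new(key, rp_id.encode() + b"|" + challenge, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.cred = None

    def register(self, auth):
        self.cred = auth.register(self.rp_id)

    def verify(self, challenge, assertion):
        if assertion is None:
            return False
        expected = hmac.new(self.cred, self.rp_id.encode() + b"|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def passwordless_login(rp, auth, origin_seen_by_browser):
    """origin_seen_by_browser is the site the browser is really on when it asks the authenticator."""
    challenge = secrets.token_bytes(32)  # issued by the genuine relying party
    return rp.verify(challenge, auth.assertion(origin_seen_by_browser, challenge))


def legacy_login(stored_pw_hash, otp_secret, counter, password, code):
    """Password + HOTP-style code: both are bearer values, so whoever captures them can replay them."""
    pw_ok = hmac.compare_digest(stored_pw_hash, hashlib.sha256(password.encode()).digest())
    expected = hmac.new(otp_secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return pw_ok and hmac.compare_digest(expected, code)


def demo():
    auth, rp = Authenticator(), RelyingParty("login.example.com")
    rp.register(auth)
    genuine = passwordless_login(rp, auth, "login.example.com")
    relayed = passwordless_login(rp, auth, "login.examp1e.com")  # lookalike relaying the real challenge
    pw_hash, otp_secret = hashlib.sha256(b"hunter2").digest(), secrets.token_bytes(20)
    code = hmac.new(otp_secret, (1).to_bytes(8, "big"), hashlib.sha1).digest()
    legacy_relayed = legacy_login(pw_hash, otp_secret, 1, "hunter2", code)  # captured values replayed verbatim
    return genuine, relayed, legacy_relayed
```

`demo()` returns `(True, False, True)`: the genuine passwordless login succeeds, the relayed assertion is rejected because it is bound to the lookalike origin, and the relayed password-plus-code pair is accepted, which is exactly the gap underwriters are pricing in.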
We suggest taking some time to read our post, “How to Go Passwordless in Entra ID – The Ultimate Guide”. Written by former Microsoft PKI Engineer and Keytos CEO Igal Flegmann, it gives you a very granular and detailed look at the best way to go passwordless, regardless of your current infrastructure. Some of the key considerations explored in the post include which credential to select, on-prem vs cloud/hybrid deployments, hardware sourcing and distribution, user onboarding, conditional access, Linux, and much, much more.
While there are admittedly a lot of moving parts, we at Keytos strive to make things as smooth as possible for all businesses. Feel free to reference our docs for step-by-step instructions on how you can easily implement passwordless authentication for your organization using EZCMS. Trust us (or don’t…), once you go passwordless, you’ll never look back! We’ve been fully passwordless for over 2 years, and we absolutely love it! It’s not often that you can simultaneously reduce your cyber risk while saving your organization money. Schedule time to speak to one of our experts and get on the road to zero trust today!