Toby's Take

Identity has been a trending topic for security for some time now, whether it’s in looking to get a Privileged Access Management project off the ground, implementing best-practice password policies, or a full-blown review of Identity Governance. What is most interesting right now is the amount of conversation on this subject being driven by cyber insurance mandates. These insurance criteria commonly require MFA as a bare minimum, but specifically focus on those accounts with privilege, or access, to critical and sensitive systems.


What does this mean? Will you be refused cyber insurance?

I have seen several organisations that have had rigid, and imminent, time pressures put on them by their cyber insurers to mitigate the assumed risk that the lack of these controls poses to their businesses. From here, organisations (perhaps like yours) tend to go one of two ways:

  • Address the immediate requirement and satisfy this by implementing an MFA solution (of which there are dozens) to improve defences at the point of access for your admin users.
  • Read between the lines of the insurance criteria and use this as an opportunity to generate a keen interest from the business in implementing PAM tooling to better control access, credentials, auditing and recording of privileged sessions.

Both are valid decisions whereby the outcome to the business is that cyber insurance is approved, and security is improved along the way. However, I would usually argue that option 1 avoids the bigger risk of privileged user access and is frequently referred to as a ‘box ticking exercise’ (in this case, quite literally ticking the box for the cyber insurance requirement…).

One of the best things about modern PAM tools is how they accommodate a phased approach; it’s not all about the big bang. Take this cyber insurance MFA requirement: why not start with MFA and use of a PAM platform for access to critical systems? From there, you can push these same controls out to less critical systems and less privileged users, whilst building on your own identity security maturity (try saying that three times fast!). The point here is to build a programme, a project roadmap, that suits you and accelerates at a pace you’re happy with, while allowing for future growth. Therein lies the danger of simply ticking the MFA box: there’s little room for growth. Take a step back, take in the view, and let’s build the path that’s right for your organisation.

How can Bytes Help?

Bytes can assist in multiple ways, including:

  • Workshops: our security team run a multitude of these to cover all core areas of security. If you have a project on the horizon that you would value independent advice on, get in touch.
  • Specialist resources: we have an ever-growing security team, dedicated to helping you overcome the latest security challenges.
  • Technology: hand-picked, best-of-breed technologies with a proven track record covering all core areas of security.

If you would like to find out more about any of the above, please reach out to [email protected] or give us a call on 01372 418500.

Toby Noble

Security Business Manager

Bytes