Contact center specialist Afni reduces cyber insurance premiums by 30% with YubiKeys
Protect against targeted cyber attacks with phishing-resistant MFA
Customer engagement specialist Afni strengthens cybersecurity program with phishing-resistant MFA
Headquartered in Bloomington, Illinois, Afni has been in the business of customer engagement since 1936, building on its history in collections and insurance subrogation to include more comprehensive inbound, outbound, and digital channel services around the world. Afni’s service offerings cover the entire lifecycle of a customer relationship from sales and growth to customer care and retention. As with any business process outsourcing company, Afni is increasingly targeted with sophisticated attacks because of its role as a valued supply chain partner to other organizations, with access to customer data, including systems in telecommunications, insurance, and healthcare. As a result, Afni is constantly re-evaluating its cybersecurity programs to maintain customer trust.
A little over a year ago, Afni appointed Brent Deterding as their new Chief Information Security Officer (CISO) because he brings nearly 20 years’ experience with a leading cybersecurity organization in areas of threat detection, incident response and security strategy. Working closely with the CEO, Deterding’s approach to risk reduction is to focus on doing the simplest but most impactful things as early as possible to “catch the bad guys early in the kill chain.” For any organization, suggests Deterding, that should begin with multi-factor authentication (MFA).
Afni was already doing a lot of great things in its security program, including the deployment of MFA for almost all of its 10,000 global employees—but targeted phishing attacks continued to be a problem. Within his first three weeks at Afni, Deterding prioritized 100% adoption of MFA. Next, Deterding targeted the replacement of legacy authentication methods.
Legacy authentication such as mobile-based MFA introduces risk when users become conditioned to hitting ‘approve’ for every request to authenticate (MFA fatigue) or are tricked by attacker-in-the-middle (AiTM) phishing attacks. However, the fault for these risks lies not with the user, but with legacy authentication. When it came time to replace legacy authentication, Afni knew that security keys delivered phishing-resistant MFA—and were immune to attackers intercepting or tricking users into revealing information.
The YubiKey is a modern, FIDO-based hardware security key that enables phishing-resistant MFA and passwordless authentication at scale. As the only solution proven to stop 100% of account takeovers in independent research, the YubiKey offers strong authentication with a fast and easy user experience and addresses the compliance needs of highly regulated data. Further, the YubiKey reduces risk associated with new ways of working that involve remote or hybrid work environments.
“With every user having a YubiKey, I don’t have to worry about leakage of credentials,” continues Deterding. “That’s a very, very good place to be as a CISO.”
Cost-effectively meeting new cyber insurance requirements with YubiKeys
A key driver for Afni to consider phishing-resistant MFA with YubiKeys was the evolving cyber insurance landscape and requirements. The increased volume and severity of cyber incidents had led to increased cyber insurance premiums, as well as new sub-limits and exclusions. As insurers better attempted to quantify and control for loss, no longer were passwords acceptable to qualify for cyber insurance. Increasingly, moving beyond passwords towards adopting MFA has become table stakes to qualify for cyber insurance.
In quoting for cyber insurance renewal, Deterding put together a presentation for a group of underwriters that painted the new picture of risk at Afni. In it, he listed 100% MFA coverage, modernizing MFA with YubiKeys to 100% of employees, 100% device posture management through Microsoft endpoint access, 100% endpoint detection and response coverage, and all external vulnerabilities patched within 72 hours—the four pillars of Deterding’s comprehensive “catch the bad guys early” program. While not a comprehensive representation of all the efforts at Afni, these four pillars demonstrated a comprehensive reduction in risk.
In a market where premiums have been on the rise, not only did Afni secure coverage, but the underwriters were also willing to compete on price. “In the end, Afni received insurance at a 30% decrease from its previous level. When I’m going down by a third and others are going up by 20% or higher, that’s a really big win,” notes Deterding. “In fact, I estimate our premiums are nearly half of what others are having to pay.”
“I am all about making the adoption of technology as easy as possible. If I can hit the easy button using YubiKeys and also using their subscription model to ensure all my users have YubiKeys, that is a big win for me!”
Accelerated adoption of phishing-resistant MFA at scale with YubiKeys as a Service
The imperative for phishing-resistant MFA with YubiKeys was clear. Therefore, Afni devised an efficient deployment strategy to set the company and its users up for success. It chose to phase its YubiKey deployment, first to employees who had access to Microsoft solutions or elevated access to systems and customer data, and then to its global call center agents.
With a global network of operations centers and a large remote workforce, Afni wanted the flexibility of YubiEnterprise Subscription, a YubiKey as a Service subscription model that reduces the cost to entry, increases flexibility and helps accelerate the planned rollouts. Thanks to entitlements for replacement keys to cover business churn and the low-cost subscription model, Afni is able to remain agile to accommodate employee turnover or lost/stolen keys without any onerous serial tracking.
From start to finish, the goal was to ship out and enroll YubiKey 5C NFCs to both user groups with the first group by the end of 2022 and the second phase in 2023. The first phase of deployment helped refine processes and smooth things out around distribution, user training, key enrollment and use. Positive feedback was an enabler of wide user adoption.
To stick with the theme of “easy,” employee onboarding not only stressed the security benefits of the YubiKey, or that legacy authentication methods would be phased out, but also that work would be faster and easier. “Instead of a long password that you forget sometimes, you type in a four number PIN and touch the YubiKey,” shares Deterding, “It’s quick and easy. The feedback has been very positive.”
Moving forward, Afni hopes to improve the employee experience even more by removing the need to change application passwords or removing passwords altogether. Furthermore, every employee is encouraged to use their YubiKey for their personal accounts to help build secure habits and goodwill. “We’re helping employees be more secure in their personal lives as well as work, which benefits everyone.”
The YubiEnterprise Subscription advantages made sense to Deterding, as he looked at the turnover rates of his production employees, who mainly engaged with customers in call centers around the globe. “I am used to subscription offerings in the cloud and YubiEnterprise Subscription has some helpful benefits that just made sense for our needs.”
“A security key is the ‘Gold Standard’ for authentication, something you physically have. For me, the YubiKey was the only choice. I didn’t look elsewhere.”
Microsoft and YubiKeys work seamlessly together to reinforce security policies
The YubiKey is natively supported by Microsoft, enabling easy and secure access to OneDrive, SharePoint and Office365 for all non-production office workers. The YubiKey also secures remote access with phishing-resistant MFA for VPN remote workers.
After the effort to get users beyond passwords to MFA, and on the path to raising the bar for security with 100% phishing-resistant MFA with the YubiKey, the next step for Afni was to enforce new MFA standards by deprecating legacy authentication and only allowing YubiKeys. Afni took advantage of Microsoft Azure AD’s new conditional access features to enforce YubiKey usage for all required applications. Deterding shared a lesson learned: he should have enforced YubiKey use for registered users right out of the gate, rather than providing a transition period.
“The fact that I can ensure identity with a physical YubiKey, even for remote workers, is very beneficial for my efforts to reduce risk at Afni.”
Executive support and a trustworthy partner
Deterding’s vision would not be possible without wide executive buy-in, especially with Afni CIO Mike Schwermin. Mike is a 20-year veteran in the BPO industry and a demonstrated leader in delivering next-generation solutions for Afni. “I’m grateful for the extraordinary support of our efforts in increasing our cyber security from our executive team. Mike and I are in lockstep on enabling Afni to strengthen our security practices.”
Taking its security seriously and being transparent about its security practices has helped establish Afni as a trustworthy supply chain partner. Further, Afni has found that it has the same roadmap as many of its call center clients who were already deploying YubiKeys.