Marsh McLennan (NYSE: MMC), the world’s leading professional services firm in the areas of risk, strategy and people, today released a report from its Cyber Risk Analytics Center that directly links key cybersecurity controls commonly required by cyber insurers to a reduced chance of a cyber incident. By assessing the relative effectiveness of each control, organizations are now able to allocate resources towards those that provide the best protection, better position their risk with insurers, and build their cyber resiliency more confidently.
According to the report, Using data to prioritize cybersecurity investments, automated hardening techniques were found, by a wide margin, to have the greatest ability of any control studied to decrease the likelihood of a successful cyberattack. Organizations with such techniques in place, which apply baseline security configurations to system components like servers and operating systems, are nearly six times less likely to have a cyber incident than those that do not.
The finding is surprising, the report notes, given that until now, the three controls most frequently recommended by insurers have been endpoint detection and response (EDR), multifactor authentication (MFA), and privileged access management (PAM).
The analysis also shows that MFA, long a staple among cybersecurity tools and recommendations, only works when it is in place for all critical and sensitive data, for all remote login access, and for administrator account access. Organizations with such broad implementation are 1.4 times less likely to experience a successful cyberattack than those that do not.
Additionally, patching high severity vulnerabilities across the enterprise within seven days of the patch’s release ties as the fourth most effective control – decreasing an organization’s probability of experiencing a cyber event by a factor of 2, yet it is has the lowest implementation rate among organizations studied, at only 24%, the report found.
“All of the key controls in our study are well-known best practices, commonly required by underwriters to obtain cyber insurance. However, many organizations are unsure which controls to adopt and rely on expert opinions rather than data to make decisions,” said Tom Reagan, US and Canada Cyber Practice Leader, Marsh. “Our research provides organizations the data they need to more effectively direct cybersecurity investments, which in turn, helps favorably position them during the cyber insurance underwriting process. It is another step toward building not only a more resilient cyber insurance market, but also a more cyber resilient economy.”
For the report, Marsh McLennan paired its extensive proprietary dataset of cyber claims with the results from Marsh Cybersecurity Self-Assessment (CSA) questionnaires, which are composed of hundreds of questions and responses from individual organizations. Based on the correlation, data scientists calculated and assigned a “signal strength” to each control. The higher the signal strength, the greater the impact the control has on decreasing the likelihood of an event.
Among the hundreds of cyber capabilities, tools, and implementation techniques analyzed and measured, the report focuses only on those falling within the 12 key control categories commonly required by cyber insurers. Among those, the top five controls determined most effective are:
| Key control category | Signal strength |
| Hardening techniquesSystem configuration management tools, such as active directory group policy, which enforce and redeploy configuration settings to systems | 5.58 |
| Privileged access managementManaging desktop or local administrator privileges via endpoint privilege management (EPM) | 2.92 |
| Endpoint detection and responseOperating advanced endpoint security | 2.23 |
| Logging and monitoringOperating a security operations center (SOC) and/or having an outsourced managed security service provider (MSSP) with the following capabilities at a minimum: a. Established incident alert thresholds b. Security incident and event management (SIEM) monitoring and alerting for unauthorized access connections, devices and software | 2.19 |
| Patched systemsPatching common vulnerability scoring system (CVSS) v3 high severity 7.0-8.9 vulnerabilities across the enterprise within 7 calendar days of release | 2.19 |
Additional insights from the research will be used as part of a forthcoming cyber event attritional loss model from Marsh McLennan that will inform insureds of potential losses they could suffer, and the potential savings benefit from increasing their cybersecurity posture.
“Marsh McLennan launched the Cyber Risk Analytics Center in late 2021 with the goal of helping organizations make smarter investments in the ways they identify, prepare for, and recover from cyber risk,” said Scott Stransky, who leads the Marsh McLennan enterprise-wide resource. “This groundbreaking report will be indispensable to Marsh McLennan clients as we work together to build society’s resilience to this critical and costly risk.”
Visit AITechPark for cutting-edge Tech Trends around AI, ML, Cybersecurity, along with AITech News, and timely updates from industry professionals!
