Reinsurance News

Marsh McLennan research links cybersecurity controls and reduced cyber risk

12th April 2023 - Author: Kassandra Jimenez-Sanchez

Automated hardening techniques have the greatest ability to decrease the likelihood of a successful cyberattack, recent research by global brokerage Marsh McLennan has revealed.

The broker’s report – titled Using data to prioritise cybersecurity investments – found that key cybersecurity controls commonly required by cyber insurers are linked to a reduced chance of a cyber incident.

This means that now, by assessing the relative effectiveness of each control, organisations could allocate resources towards those that provide the best protection, better position their risk with insurers, and build their cyber resiliency more confidently.

Marsh McLennan analysts said: “Automated hardening techniques were found, by a wide margin, to have the greatest ability of any control studied to decrease the likelihood of a successful cyberattack.

“Organisations with such techniques in place, which apply baseline security configurations to system components like servers and operating systems, are nearly six times less likely to have a cyber incident than those that do not.”

The broker describes these findings as “surprising”, given that until now, the three controls most frequently recommended by insurers have been endpoint detection and response (EDR), multifactor authentication (MFA), and privileged access management (PAM).

The analysis also shows that MFA, long a staple among cybersecurity tools and recommendations, only works when it is in place for all critical and sensitive data, for all remote login access, and for administrator account access.

It noted that organisations with such broad implementation are 1.4 times less likely to experience a successful cyberattack than those without it.

In addition, the report found that patching high severity vulnerabilities across the enterprise within seven days of the patch’s release ties as the fourth most effective control – decreasing an organisation’s probability of experiencing a cyber event by a factor of two, yet it has the lowest implementation rate among organisations studied, at only 24%.

Tom Reagan, US and Canada Cyber Practice Leader, Marsh, said: “All of the key controls in our study are well-known best practices, commonly required by underwriters to obtain cyber insurance. However, many organisations are unsure which controls to adopt and rely on expert opinions rather than data to make decisions.

“Our research provides organisations the data they need to more effectively direct cybersecurity investments, which in turn, helps favourably position them during the cyber insurance underwriting process. It is another step toward building not only a more resilient cyber insurance market, but also a more cyber resilient economy.”

For the report, Marsh McLennan paired its extensive proprietary dataset of cyber claims with the results from Marsh Cybersecurity Self-Assessment (CSA) questionnaires, which are composed of hundreds of questions and responses from individual organisations.

Based on the correlation, data scientists calculated and assigned a “signal strength” to each control. The higher the signal strength, the greater the impact the control has on decreasing the likelihood of an event, the broker explained.

Among the hundreds of cyber capabilities, tools, and implementation techniques analysed and measured, the report focuses only on those falling within the 12 key control categories commonly required by cyber insurers.

Hardening techniques topped the list of the five controls the report determined were the most effective at reducing cyber risk, followed by privileged access management, endpoint detection and response, logging and monitoring, and patched systems.

The broker stated that additional insights from the research will be used as part of a forthcoming cyber event attritional loss model from Marsh McLennan that will inform insureds of potential losses they could suffer, and the potential savings benefit from increasing their cybersecurity posture.

Scott Stransky, who leads the Marsh McLennan enterprise-wide resource, said: “Marsh McLennan launched the Cyber Risk Analytics Centre in late 2021 with the goal of helping organisations make smarter investments in the ways they identify, prepare for, and recover from cyber risk.

“This groundbreaking report will be indispensable to Marsh McLennan clients as we work together to build society’s resilience to this critical and costly risk.”