New analysis reveals which cybersecurity controls are most effective in reducing cyber risk across an organisation

What happened?

New research from Marsh McLennan has assessed the effectiveness of key cybersecurity controls to determine which ones are most effective in reducing cyber threats.

What does it mean for risk managers?

The research gives risk managers data that can help them more effectively direct cybersecurity investments within their organisation. 

Improving their cyber risk protection can also help favourably position the company during the cyber insurance underwriting process, reducing premiums.

Key controls to consider

The research found that automated hardening techniques have the greatest ability of any control studied to decrease the likelihood of a successful cyberattack, by a considerable margin.

Automated hardening applies baseline security configurations to system components like servers and operating systems. Organisations with these techniques in place are nearly six times less likely to have a cyber incident than those that do not.

The analysis also shows that multifactor authentication (MFA), a staple among cybersecurity tools and recommendations, only works when it is in place for all critical and sensitive data, for all remote login access, and for administrator account access.

However, firms that have broad MFA implementation are 1.4 times less likely to experience a successful cyberattack than those that do not.

Patching high-severity vulnerabilities across the enterprise within seven days of the patch’s release tied in fourth place for the most effective control – decreasing an organisation’s probability of experiencing a cyber event by a factor of two.

Despite this, patching has the lowest implementation rate among the businesses studied, at only 24%.

To calculate the results, Marsh McLennan paired its extensive dataset of cyber claims with the results from its Cybersecurity Self-Assessment (CSA) questionnaires, which are composed of hundreds of questions and responses from individual companies.

Based on the correlation, data scientists calculated and assigned a “signal strength” to each control. The higher the signal strength, the greater the impact the control has on decreasing the likelihood of an event.
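The pairing described above, as an added illustration that is not Marsh McLennan's code: constructed CSA-style answers are joined to a constructed claims set, and for each control the incident rate with and without it gives the "N times less likely" figures the article reports. The report does not define how "signal strength" is derived, so the likelihood ratio used here is an assumption standing in for it.

```python
# Added illustration (not Marsh McLennan's code). Joins constructed CSA
# questionnaire answers with a constructed claims set and computes, per
# control, how many times less likely a claim is when the control is in place.
# The page does not define "signal strength"; this ratio is an assumed stand-in.
from collections import defaultdict

# Constructed CSA responses: company -> {control: implemented?}
CSA_RESPONSES = {
    "co1": {"hardening": True,  "mfa_broad": True,  "patch_7d": False, "edr": True},
    "co2": {"hardening": False, "mfa_broad": False, "patch_7d": False, "edr": False},
    "co3": {"hardening": False, "mfa_broad": True,  "patch_7d": True,  "edr": False},
    "co4": {"hardening": False, "mfa_broad": True,  "patch_7d": False, "edr": False},
    "co5": {"hardening": False, "mfa_broad": False, "patch_7d": False, "edr": False},
    "co6": {"hardening": True,  "mfa_broad": True,  "patch_7d": True,  "edr": True},
    "co7": {"hardening": True,  "mfa_broad": False, "patch_7d": False, "edr": False},
}
# Constructed claims dataset: companies that filed a cyber claim
CLAIMS = {"co2", "co3", "co4", "co5", "co7"}

def incident_rates(responses, claims):
    """Return {control: (rate_with, rate_without)}; rate = claims / companies."""
    counts = defaultdict(lambda: {True: [0, 0], False: [0, 0]})  # [claims, total]
    for company, answers in responses.items():
        had_claim = company in claims
        for control, implemented in answers.items():
            bucket = counts[control][implemented]
            bucket[0] += had_claim
            bucket[1] += 1
    rates = {}
    for control, buckets in counts.items():
        with_c = buckets[True][0] / buckets[True][1] if buckets[True][1] else None
        without_c = buckets[False][0] / buckets[False][1] if buckets[False][1] else None
        rates[control] = (with_c, without_c)
    return rates

def likelihood_ratio(rates, control):
    """How many times less likely a claim is with the control in place."""
    with_c, without_c = rates[control]
    if with_c is None or without_c is None or with_c == 0:
        return None  # one side empty or zero claims: no ratio can be stated
    return round(without_c / with_c, 2)

def rank_controls(rates):
    """Controls ordered from strongest to weakest effect, skipping undecidable ones."""
    ranked = [(c, likelihood_ratio(rates, c)) for c in rates]
    return sorted([(c, r) for c, r in ranked if r is not None],
                  key=lambda cr: cr[1], reverse=True)
```

With so few constructed rows the "edr" control has no claims among implementers, which is why the ranking drops it rather than reporting an infinite effect; the real study's hundreds of questions and claims avoid that sparsity.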

From the hundreds of cyber capabilities, tools, and implementation techniques analysed and measured, the report focuses only on those falling within the control categories commonly required by cyber insurers.

Among those, the top ten controls determined most effective are:

    • Hardening techniques (signal strength 5.58): system configuration management tools, such as Active Directory Group Policy, which enforce and redeploy configuration settings to systems.
    • Privileged access management (PAM) (signal strength 2.92): management of local administrator privileges via endpoint privilege management (EPM).
    • Endpoint detection and response (signal strength 2.23): operating advanced endpoint security.
    • Logging and monitoring (signal strength 2.19): operating a security operations centre (SOC) and/or having an outsourced managed security service provider (MSSP) with, at a minimum, the following capabilities: a) established incident alert thresholds; b) security information and event management (SIEM) monitoring and alerting for authorised access connections, devices and software.
    • Patched systems (signal strength 2.19): patching Common Vulnerability Scoring System (CVSS) v3 high-severity (7.0-8.9) vulnerabilities across the enterprise within seven calendar days of release.
    • Cybersecurity training (signal strength 1.76): conducting internal phishing campaigns at least annually.
    • Endpoint detection and response (signal strength 1.67): network intrusion detection/prevention systems (IDPS).
    • Patched systems (signal strength 1.57): patching CVSS v3 critical-severity (9.0-10.0) vulnerabilities across the enterprise within seven calendar days of release.
    • Email filtering (signal strength 1.56): email attachments are evaluated in a sandbox to determine whether they are malicious prior to delivery.
    • Logging and monitoring (signal strength 1.56): in addition to the capabilities above, the SOC/MSSP capabilities include, but are not limited to: a) 24x7 operations; b) a mix of signature- and heuristic-based detection; c) incident response, containment and remediation capabilities; d) active threat intelligence and analytics delivering rapid alerts/notifications and/or countermeasures; e) continuously improved processes.
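The two "patched systems" controls in the list are precise enough to be checked mechanically: CVSS v3 high (7.0-8.9) and critical (9.0-10.0) findings, each remediated within seven calendar days of the patch's release. The following is an added example, not code from the report, that scores constructed vulnerability findings against exactly that definition.

```python
# Added example (not from the report): checks the two patching controls the
# list defines, using CVSS v3 bands and a seven-calendar-day window from
# patch release. Vulnerability findings below are constructed for illustration.
from datetime import date, timedelta

SLA_DAYS = 7  # seven calendar days from release, as the controls are worded

def cvss_band(score):
    """Map a CVSS v3 base score to the band a control applies to, or None."""
    if 9.0 <= score <= 10.0:
        return "critical"
    if 7.0 <= score < 9.0:
        return "high"
    return None

def patch_status(record, as_of):
    """'met', 'missed', or 'open' (unfixed but still inside the window)."""
    deadline = record["released"] + timedelta(days=SLA_DAYS)
    fixed = record.get("remediated")
    if fixed is not None:
        return "met" if fixed <= deadline else "missed"
    return "missed" if as_of > deadline else "open"

def sla_compliance(records, as_of):
    """Per band: share of findings with a decided outcome that met the SLA."""
    tally = {"high": [0, 0], "critical": [0, 0]}  # [met, decided]
    for rec in records:
        band = cvss_band(rec["cvss"])
        if band is None:
            continue  # medium/low findings fall outside both controls
        status = patch_status(rec, as_of)
        if status == "open":
            continue  # window not yet elapsed: neither met nor missed
        tally[band][1] += 1
        tally[band][0] += status == "met"
    return {b: (met / n if n else None) for b, (met, n) in tally.items()}

# Constructed findings: CVSS score, vendor release date, date fixed (None = open)
FINDINGS = [
    {"id": "v1", "cvss": 9.8, "released": date(2024, 3, 1), "remediated": date(2024, 3, 5)},
    {"id": "v2", "cvss": 9.1, "released": date(2024, 3, 1), "remediated": date(2024, 3, 20)},
    {"id": "v3", "cvss": 7.5, "released": date(2024, 3, 10), "remediated": date(2024, 3, 17)},
    {"id": "v4", "cvss": 8.8, "released": date(2024, 3, 10), "remediated": date(2024, 3, 16)},
    {"id": "v5", "cvss": 7.2, "released": date(2024, 3, 28), "remediated": None},
    {"id": "v6", "cvss": 5.3, "released": date(2024, 3, 1), "remediated": None},
    {"id": "v7", "cvss": 7.8, "released": date(2024, 3, 1), "remediated": None},
]
AS_OF = date(2024, 3, 30)  # constructed reporting date
```

A finding fixed on the deadline day itself counts as met, and an unfixed finding only counts as missed once the window has elapsed, so a report run mid-window does not penalise patches that are still on schedule.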

What next?

The adoption of cybersecurity controls is increasingly a minimum requirement for risk managers looking to secure cyber coverage.

This means that those firms without the right protections in place could find they’re uninsurable or that premiums escalate and become prohibitive.

Despite this, while an array of cybersecurity controls has been established as critical for years, many organisations are unsure which ones to adopt, leading to delays.

Prioritising can help inform how your organisation allocates limited budgets, ensuring that resources go where they will provide effective protection.

Marsh McLennan says its data can help risk managers navigate the variety of tools and techniques available. Tom Reagan, US and Canada Cyber Practice Leader, said: “All of the key controls in our study are well-known best practices, commonly required by underwriters to obtain cyber insurance.

“However, many organisations… rely on expert opinions rather than data to make decisions… [Our research] is another step toward building not only a more resilient cyber insurance market but also a more cyber resilient economy.”