Report: Key controls linked to decreased risk of cyber incidents

New research by Marsh McLennan has revealed a direct link between key cybersecurity controls and a reduced chance of cyber incidents. 

The report found that evaluating the relative effectiveness of each cybersecurity control enables organizations to allocate resources to those that provide the best protection, which allows them to better position their risk with insurers, while also helping them build their cyber resilience more confidently. 

Automated hardening techniques were found to have the greatest ability to decrease the likelihood of a successful cyberattack. 

According to the report, organizations that use such techniques, which apply baseline security configurations to system components like servers and operating systems, are nearly six times less likely to have a cyber incident than those that do not.  

Marsh McLennan stated that this finding was particularly surprising, given that the three controls most frequently recommended by insurers have been endpoint detection and response (EDR), multifactor authentication (MFA) and privileged access management (PAM). 

The analysis also showed that MFA only works when it is in place for all critical and sensitive data, all remote login access, and administrator account access. Organizations with such broad implementation are 1.4 times less likely to experience a successful cyberattack than those that do not, the report noted. 

Meanwhile, patching high severity vulnerabilities across the enterprise within seven days of the patch’s release was deemed the fourth most effective control. It was found to decrease an organization's probability of experiencing a cyber event by a factor of two. However, it has the lowest implementation rate among organizations studied, at only 24%. 

For the report, Marsh McLennan paired its proprietary dataset of cyber claims with results from Marsh Cybersecurity Self-Assessment (CSA) questionnaires to calculate and assign a “signal strength” to each control. 

It specifically focused on the cyber capabilities, tools and implementation techniques that fell within the 12 key control categories commonly required by cyber insurers. 

Among these, the top five controls determined to be most effective were: hardening techniques, privileged access management, endpoint detection and response, logging and monitoring, and patched systems.