Increases in Cyber Attacks Make Cyber-Resilience Controls a Must

As cyber attacks grow more common and more costly—and as insurers grow increasingly cautious in taking on cyber risks—it's becoming increasingly essential that organizations take steps to improve their cyber security.

While there are risk controls organizations can implement to help better manage their risks, some are finding it difficult to adopt them, a new report from Marsh suggests.

Though the controls have been considered best practices for several years, many organizations have been unable to justify the cost of implementing them, Marsh says. In other cases, organizations failed to deploy them comprehensively or simply didn't recognize the value of the controls.

"In many regulated industries where cyber-resilience controls have been required for years, the effort was often more about checking a box than enhancing security," Marsh says.

Marsh notes that the increase in cyber attacks—and subsequent insurance claims—allowed insurers to become well acquainted with cyber controls and steps organizations can take to enhance cyber resilience. As those insurers have faced greater losses, they've tightened underwriting terms and are more closely scrutinizing cyber-insurance applications, asking more questions about applicants' cyber-operating environments and the extent of their risk controls.

"The adoption of certain controls has now become a minimum requirement of insurers, with organizations' potential insurability on the line," Marsh says. "Organizations are undoubtedly placing more emphasis on controls than ever before to help mitigate their ransomware risks and improve their overall cyber-security position and resilience."

In its March 2022 report, titled Cyber Resilience: Twelve Key Controls To Strengthen Your Cyber Security, Marsh outlines a number of essential cyber-security controls organizations can employ to manage cyber risks and better position themselves as they transfer risks to cyber insurers.

Multifactor Authentication (MFA) for Remote Access and Privileged or Administrator Access

Marsh explains that MFA is an additional log-in security layer verifying the identity of a user seeking access to a computer resource. The user must provide two or more pieces of evidence in order to gain access.

The Marsh report notes that with cyber incidents frequently starting with compromised user credentials, MFA is an essential part of a strong identity access management strategy, preventing unauthorized access to computer systems.

"MFA should be enabled in all systems, applications, and accounts that are accessible remotely, for all access by privileged and administrative users, and for all access to critical or sensitive data," the Marsh report says.

Email Filtering and Web Security

Email filtering software scans inbound or outbound emails for undesired content, the Marsh report says. That content can range from less harmful spam emails to phishing emails that pose serious cyber-security threats.

Detected emails are automatically filtered out, never reaching the user, or are flagged, making the user aware of their potentially malicious or unwanted content.

"Web and email filtering is seen as a 'first line of defense' in defending against email- or web-browsing-related cyber attacks, even before the users—the 'second line of defense'—can fall victim to a phishing attack or enter websites with malicious content," the Marsh report says.

Secured, Encrypted, and Tested Backups

"Secure, available, and accurate backups are essential to ensure business resilience," the Marsh report says. "Backups should be secured, preferably by isolating them from the network, or by implementing multifactor controlled access and encryption. Regular testing is also critical to enhance the integrity and availability of data."

Viable backups allow organizations to recover more quickly from attacks, Marsh says. Regular testing of those backups is essential, the report notes, and can provide valuable insights into the restoration process.

Privileged Access Management (PAM)

Privileged access management offers elevated levels of access to protect accounts, credentials, and operations. Privileged access can allow security or maintenance functions, system- or application-wide configuration changes, and the bypassing of established security controls through "super user" access, Marsh says.

Marsh notes that PAM tools run on the principle of "least privilege," meaning users only receive the minimal level of access required to perform their job functions.

"Components within a typical PAM solution monitor sessions that are used by administrator accounts and generate alerts for any anomalous session usage," the Marsh report says. "Anomalies may include an account trying to access areas outside of its responsibility domain or outside of its window of operations."

Endpoint Detection and Response (EDR)

Endpoint detection and response focuses on threat detection and response at endpoints—remote devices such as desktops, laptops, mobile phones, servers, or the Internet of Things—that communicate with an internal network, Marsh says.

"As endpoints are the entry points for virtually any type of malicious attack on a network, their monitoring is vital to detect and stop a strike before it spreads to the wider internal network," the report says. "An EDR solution continuously monitors endpoints, collects data from devices, and provides a response based on defined rules."

The Marsh report suggests that monitoring endpoints is critical to detecting and stopping attacks before they spread to wider internal networks.

Patch and Vulnerability Management

Vulnerability management identifies vulnerabilities in software and hardware likely to be used by attackers to gain a platform from which to compromise a network, Marsh says. Meanwhile, patch management is the systematic notification, identification, deployment, installation, and verification of an operating system and application of software code revisions, known as "patches."

"Not all vulnerabilities have related patches. Therefore, a proper vulnerability management process will consider other methods of remediation, or temporary workarounds—such as software configuration change and employee training—to limit or isolate the exposure," the Marsh report says.

"A proper patch and vulnerability management function will reduce, or eliminate, the potential for exploitation and involve considerably less time, effort, and money than the response following an exploitation," Marsh says.

Incident Response Plans

According to Marsh, incident response plans document a predetermined set of instructions or procedures to detect, respond to, and limit the impact of a cyber attack. Such response plans must be aligned with an information technology disaster recovery plan and the organization's business continuity plans.

Because incident response only functions smoothly when all relevant stakeholders are familiar with the plan, regular testing of the plan is essential, Marsh says.

"An up-to-date incident response plan and a trained team provide efficiency, speed, and quality in response to cyber incidents," Marsh says.

Cyber-Security Awareness Training and Phishing Testing

Cyber-security awareness training can educate employees on cyber risks and threats, helping them recognize various types of attacks and equipping them to protect themselves and the organization, Marsh says.

A component of that training is phishing testing, which simulates phishing attacks and tests the effectiveness of the security training by evaluating employees' reactions to realistic phishing-type emails, the Marsh report says.

"In order to establish a secure culture, make people part of the cyber-security program, comply with regulations, and ultimately protect an organization from the impacts of a possible cyber incident, cyber-security awareness training and phishing testing have become extremely important," Marsh says.

Remote Desktop Protocol Mitigation and Other Hardening Techniques

The Marsh report explains that hardening involves applying security configurations to system components such as servers, applications, operating systems, databases, and security and network devices that are in keeping with best practices.

"Through hardening techniques, companies can minimize their attack surface by disabling unused or insecure services, mitigating vulnerabilities, and improving weak configurations that could be used by malicious actors to compromise their systems," Marsh says.

Logging and Monitoring

Strong logging and monitoring capabilities can help organizations react to cyber attacks in a timely fashion by enabling them to identify any suspicious activity on the network, Marsh says. Such capabilities require specific knowledge, tools, and processes to be able to detect malicious activity.

"The current global threat landscape requires companies not only to implement a set of controls in order to protect their organizations from a cyber attack but also to identify any suspicious activity that may indicate a potential attack in progress in a timely manner and that could trigger a cyber-incident response plan," the Marsh report says.

Replacement or Protection of End-of-Life Systems

End-of-life or end-of-support products are those that have reached the end of their life cycles and are no longer updated by their creators or vendors, Marsh says. "These products create risk because patches and other forms of security support are no longer offered by the vendor," the Marsh report says. "Once the technology is unsupported, it will be exposed to unfixable vulnerabilities."

Cyber criminals can exploit vulnerabilities in unpatched systems, Marsh notes. "The only fully effective way to mitigate this risk is to stop using the obsolete product and replace or upgrade it with a newer solution that continues to provide support," Marsh says. If that's not possible, those systems must be protected by other means, such as restricting access to them, ensuring that they're not connected to the Internet, and isolating them from other systems.

Digital Supply Chain Cyber-Risk Management

The digital supply chain presents a growing cyber-risk challenge, Marsh says. Digital suppliers can offer ideal entry points for cyber criminals into companies and their sensitive data.

"By successfully breaching a vulnerability within one single digital supplier, cyber criminals can gain access to a multitude of their clients' networks and devices," Marsh says. "A robust framework for managing digital supply chain cyber risk is required," Marsh says.

Taking Steps Toward Prevention and Response

Organizations implementing such controls can either prevent or be equipped to respond to cyber attacks, the Marsh report says.

"Given the current cyber landscape and the increasing threat to every organization, cyber resiliency can no longer be an afterthought or tick-the-box exercise—it has become a minimum requirement," Marsh says.