{"id":626146,"date":"2023-04-06T09:50:11","date_gmt":"2023-04-06T14:50:11","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/04\/06\/prioritise-automated-hardening-over-traditional-cyber-controls-says-report\/"},"modified":"2023-04-06T09:50:11","modified_gmt":"2023-04-06T14:50:11","slug":"prioritise-automated-hardening-over-traditional-cyber-controls-says-report","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/04\/06\/prioritise-automated-hardening-over-traditional-cyber-controls-says-report\/","title":{"rendered":"Prioritise automated hardening over traditional cyber controls, says report"},"content":{"rendered":"<div>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/visuals\/German\/article\/data-analysis-business-2-adobe_searchsitetablet_520X173.jpg\" data-credit=\"Vasily Merkushev - stock.adobe.c\"  width=\"520\" height=\"173\" alt><\/p>\n<p>Vasily Merkushev &#8211; stock.adobe.c<\/p>\n<\/div>\n<div id=\"content-header\">\n<h2>A report from strategic risk specialist Marsh McLennan advises security buyers to funnel their budgets towards automated cyber security hardening techniques, saying they have a much better chance of reducing risk in a meaningful way<\/h2>\n<\/div>\n<div id=\"content-center\">\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"Alex Scroxton\">\n\t\t\t\t\t<\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"https:\/\/www.techtarget.com\/contributor\/Alex-Scroxton\">Alex Scroxton,<\/a><br \/>\n\t\t\t\t\t\t<span>Security Editor<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n<p>\n\tPublished: <span>06 Apr 2023 13:39<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p><a 
href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/endpoint-detection-and-response-EDR\">Endpoint detection and response<\/a> (EDR), <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/multifactor-authentication-MFA\">multifactor authentication<\/a> (MFA) and <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/privileged-access-management-PAM\">privileged access management<\/a> (PAM) have long been the three tools most commonly required by cyber insurers when issuing policies, but a report compiled by the Cyber Risk Analytics Centre at professional services firm <a href=\"https:\/\/www.marshmclennan.com\/\">Marsh McLennan<\/a> suggests that automated hardening techniques are more effective than traditional tools by some margin.<\/p>\n<p>The report directly links the key cyber controls that insurers demand are put in place prior to issuing a policy to a reduced chance of a cyber incident, and by assessing the relative effectiveness of each, Marsh McLennan\u2019s analysts believe organisations can better allocate their scarce resources to the most effective tools, <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/365533533\/Cyber-insurance-carriers-expanding-role-in-incident-response\">better position their risk with insurers<\/a> and ultimately improve their overall resilience.<\/p>\n<p>\u201cAll of the key controls in our study are well-known best practices, commonly required by underwriters to obtain cyber insurance. However, many organisations are unsure which controls to adopt and rely on expert opinions rather than data to make decisions,\u201d said Tom Reagan, US and Canada cyber practice leader at Marsh McLennan.<\/p>\n<p>\u201cOur research provides organisations the data they need to more effectively direct cyber security investments, which in turn helps favourably position them during the cyber insurance underwriting process. 
It is another step toward building not only a more resilient cyber insurance market, but also a more cyber resilient economy.\u201d<\/p>\n<p>The report data comprises Marsh McLennan\u2019s own cyber claims dataset, and the results of a series of cyber security self-assessment questionnaires completed by its US and Canadian customers.<\/p>\n<p>Based on the correlation between the two datasets, it was able to assign a \u201csignal strength\u201d metric to each control method \u2013 the higher the metric, the greater impact the control method has on decreasing the likelihood of an incident.<\/p>\n<p>It found that organisations that used automated hardening techniques that apply baseline security configurations to system components such as servers and operating systems were six times less likely to experience a cyber incident than those that did not. Such techniques include, for example, implementing <a href=\"https:\/\/www.techtarget.com\/searchwindowsserver\/definition\/Group-Policy\">Active Directory (AD) group policies<\/a> to enforce and redeploy configuration settings to systems.<\/p>\n<p>Marsh McLennan said this was something of a surprise given the emphasis put on EDR, MFA and PAM, and while such tools remain important and useful, the report also revealed some insight into how they stack up in reality.<\/p>\n<p>MFA, for example, only really works when in place for all critical and sensitive data, across all possible remote login accesses, and all possible admin account accesses, and even so, organisations that implement it this broadly (which not all do) are only 1.4 times less likely to experience a successful cyber attack. 
The report authors said this clearly showed the benefits of a defence-in-depth approach to cyber security, rather than haphazardly implementing tools in some instances but not others.<\/p>\n<section data-menu-title=\"Prompt patching: a path to protection\">\n<h3><i data-icon=\"1\"><\/i>Prompt patching: a path to protection<\/h3>\n<p>Conversely, <a href=\"https:\/\/www.computerweekly.com\/news\/365532714\/Microsoft-patches-Outlook-zero-day-for-March-Patch-Tuesday\">patching high-severity vulnerabilities<\/a> \u2013 those with a high <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/CVSS-Common-Vulnerability-Scoring-System\">CVSS score<\/a> of between seven and 8.9 \u2013 within a seven-day window was markedly more effective than expected, decreasing the probability of experiencing a cyber incident by a factor of two, and yet only 24% of organisations that responded to the questionnaires were doing this.<\/p>\n<p>It said organisations that implement improved patching policies stood a good chance of not only increasing their own resilience, but in comparing favourably against others, could make themselves a much more attractive risk to cyber insurers.<\/p>\n<p>Note, however, that prompt patching of vulnerabilities with severe CVSS scores of nine and up was less effective at reducing the likelihood of a successful incident \u2013 likely because threat actors are much quicker to exploit them.<\/p>\n<p>The most effective controls out of the 12 studied were:<\/p>\n<ul>\n<li>Hardening techniques, which reduced the likelihood of a successful cyber incident 5.58 times;<\/li>\n<li>PAM, which reduced the likelihood 2.92 times;<\/li>\n<li>EDR, which reduced the likelihood 2.23 times;<\/li>\n<li>Logging and monitoring through a security operations centre (SOC) or managed services provider (MSP), which reduced the likelihood 2.19 times;<\/li>\n<li>Patching high-severity vulnerabilities, which reduced the likelihood 2.19 times.<\/li>\n<\/ul>\n<p>Some of the less 
impactful controls, besides MFA, included cyber security training initiatives and email filtering.<\/p>\n<p>Marsh McLennan\u2019s full report <a href=\"https:\/\/www.marsh.com\/us\/services\/cyber-risk\/insights\/using-cybersecurity-analytics-to-prioritize-cybersecurity-investments.html\">can be downloaded here<\/a>.<\/p>\n<\/section>\n<\/section>\n<\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/365534957\/Prioritise-automated-hardening-over-traditional-cyber-controls-says-report\" class=\"button purchase\" 
rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Lawanda Mayoral<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vasily Merkushev &#8211; stock.adobe.c A report from strategic risk specialist Marsh McLennan advises security buyers to funnel their budgets towards automated cyber security hardening techniques, saying they have a much better chance of reducing risk in a meaningful way By Alex Scroxton, Security Editor Published: 06 Apr 2023 13:39 Endpoint detection and response (EDR), multifactor<\/p>\n","protected":false},"author":1,"featured_media":626147,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30867,93242,46],"tags":[],"class_list":{"0":"post-626146","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-automated","8":"category-prioritise","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/626146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=626146"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/626146\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/626147"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=626146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=626146"},{"taxonomy":"post
_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=626146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}