More Help on Key Cyber Controls

Some interesting news for internal audit and cybersecurity professionals: new research has identified five key controls deemed to have the greatest effect in reducing the chance of (and damage from) a cybersecurity attack.

The research comes from insurance giant Marsh McLennan, which operates a Cyber Risk Analytics Center that helps Marsh understand how to price its cyber-insurance policies. Analysts at the center compared data from cyber claims submitted to Marsh against answers from the cybersecurity self-assessment questionnaires that Marsh sends to customers. 

Based on that correlation, Marsh data scientists assigned a “signal strength” to each of 12 well-known security controls. The higher a control’s signal strength, the greater the effect that control has on decreasing the likelihood of an event.

So which controls topped the list? In order… 

  • Automated hardening techniques, such as running antivirus scans upon starting up a computer or blocking the installation of keylogger software.
  • Privileged access management, which controls who can be an admin or super-user with the ability to create new users, copy data, change applications, and so forth.
  • Endpoint detection and response, to identify threats on each individual machine connected to your network. 
  • Logging and monitoring, where the company runs a security operations center to track unauthorized access across the enterprise and alert response teams as necessary.
  • Patching procedures, and specifically patching high-severity vulnerabilities across your whole enterprise within one week of a patch becoming available. 

To be clear, none of the above controls would be news to IT audit or security professionals; every large enterprise has them in place at least to some extent. What’s interesting is that Marsh’s cybersecurity thinkers managed to assign values to the importance of these controls. See Figure 1, below. 

In other words, automated hardening techniques are the most effective cybersecurity control a company could implement, by far. That might catch many IT audit and security people by surprise, since the conventional wisdom has always been that multi-factor authentication, endpoint detection, and privileged access management were the three most important controls to implement. According to Marsh, however, companies with hardening techniques in place are nearly six times less likely to have a cyber incident than those that don’t.

Putting This Research to Use

Well, that’s easy. You can compare this hierarchy of security controls to the ones you currently do or don’t have in place at your own organization. The resulting gap analysis can then guide any remediation efforts you want to undertake. 

For example, you might go through every application employees use to confirm whether those apps are configured correctly; or audit your company’s patch management system to confirm that, yes, you really can implement patches for high-severity vulnerabilities in a timely manner.
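One way to run that patch-management audit against the post’s own benchmark (high-severity patches applied enterprise-wide within one week of release), as an added example rather than anything from Marsh or the article: it takes an export of patch records and reports per-host misses and which advisories are fully within the window across all affected hosts. Hostnames, advisory ids and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The post's patching benchmark: high-severity patches applied across the whole
# enterprise within one week of becoming available. The threshold is the post's figure.
HIGH_SEVERITY_SLA_DAYS = 7

@dataclass
class PatchRecord:
    host: str
    advisory: str            # vendor advisory id (placeholder values in the sample below)
    severity: str            # "high", "medium" or "low"
    released: date           # date the patch became available
    applied: Optional[date]  # None means the host is still unpatched

def days_outstanding(rec: PatchRecord, as_of: date) -> int:
    """Days from release to application, or up to `as_of` if still unpatched."""
    return ((rec.applied or as_of) - rec.released).days

def patch_sla_report(records, as_of: date) -> dict:
    """Per-host view: which high-severity patches have exceeded the one-week window."""
    high = [r for r in records if r.severity.lower() == "high"]
    violations = [(r.host, r.advisory, days_outstanding(r, as_of))
                  for r in high if days_outstanding(r, as_of) > HIGH_SEVERITY_SLA_DAYS]
    compliant = len(high) - len(violations)
    return {"high_total": len(high), "compliant": compliant,
            "rate": compliant / len(high) if high else 1.0, "violations": violations}

def advisories_fully_patched(records, as_of: date) -> set:
    """Enterprise-wide view: an advisory counts only if every affected host has
    actually applied it and did so inside the window (a still-unpatched host fails it)."""
    by_adv = {}
    for r in records:
        if r.severity.lower() == "high":
            by_adv.setdefault(r.advisory, []).append(r)
    return {adv for adv, recs in by_adv.items()
            if all(r.applied is not None and days_outstanding(r, as_of) <= HIGH_SEVERITY_SLA_DAYS
                   for r in recs)}

AS_OF = date(2024, 3, 15)
SAMPLE_RECORDS = [  # constructed export from a patch-management system; all values are placeholders
    PatchRecord("web-01", "ADV-PLACEHOLDER-1", "high", date(2024, 3, 1), date(2024, 3, 5)),
    PatchRecord("web-02", "ADV-PLACEHOLDER-1", "high", date(2024, 3, 1), date(2024, 3, 12)),
    PatchRecord("db-01", "ADV-PLACEHOLDER-2", "high", date(2024, 3, 10), None),   # pending, inside window
    PatchRecord("db-02", "ADV-PLACEHOLDER-2", "high", date(2024, 3, 1), None),    # pending, past window
    PatchRecord("app-01", "ADV-PLACEHOLDER-3", "high", date(2024, 3, 4), date(2024, 3, 6)),
    PatchRecord("app-02", "ADV-PLACEHOLDER-3", "high", date(2024, 3, 4), date(2024, 3, 11)),  # exactly 7 days
    PatchRecord("app-01", "ADV-PLACEHOLDER-4", "medium", date(2024, 2, 1), None),  # not in scope
]

if __name__ == "__main__":
    print(patch_sla_report(SAMPLE_RECORDS, AS_OF))
    print(advisories_fully_patched(SAMPLE_RECORDS, AS_OF))
```

The per-host list is what you would hand to remediation owners; the advisory-level set is the honest answer to “can we really patch high-severity issues enterprise-wide within a week?”.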

Some of those remediation steps might be something the security team could do itself, such as configuring Office365 for the whole enterprise to whatever setup you need, or tightening the approval process to grant privileged access to users. Other steps might be more along the lines of developing strong policies that employees will need to follow themselves — say, guidelines on which apps are or aren’t permissible to install on company-issued tablets. 

You could also use this Marsh research to guide your compliance efforts more thoughtfully. For example, if you need to comply with a NIST cybersecurity standard for government contracting or PCI-DSS for credit card security, those frameworks include a long list of controls your organization will need to implement. You might even already use a tool of some kind to perform the gap analysis and identify which remediation steps you’ll need to take. 

The Marsh research could inform which remediation steps you should take first, since it helps you understand which steps are most likely to have the biggest benefit to your overall cybersecurity. It’s just one more way to get better perspective on the work you’ll need to do, which certainly can’t hurt if you want to defend your plans to the CISO, the board, external auditors, or some other group.

Obviously we should note Marsh McLennan’s commercial interest in publishing this research. It sells cyber insurance policies, and the more effective your cybersecurity program is, the fewer claims Marsh will need to pay out. Still, that doesn’t invalidate the basic findings in today’s report or the ways you might put it to use for better cybersecurity.

Also, the five key controls identified above aren’t the only key cybersecurity controls out there in the world. Marsh identified 12, shown in Figure 2, below. The more of them you have in place at your enterprise, running well, the better.

Source: Marsh McLennan
