The Marsh McLennan Cyber Risk Analytics Center Finds Correlation Between BitSight Analytics & Cybersecurity Incidents
“Are we secure?”
It’s a critical question that executives and board members around the globe ask, and for good reason. In addition to reputational damage and lost business, the direct financial costs of a cyber incident continue to rise. According to a federal report, ransomware payment costs have increased nearly 10% from the first quarter of 2022. And in 2021, U.S. banks processed roughly $1.2 billion in ransomware payments.
Amidst a challenging business environment that is beginning to impact IT budgets, security professionals now face unprecedented pressure to ensure their programs are measurably reducing cyber risk. For years, many pointed to compliance with cybersecurity frameworks, such as ISO 27001, ISO 27002, SOC 2, NERC-CIP, HIPAA, GDPR, FISMA, and the NIST Cybersecurity Framework, as a way of demonstrating the effectiveness of their program.
But now, a new set of data analytics has emerged that provides security leaders with objective, evidence-based insights about the effectiveness of their programs and the likelihood that their organization will experience a cybersecurity incident.
Cybersecurity analytics empower you to tangibly reduce the risk of a cybersecurity incident
Cybersecurity analytics help security professionals make better decisions about their cybersecurity programs, empowering them to better allocate funds, reduce risk, and maximize returns on investment.
Marsh McLennan, the world’s largest insurance broker, recently studied whether BitSight’s cybersecurity performance analytics are useful in understanding the likelihood of experiencing a cybersecurity incident. The findings were significant: Marsh McLennan found 14 BitSight analytics to be significantly correlated with cybersecurity incidents.
Marsh McLennan’s Cyber Risk Analytics Center leveraged proprietary cyber claims and incident data for the analysis, while BitSight contributed cybersecurity performance data across 365,000 organizations. BitSight’s objective data paired with Marsh McLennan’s vast cyber incident database made for a robust statistical analysis providing valuable insight to the market.
By leveraging BitSight’s objective and trusted analytics, security professionals can prioritize a list of actions to measurably reduce their organization’s risk of experiencing a cybersecurity incident. We’ll cover the top five BitSight analytics Marsh McLennan found to be significantly correlated with cybersecurity incidents, and we’ll also focus on the two main programmatic areas into which these risk vectors fall.
Top 5 cybersecurity analytics that deserve laser focus
According to Marsh McLennan’s independent analysis, the top five BitSight cybersecurity analytics most strongly correlated with incidents are:
- Patching Cadence: Measures how many systems within an organization’s network are affected by important vulnerabilities, and how quickly the organization remediates them.
- Desktop Software: Measures whether browser and operating system versions are kept up-to-date for laptops, servers, and other non-tablet, non-phone computers in an organization’s network with access to the Internet.
- Potentially Exploited Systems: Measures devices observed to be running potentially malicious or unwanted programs or software (e.g. greyware or adware).
- Mobile Software: Measures whether mobile software and associated devices such as phones and tablets are kept up-to-date.
- Botnet Infections: Measures devices on an organization’s network observed participating in botnets as either bots or Command and Control servers.
Focusing on these specific risk vectors is vitally important. Even more actionable for security leaders is recognizing that these analytics fall into two main programmatic areas, which have broader implications for cybersecurity strategies.
Vulnerability management is the area of your overall cybersecurity program that focuses on quickly, accurately, and efficiently identifying and remediating vulnerabilities within your systems. This applies to your own systems and to the systems of your third parties; attackers increasingly compromise a target’s vulnerable third parties as a stepping stone to that target. Patching Cadence, Desktop Software, and Mobile Software all fall under this programmatic area.
As the analytic most strongly correlated with cybersecurity incidents, Patching Cadence should be among your organization’s highest priorities. Attackers are increasingly leveraging vulnerable systems to breach internal systems and access data like a trusted insider.
Endpoint Protection and Malware Detection
Potentially Exploited Systems and Botnet Infections belong to a programmatic area called Endpoint Protection and Malware Detection. This area of your cybersecurity program focuses on reducing your organization’s attack surface, thereby limiting the number of ways a threat actor can attack your systems. This means doing everything necessary to secure your “endpoints,” or entry points such as desktops, laptops, and mobile devices.
The other side of this area of focus is malware detection, or your ability to swiftly identify malicious software running on your systems and to effectively neutralize these threats. Machine infections like botnets have become a serious threat to organizations; an attacker may have enlisted your systems to engage in a variety of nefarious activities such as cryptocurrency mining, malware deployment, and data theft. It’s critical for your organization to prevent botnet infections, and to remediate any existing threats.
Leveraging these cybersecurity analytics to reduce risk
CISOs and other security professionals face a myriad of challenges ranging from budgeting to security performance to third-party risk management, and the increasingly complicated and unorthodox cyber threat landscape is not making anything easier. More than ever before, these professionals need actionable, objective, and trusted cybersecurity analytics to help drive better decisions.
When developing your organization’s security program, pay close attention to the top five analytics reported here. For example, when dealing with limited resources, security professionals should prioritize readiness and posture in the two main areas identified as having the most impact – vulnerability management, and endpoint protection and malware detection. Also consider these areas – and the underlying risk vectors – when interacting with third-party vendors and suppliers.
The stakes have never been higher – cyber risk is on the rise, ransomware payments are skyrocketing, and threat actors continue to exploit supply chain weaknesses to attack high profile targets. Trusted cybersecurity analytics empower security professionals to take the guesswork out of their programs and answer the key questions posed by executives and board members.