/*

We value your privacy

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions. Cookie Policy

Customise Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorised as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

Performance cookies are used to understand and analyse the key performance indexes of the website which helps in delivering a better user experience for the visitors.

Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.

/*]]>*/
TEKRiSQ | Technology Risk Assessment Platform  

Marsh Study & Cyber Risk Prediction for SMBs

April 7, 2023

Marsh McLennan, together with Guy Carpenter and the cooperation of numerous cybersecurity solution firms, has recently published a fascinating study Using Data to Prioritize Cybersecurity Investments. This is a very useful study to help identify the specific solutions most useful to protect an  organization, as well as to model cyber loss and predict cyber risk in the context of insuring business clients. It’s critical to regularly evaluate the diverse data sets available and emerging regularly, and to rank their predictive utility to insurance underwriters in their daily role of evaluating cyber risks. To do this effectively, it’s key to understand what data insights are most useful in predicting risk, and how best to get visibility of them.   This study does an excellent job of categorizing the various controls and their usefulness. As a strong proponent of cyber risk assessments as a way to gain technographic inside>out data and insights on cybersecurity culture and overall wellness, it is with particular interest that Marsh’s own cybersecurity self-assessment data was able to provide significant value. 

However, this study is most useful for modeling loss and predicting cyber risks at companies with complex, sophisticated networks and larger budgets. It is not as directly relevant to many of the Small and Medium-sized Businesses (SMBs) who use less complex networks, have smaller staffs and much lower cybersecurity budgets.  In these organizations, the corresponding cybersecurity controls must be:

PRACTICAL, REALISTIC & DEPLOYABLE from both a cost and complexity standpoint.

In analyzing this study, we looked at the unique client data sets that TEKRiSQ captures through professionally conducted cyber risk assessments.  In comparing the Marsh study findings with this SMB client incident data, we identified how the key controls discussed apply to smaller clients.  These businesses often have simple networks using mainly cloud-based applications, remote employees, use personal devices, may not have internal IT staff, and do not have dedicated cyber security staff nor CISOs. Many times they outsource IT and don’t have the time, inclination, or expertise to address cybersecurity concerns. Here are a few thoughts;

  • Hardening techniques – Most of the issues with SMBs deal with employees’ computers used and managed in a Bring-Your-Own-Device (BYOD) fashion.  In this scenario there are not many controls and employees can really do what they want (i.e. they have administrative privileges on their computers). When we analyze employee behaviors, we see a very high percentage of incidents correlate to those employees who exhibit the following behaviors:
    • ANYTHING GOES: In almost all incidents, those employees have free reign over an unestablished wild west computer use policy, and have often downloaded documents from untrustworthy sites and/or free software.  These commonly  include free PDF editors, free zip applications, free antivirus software, free computer cleaning software, free VPNs, free Github utilities, etc. Employees are sometimes reluctant to ask for paid versions that are secure, and when allowed to do so make these mistakes. The issue arises when the employee inadvertently downloads that software from an irreputable site  infecting their machines.  
    • MIX n MATCH: In a high percentage of cases, employees carelessly interweave their personal business with the professional business.  They’re logging into personal sites and social media, using their work email to download games, gambling apps and more to the same computer that  they use for work.
    • BROWSER AMBIVALENCE: Employees mix work with personal credentials and save them in their browser profiles to automatically sync across their devices.  
    • SKIP ENCRYPT: Employees fail to encrypt their hard drives (roughly 30%).  In some  cases, BYOD PC users are using a Windows Home version (not a version designed for business) which does not offer Bitlocker.
    • UPDATES INGRATES: Software Updates & Patching – BYOD users often ignore this Although this can vary between  clients, we have seen over 50%+ of these computers using outdated versions  (over 30 days out of date).
    • Active Directory– Mostly larger organizations have an Active Directory domain where they can apply group policies to enforce password complexity, password age, etc. This requires a knowledgeable administrator. A third party IT support organization performing this can be more practical for use in SMBs.
    • CVEs – Common Vulnerabilities and Exposures often sit on computers indefinitely and are almost never addressed.
  • Privileged Access Management (PAM) – This is a robust solution that is almost never in place in small and medium sized businesses.   Most SMB businesses have simple networks and use SAAS based applications. PAM requires cybersecurity expertise and resources that aren’t available in many SMBs.  Good and proper use of Access Control solutions can help address this problem in a practical manner.

CONCLUSION

While quite useful in profiling what cybersecurity solutions have most impact and help to predict risk, this study somewhat overlooks an enormous part of the business market. Many SMBs find several of these profiled cybersecurity solutions to be simply out of reach. The more practical and realistic the controls are for SMBs, the more widely they can be implemented. For appropriate SMB cybersecurity control recommendations, the best place to start is with an independent, professional conducted cyber risk assessment.

Learn more about appropriate SMB Cybersecurity solutions and Cyber Risk Assessment Services by booking a quick discussion with a TEKRiSQ representative here.

Categories: Blog

Tags: , , , , , ,

 
Inaction After Cyber Risk Recommendations

© Copyright 2025 TEKRiSQ, INC. All rights reserved.
Website by: Colophon

TEKRiSQ BBB Business Review