April 7, 2023
Marsh McLennan, together with Guy Carpenter and the cooperation of numerous cybersecurity solution firms, has recently published a fascinating study Using Data to Prioritize Cybersecurity Investments. For cyber risk data prediction purposes, there are many contributors, but none touch the cyber risk assessment. This is a very useful study to help identify the specific solutions most useful to protect an organization. It helps to model cyber loss and predict cyber risk in the context of insuring business clients as well.
It’s critical to regularly evaluate the diverse data sets available and emerging regularly. Its useful to rank their predictive utility to insurance underwriters in their daily role of evaluating cyber risks. To do this effectively, it’s key to understand what data insights are most useful in predicting risk, and how best to get visibility of them. This study does an excellent job of categorizing the various controls and their usefulness. As a strong proponent of cyber risk assessments as a way to gain technographic inside>out data and insights on cybersecurity culture and overall wellness, it is with particular interest that Marsh’s own cybersecurity self-assessment data was able to provide significant value.
However, this study is most useful for modeling loss and predicting cyber risks at companies with complex, sophisticated networks and larger budgets. It is not as directly relevant to many of the Small and Medium-sized Businesses (SMBs) who use less complex networks, have smaller staffs and much lower cybersecurity budgets. In these organizations, the corresponding cybersecurity controls must be:
PRACTICAL, REALISTIC & DEPLOYABLE from both a cost and complexity standpoint.
In analyzing this study, we looked at the unique client data sets that TEKRiSQ captures through professionally conducted cyber risk assessments. In comparing the Marsh study findings with this SMB client incident data, we identified how the key controls discussed apply to smaller clients. These businesses often have simple networks using mainly cloud-based applications, remote employees, use personal devices, may not have internal IT staff, and do not have dedicated cyber security staff nor CISOs. Many times they outsource IT and don’t have the time, inclination, or expertise to address cybersecurity concerns. Here are a few thoughts;
CONCLUSION
While quite useful in profiling what cybersecurity solutions have most impact and help to predict risk, this study somewhat overlooks an enormous part of the business market. Many SMBs find several of these profiled cybersecurity solutions to be simply out of reach. The more practical and realistic the controls are for SMBs, the more widely they can be implemented. For appropriate SMB cybersecurity control recommendations, the best place to start is with an independent, professional conducted cyber risk assessment.