Marsh Study & Key Controls for SMBs

April 7, 2023

Marsh McLennan, together with Guy Carpenter and the cooperation of numerous cybersecurity solution firms, has recently published a fascinating study Using Data to Prioritize Cybersecurity Investments. This is a very useful study to help identify the specific solutions most useful to protect an  organization, as well as to model cyber loss and predict cyber risk in the context of insuring business clients. It’s critical to regularly evaluate the diverse data sets available and emerging regularly, and to rank their predictive utility to insurance underwriters in their daily role of evaluating cyber risks. To do this effectively, it’s key to understand what data insights are most useful in predicting risk, and how best to get visibility of them.   This study does an excellent job of categorizing the various controls and their usefulness. As a strong proponent of cyber risk assessments as a way to gain technographic inside>out data and insights on cybersecurity culture and overall wellness, it is with particular interest that Marsh’s own cybersecurity self-assessment data was able to provide significant value. 

However, this study is most useful for modeling loss and predicting cyber risks at companies with complex, sophisticated networks and larger budgets. It is not as directly relevant to many of the Small and Medium-sized Businesses (SMBs) who use less complex networks, have smaller staffs and much lower cybersecurity budgets.  In these organizations, the corresponding cybersecurity controls must be:

PRACTICAL, REALISTIC & DEPLOYABLE from both a cost and complexity standpoint.

In analyzing this study, we looked at the unique client data sets that TEKRiSQ captures through professionally conducted cyber risk assessments.  In comparing the Marsh study findings with this SMB client incident data, we identified how the key controls discussed apply to smaller clients.  These businesses often have simple networks using mainly cloud-based applications, remote employees, use personal devices, may not have internal IT staff, and do not have dedicated cyber security staff nor CISOs. Many times they outsource IT and don’t have the time, inclination, or expertise to address cybersecurity concerns. Here are a few thoughts;

  • Hardening techniques – Most of the issues with SMBs deal with employees’ computers used and managed in a Bring-Your-Own-Device (BYOD) fashion.  In this scenario there are not many controls and employees can really do what they want (i.e. they have administrative privileges on their computers). When we analyze employee behaviors, we see a very high percentage of incidents correlate to those employees who exhibit the following behaviors:
    • ANYTHING GOES: In almost all incidents, those employees have free reign over an unestablished wild west computer use policy, and have often downloaded documents from untrustworthy sites and/or free software.  These commonly  include free PDF editors, free zip applications, free antivirus software, free computer cleaning software, free VPNs, free Github utilities, etc. Employees are sometimes reluctant to ask for paid versions that are secure, and when allowed to do so make these mistakes. The issue arises when the employee inadvertently downloads that software from an irreputable site  infecting their machines.  
    • MIX n MATCH: In a high percentage of cases, employees carelessly interweave their personal business with the professional business.  They’re logging into personal sites and social media, using their work email to download games, gambling apps and more to the same computer that  they use for work.
    • BROWSER AMBIVALENCE: Employees mix work with personal credentials and save them in their browser profiles to automatically sync across their devices.  
    • SKIP ENCRYPT: Employees fail to encrypt their hard drives (roughly 30%).  In some  cases, BYOD PC users are using a Windows Home version (not a version designed for business) which does not offer Bitlocker.
    • UPDATES INGRATES: Software Updates & Patching – BYOD users often ignore this Although this can vary between  clients, we have seen over 50%+ of these computers using outdated versions  (over 30 days out of date).
    • Active Directory– Mostly larger organizations have an Active Directory domain where they can apply group policies to enforce password complexity, password age, etc. This requires a knowledgeable administrator. A third party IT support organization performing this can be more practical for use in SMBs.
    • CVEs – Common Vulnerabilities and Exposures often sit on computers indefinitely and are almost never addressed.
  • Privileged Access Management (PAM) – This is a robust solution that is almost never in place in small and medium sized businesses.   Most SMB businesses have simple networks and use SAAS based applications. PAM requires cybersecurity expertise and resources that aren’t available in many SMBs.  Good and proper use of Access Control solutions can help address this problem in a practical manner.


While quite useful in profiling what cybersecurity solutions have most impact and help to predict risk, this study somewhat overlooks an enormous part of the business market. Many SMBs find several of these profiled cybersecurity solutions to be simply out of reach. The more practical and realistic the controls are for SMBs, the more widely they can be implemented. For appropriate SMB cybersecurity control recommendations, the best place to start is with an independent, professional conducted cyber risk assessment.

Learn more about appropriate SMB Cybersecurity solutions and Cyber Risk Assessment Services by booking a quick discussion with a TEKRiSQ representative here.