Marsh Wants to Help You Make Sense of the Crowded Cyber Security Marketplace
New cyber security solutions are coming to market weekly, using automation, machine learning and artificial intelligence to mitigate the risks from malware, ransomware, phishing and DNS attacks.
But with thousands of products on the market, finding the right mix isn’t as simple as it sounds. Marsh and several major cyber insurers are responding to clients’ concerns about identifying the best solutions and recently announced an initiative to analyze and rate cyber security products.
It’s a move signaling an era in which technology will be increasingly used to manage technology-related risks. Experts say while having the right technology can go a long way in reducing the risk, the best practice will be to support solutions with a mix of people and processes.
While IoT, cloud-based solutions, mobile applications and new technologies are fostering growth in every industry, they are also opening new vulnerabilities.
Decades ago, criminals needed sophistication and physical proximity to perpetrate crimes, but nowadays even amateurs can orchestrate complex digital attacks from across the globe.
In an age of instant and ubiquitous data transfer, cyber risks are becoming increasingly difficult to address, said Mark Greisiger, president of NetDiligence, a Pennsylvania-based cyber security company.
“The risks are continually expanding, and information is now the key asset being protected by risk managers. That means [securing] the actual computer networks, supply chain systems, intellectual property and everything in between,” Greisiger said.
Organizations must now protect not only their own information, but also that of their customers and those they do business with, Greisiger added.
“Humans can’t respond in nanoseconds, but technology can. If there’s the right rule base or logic base in place, you can react with speed in the way these attacks are happening.” — Kevin Richards, managing director, global head of cyber risk, Marsh Risk Consulting
According to the Internet Security Threat Report by Symantec, cyber criminals grew more ambitious with more targeted attacks in 2018. In particular, supply chain attacks, formjacking and use of malicious PowerShell scripts skyrocketed.
In the whack-a-mole game of security, criminals constantly use new strategies the minute they’re discovered.
“Every month there are new threats. Criminals are smart and always one step ahead … It’s daunting because your information in a company resides in so many different nodes and the company must protect that information in thousands of places,” Greisiger said.
It’s nearly impossible for organizations to prevent every attack. They must assume they will get hit at some point and work to reduce severity. The best course of action is to identify and implement the right security solutions then create a plan to respond in the event of an attack.
“The question isn’t whether you’re going to get hit; it’s the severity of it. Can you control it and make it a nuisance event rather than a catastrophic event?” Greisiger said.
Many organizations are now looking to machine learning and automated solutions to address the risks, said Meghan Hannes, cyber product head at Hiscox USA.
Large commercial cloud applications can identify malware within minutes and use the cloud to secure all tenants immediately rather than having to rely on antivirus update files.
According to the 2018 BDO Cyber Governance Survey, nearly three-quarters of public companies now use third-party vendors to meet certain cyber risk requirements, up from 30 percent in 2016.
Cyber security is so complex because attacks can now come from all directions, said Kevin Richards, managing director and global head of cyber risk at Marsh Risk Consulting.
Most organizations now need a layered approach to security that can protect across connected devices, systems, cloud infrastructures and data centers.
This often requires multiple products and solutions from different vendors that all must perform different tasks yet work together.
In addition to basic antivirus and firewalls, organizations now also need things like identity and access management, compliance management, data loss prevention (DLP), intrusion detection systems (IDS) and disaster recovery. By one estimate there are more than 3,500 cyber security solutions on the market.
It’s a daunting task to identify and select the right products as many are similar and can have comparable track records. The average organization may need up to 30 tools to cover all their bases, Richards said.
Despite the continuous investments and solutions coming to market, security breaches are only growing worse, Richards added.
The 2019 Official Annual Cybercrime Report by the Herjavec Group predicts cyber crime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015.
“It’s a paradox because in every other part of business when we spend money it gets better, but in cyber, we increasingly spend more and it only has become worse,” Richards said.
Because insurers are writing checks for the claims, they have a vested interest in ensuring their clients have the best protection.
Marsh’s new rating system, Cyber Catalyst, aims to address that. It brings together leading insurers to evaluate and identify the most effective solutions in reducing risk.
Solutions will be rated on their security performance in major risk areas such as data breach, business interruption, data theft and extortion. Top-rated solutions will earn the designation of “Cyber Catalyst” and may trigger more favorable terms with some insurers.
“Organizations big and small struggle to evaluate everything that is out there,” said Thomas Reagan, cyber practice leader for Marsh.
“Clients ask for our perspective on a daily basis. It’s a way for us to use the expertise of some of the largest cyber insurers in the world.”
An Aggregation of Capabilities
Proponents of the idea say the ratings could leverage insurers’ expertise to foster greater adoption of security tools and to reduce risk.
While it may seem tempting to pile on security products and solutions to be safe, taking measures that are too heavy handed can bog down systems, impede operations and make it hard for employees to do their jobs, Greisiger said.
As there is no ‘magic silver bullet,’ the real solution will be an “aggregation of capabilities,” he said.
Technology will play a primary role, because it is impossible for humans alone to respond quickly enough. Many attack methods now have self-augmenting routines that can almost instantly change the footprint of an attack once it is discovered.
“Humans can’t respond in nanoseconds, but technology can,” Richards said.
“If there’s the right rule base or logic base in place, you can react with speed in the way these attacks are happening,” he added. &