Study highlights 10 Cyber controls reducing 70% most frequent attacks

That’s a situation that Zurich is determined to change.

Recognizing the vulnerability of small and medium-sized enterprises (SMEs) to cyber risk and the lack of resources to help them strengthen their resilience against it, Zurich, together with researchers at ETH Zurich (ETHZ), has set out to study how business owners can easily pinpoint areas that need attention and implement quick-win solutions to keep digital intruders at bay.

This collaboration was carried out in the context of Zurich’s long-term partnership with ETHZ and the ETH Zurich Foundation for the Zurich Information Security Center, in the interest of research-based innovation. This is an industry-supported research center of ETHZ.

The result of the study by ETHZ researchers and the insurer is a model that prioritizes cyber security controls, and, together with an assessment that quantifies a company’s exposure with financial impact. This allows companies to effectively budget and prioritize actions to address critical vulnerabilities.

It’s a daunting task for most SMEs to confront cyber risk, said Vivien Bilquez, Principal Cyber Risk Engineer at Zurich Resilience Solutions. It’s far more complex than simply installing anti-virus software and making sure firewalls are in place, he noted.

“When an SME starts to approach cyber risk, they are often lost,” Bilquez said. “They don’t understand how to prioritize the risks and they are hesitant because of the cost. In the end, they don’t do anything because there is no one to support them in this effort.”

It is not uncommon to find companies riddled with cyber vulnerabilities and intrusions that they are unaware of, Bilquez said.

Tackling the problem through Zurich Resilience Solutions

Zurich Resilience Solutions (ZRS) is a global business unit within the Zurich Group, dedicated to delivering risk management and mitigation services to Zurich customers and other businesses around the world. Concerned about the scope of cyber risk, ZRS set out to revamp its own efforts to help SMEs uncover cyber vulnerabilities. Together with ETHZ’s professor Dr. David Basin, Dr. Martin Ochoa, and master thesis student Silvia La, a collaboration was initiated to identify the cyber controls, based on cyber attack sources and frequency, that work best for small to medium-sized companies. Zurich cross-checked and validated the controls identified by this study against information gathered from its customer questionnaire and benchmarking data from global customer assessments and claims. Although there were previous attempts to prioritize controls based on attack coverage, the novel angle of this research was to additionally consider threat intelligence reports to integrate a notion of most likely attacks.

The result was the Attach Technique Based Control Prioritization Model, and while it carries a lofty title, it has a simple aim: used with Zurich’s streamlined risk assessment, it will model a company’s cyber exposure, help prioritize actions to manage it and determine the budget needed to get the work done.

This means ZRS can help determine which services can be designed to address the company’s specific cyber threats. Zurich is on the way to further develop the tool to provide underwriters, led by Andreas Schmitt, Global Cyber Underwriting Manager at Zurich, with the information they need to help structure cyber coverage for SMEs.

How the study helps manage the risk

The ETHZ study identified a number of specific controls that used together can mitigate hundreds of cyberattack techniques. While Cyber Awareness and Governance remain the first level of defense, system monitoring to stay on top of the changing risk and recognize breaches as soon as they occur is at the top of the technical list, Bilquez noted. “If you don’t know you are under attack, the inevitable impact grows hour by hour.”

Make sure protection settings are properly configured, patches are up to date and vulnerabilities are properly addressed, the study advises. In addition, up-to-date protection against malware will help thwart that threat if an employee mistakenly clicks on a link that tries to download a malicious code.

"Working on a project that has the potential to aid organizations in managing cyber risk and satisfying security and privacy requirements in a threat landscape that is constantly changing was extremely interesting", said Silvia La. "We quickly learned that our solution must be able to model the diverse requirements organizations have, since each is unique in terms of controls already in place and resource constraints", she adds.

The study also points to “least privilege” as a top practice to keep systems safe. “Employees should be able to do only what is needed in an application,” Bilquez explained. “You don’t give administrator privileges to everybody, as is the case in some industries. A hacker would only need to hack one person to become administrator of the system and the whole IT infrastructure.”

In summary, the ETHZ researchers and Zurich identified 5 cyber controls that together help mitigate efficiently the most likely 66% cyber attacks and 10 controls that together covering the most likely 70% cyber attacks. This list of cyber controls can be disclosed upon enquiry from businesses who would like to understand more.

Reinforcing cyber protection

Among the services ZRS provides, once the threat is known, is training to ensure that employees are aware of risks such as malware and phishing tactics by email or through social media. An exclusive “cyber escape game” simulates an actual hacking that requires employees to respond, building awareness around keeping their company safe. Such innovative and immersive awareness training, creating unique experience among employees, is in addition to technical recommendations in the ETHZ study, according to Bilquez.

“We can also look at the dark web to determine whether a company’s credentials have been leaked,” which can create pathways for hackers to exploit, Bilquez said.

Quite often, the risk is not coming from the company itself but by the uncontrolled supply chain. ZRS is able to assess and monitor the risk from third-party suppliers, making sure proper contracts are in place and details on their data security practices are spelled out. A unique and simple platform allows a company to check the level of compliance of their third-party vendors in real time.

SMEs without a dedicated security information officer or someone in a similar role should take steps to assign those responsibilities to someone, if possible, Bilquez advised. But for those who cannot, services provided by ZRS can fill that gap or augment an SME’s existing data security efforts, he added.

The payoff for investing in cyber protections can be impressive for SMEs, Bilquez said.

“If we identify the top priorities for an SME, then we can model the company’s exposure,” he explained. “If we find that a company has an exposure to ransomware of $20 million, for example, an investment of around $10,000 to put controls in place has the potential to reduce their exposure by $10 million or more.”

More information on how ZRS can help SMEs manage their cyber risks is available by contacting cyber.resilience@zurich.com