Global Perspectives on Cyber Resilience From Marsh & McLennan’s 2018 Cyber Handbook

The demands of cybersecurity and cyber resilience are expanding at a rapid pace as attackers adapt to new defenses. To help navigate the shifting terrain, Marsh & McLennan released its “MMC Cyber Handbook 2018: Perspectives on the Next Wave of Cyber,” which presents a global perspective on cyberthreats.

According to the report, we have reached an inflection point regarding our global ability to address cybersecurity risks for three main reasons:

  1. Cyberattacks, malware and business disruptions are growing more and more sophisticated, which made 2017 a banner year for security incidents.

  2. We are increasingly dependent on technology and connected devices, which has raised the profile of cybersecurity and resilience in most organizations — not to mention security budgets.

  3. Governments, regulators, law enforcement and auditors are just beginning to effectively coordinate cyber risk strategies and share intelligence about the evolving and increasingly interconnected nature of the threat landscape.

Key Takeaways From the Report

The “MMC Cyber Handbook” is not your typical security report. It juxtaposes security statistics with short articles on topics such as the General Data Protection Regulation (GDPR), the many high-profile ransomware attacks (such as WannaCry and NotPetya) and distributed denial-of-service (DDoS) attacks (such as the Mirai botnet) that befell organizations in 2017, and the need for improved cybersecurity across regions, sectors and even departments.

A few statistics stand out for their relevance to everyday internet users:

  • The average number of identities exposed per breach reached 927,000 in 2016, compared to 466,000 in 2015 and 805,000 in 2014. 2016 was also the first year to see 15 breaches with more than 10 million identities exposed — up from 13 in 2015 and 11 in 2014.

  • The number of ransomware families hit 101 in 2016, more than three times the number of families observed in each of 2014 and 2015. In 2016, the average ransom amount was over $1,000, about three times as much as the previous year.

  • In 2016, the average number of cloud apps used per organization reached a staggering 928 apps, up from 841 the year before.

  • The energy, healthcare and retail sectors saw the highest numbers of cyberattacks in the past year, with reported attacks from 26, 25 and 25 percent of companies, respectively. Manufacturing came in fourth with 22 percent. Organizations in the power and utilities sector also found themselves in attackers’ sights, with 14 percent reporting cyberattacks.

  • In terms of managing, responding to and recovering from a cyber incident, only 19 percent of respondents said they were highly confident, 62 percent said they felt fairly confident and 14 percent said they were not at all confident. Meanwhile, 6 percent reported that they didn’t know.

Why Experts Are Forecasting a Cyber Hurricane

In case anyone still doubted the increasingly systemic nature of cyber risks, the report noted that conditions have evolved beyond data breach fatigue into what U.S. military officials dubbed “a potential ‘Cyber Pearl Harbor’” and one report author described as “early versions of cyber hurricanes.” This digital perfect storm is due to our increased dependence on technology, combined with the high number of vulnerabilities and continuing growth and specialization of the cybercrime market.

As the high-profile incidents of 2017 and 2018 have shown, a cyber incident can quickly spread beyond its initial vector of entry and wreak havoc with both IT and operational technology, seriously impacting an organization’s business activity. The report noted that this is especially concerning for manufacturing and logistics organizations, which are particularly susceptible to cyber risks due to the nature of their businesses — with little slack, lots of outsourced parts and dependence on just-in-time inventories.

How the Financial Sector Is Leading by Example

While the financial sector is often a leader in terms of improving cybersecurity, the report noted that the margin for error is getting smaller due to recent regulatory changes, including those from the New York Department of Financial Services (NYDFS) and the Office of the Comptroller of the Currency (OCC), as well as the 2017 updates to both the Federal Financial Institutions Examination Council (FFIEC)’s “Information Security Handbook” and its Cybersecurity Assessment Tool.

In its spring 2018 “Semiannual Risk Perspective” report, the OCC urged the banking sector to be aware of the evolving nature of cyberthreats and warned of bad actors that seek to exploit personnel, processes and technology.

“Failure to maintain proper cybersecurity controls can lead to material negative effects on banks, consumers, and national and economic security,” the report noted. The authors went on to advise banks to “have a well-established and tested response plan in case a cyber incident occurs.”

The OCC clearly stated its intention to pay close attention to cybersecurity and resilience in its “Fiscal Year 2018 Bank Supervision Operating Plan,” noting that examiners would “review banks’ programs to determine to what extent they assess the evolving cyber threat environment and banks’ cyber resilience.” Coupled with GDPR and similar regulatory guidelines, the Cyber Handbook’s advice regarding broader coordination will come in handy to help security professionals consolidate data protection policies across sectors.

How Can Companies Across All Sectors Improve Cyber Resilience?

In the handbook’s mini-article, “Limiting Cyberattacks With a System Wide Safe Mode,” author Claus Herbolzheimer advised organizations to consider moving toward decentralized cybersecurity architectures that can automatically disconnect from an infected system or network to prevent further attacks or disruptions. The goal of such a mechanism is to reduce harm without completely shutting down and maintain a minimum level of healthy activity that can be sustained without further damage or compromise.

All in all, the “MMC Cyber Handbook” covers a lot of new ground, especially in terms of its global perspective on the evolving threat landscape. The bottom line is that as attackers grow increasingly sophisticated and their tactics more advanced, defenders will need to innovate and share intelligence on a global scale and across industries to keep their systems, data and personnel safe.

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato...