Zurich Resilience Solutions (ZRS) is a global business unit within the Zurich Group that provides risk management and mitigation services to Zurich customers and other companies worldwide. Due to the spread of cyber risks, ZRS has repositioned its efforts to help SMEs and uncover cyber vulnerabilities. A collaboration was initiated together with ETHZ professors Dr. David Basin and Dr. Martin Ochoa along with master's student Silvia La to determine which cybersecurity controls provide the best protection for small to medium-sized enterprises based on the origin and frequency of cyberattacks. Zurich cross-checked and validated the controls identified in the study with information from its customer questionnaire and benchmarking data from global customer ratings and claims. While there have already been attempts to prioritize controls based on attack data, the innovative aspect of this research is the additional consideration of threat analyses to take into account what types of attacks are most likely.
The result is the "Attach Technique Based Control Prioritization Model", which, despite its lofty name, has a simple goal. Used in conjunction with Zurich's optimized questionnaire evaluation, it can simulate the cyber risk for the company in question. It also helps with decisions on which measures should be prioritized to manage the risk and what budget is needed.
This means ZRS can help SMEs decide which services to use to respond to specific cyber threats. Zurich is currently preparing the further development of the tool under the leadership of Andreas Schmitt, Global Cyber Underwriting Manager, in order to optimally structure cyber insurance coverage for SMEs.
The ETHZ study identified a number of specific controls which, when combined, can mitigate hundreds of different types of cyberattacks. While cybersecurity awareness and governance are still the first layer of defense, staying abreast of changing risks and detecting breaches as they occur through systems monitoring is at the top of the technical list, Bilquez explained. "If you don't notice the attack, the inevitable consequences will escalate by the hour."
"Make sure your protection settings are properly configured, your patches are up-to-date, and your vulnerabilities are appropriately addressed," is the advice from the study. In addition, up-to-date malware protection helps repel this type of threat in case employees accidentally click a link that downloads malicious code.
"Employees should only be able to do what is necessary in any application," Bilquez explains. "Administrator privileges are not universal, as is common in some industries. Where this is the case, a hacker would only need to hack one person to become an administrator of the system and the entire IT infrastructure."
In total, the ETHZ and Zurich researchers identified five cyber controls that together can effectively mitigate the most probable 66 percent of cyberattacks, and ten controls that together cover the most probable 70 percent of cyberattacks. We can provide the list of cyber controls upon request to companies that would like to learn more.
The services ZRS provides include training to ensure employees are familiar with risks such as malware and phishing via email or social media. Zurich created an exclusive "Cyber Escape Game" that simulates an actual hacker attack, which employees must respond to. This makes them aware of the need to protect the company. The innovative and immersive awareness training offers employees a unique experience and is carried out in addition to the technical recommendations of the ETHZ study.
"We can also look on the dark web to see if any company credentials have surfaced there, because this potentially creates gateways that hackers could exploit," Bilquez explained.
Often, it is not the company itself that is responsible for the risk, but rather an uncontrolled supply chain. ZRS is able to assess and monitor risks from third-party providers to ensure that appropriate contracts are in place and that details of their data security practices are explicit. Organizations can check their third-party providers’ compliance levels in real time via a unique and easy-to-use platform.
"SMEs without their own information security officer or staff in a similar role should take steps to assign these responsibilities to someone, if possible," Bilquez recommends. "Where this is not possible, ZRS services could fill the gap or complement existing security efforts," he added. For SMEs that invest in cyber protection, the rewards can be impressively high, Bilquez said.
"If we identify the top priorities for an SME, we can model the risk to suit the company," he explained. "For example, if we find that a company has USD 20 million at risk in terms of ransomware, an investment of around USD 10,000 to put controls in place can reduce the risk by USD 10 million or more."