Organizations that implement automated hardening techniques will have the best opportunity to prevent cyberattacks, according to a report released Thursday by Marsh McLennan. Those that apply baseline security techniques to servers, operating systems and other components are six times less likely to suffer a security breach.
Insurers have historically recommended three major controls to reduce cyber risk: endpoint detection and response, multifactor authentication and privileged access management.
However, the report shows multifactor authentication only works when it is implemented across all access points for critical and sensitive data, including remote access and administrator account access points.
Organizations using these methods are 1.4 times less likely to suffer damage from an attack.
Companies currently implement MFA at many different levels, but the report shows the technique only works if it is broadly applied, according to Scott Stransky, managing director and head of the Marsh McLennan Cyber Risk Analytics Center.
“Many companies will implement MFA on some systems or for some use cases so that they can rightfully say they have MFA, but now that we have this study, we have data-driven justification for our clients to make the spend to implement it more broadly,” Stransky said via email.
Another key control is patching high-severity vulnerabilities within seven days of the initial patch release. More than half of organizations are patching critical vulnerabilities within the first seven days, but only 24% of organizations are patching high-severity vulnerabilities — rated with a CVSS score of 7.0 to 8.9 — in that same time period.