Organizations often assume that simply deploying popular security tools will keep them safe. But Marsh’s latest Cyber Risk Intelligence Center report tells a different story: the real winners are the firms that go beyond adoption and invest in depth, practice, and integration (Marsh, 2025).
Here are five standout insights from the analysis of thousands of companies and how leaders can put them into action.
1. Incident Response Planning Strengthens Every Layer
Organizations that excel in incident response preparation tend to perform better across their entire security ecosystem. Those that conduct tabletop simulations, stress-test their playbooks, and maintain active contracts with response vendors experience fewer breaches. These exercises sharpen team coordination, expose hidden gaps, and generate a culture of continuous improvement.
2. Full Endpoint Coverage Creates Measurable Gains
Endpoint Detection and Response (EDR) is now almost everywhere: Marsh reports an increase from 82% to 91% adoption between 2023 and 2025. Yet the difference lies in coverage. Organizations that push EDR protection across all endpoints (laptops, desktops, servers) experience significantly fewer breaches than those with partial deployment. The data shows that every additional 25% of deployment yields further risk reduction, a reminder that “some protection” is not enough. Comprehensive rollout, rather than selective application, creates a more resilient attack surface.
3. The Gap Between Using MFA and Doing It Well
Multi-factor authentication (MFA) enjoys broad adoption, reaching up to 100% in many organizations. The critical difference lies in the type of MFA used. Teams that deploy phishing-resistant solutions (e.g. hardware-based tokens or biometric factors) achieve stronger protection than those using entry-level options. These advanced methods create a higher barrier for attackers and enhance trust in authentication systems.
4. Advanced Monitoring Beats Generic Controls
Basic monitoring and alerting help, but advanced security monitoring, with threat intelligence integration, real-time analysis, and continual fine-tuning, yields the greatest difference. Marsh found that companies with truly mature Security Operations Center (SOC) capabilities: 24/7 operations, threat feed incorporation, continuous process improvement—outperform peers relying on patchwork or manually monitored systems. It’s not enough to “have a SOC”, the depth of its work defines its impact.
5. Realistic, Hands-On Training Trumps Awareness Campaigns
Employee training remains a frontline defense—but the effectiveness is dictated by its realism and relevance. Marsh’s analysis shows that organizations offering up-to-date, simulation-based training see better outcomes than those relying on generic awareness sessions. Modern threats evolve quickly and defense should evolve faster. Employees guided through red-team–style exercises develop reflexes that matter when the attack comes
The Bigger Picture: Integration Over Checklists
Taken together, these findings point tell us quality matters more than quantity. Simply checking boxes, deploying tools without integration, running training without realism, planning for response in isolation, falls short. The organizations that fare best tightly implement prevention, response, monitoring, and training into one living, breathing ecosystem.