SecurityScorecard assesses companies based not only on their own security posture but also on that of their partners, vendors and other third parties, giving each a ‘security scorecard’. Similar to school reports, companies and their third-party suppliers receive a grade from A to F based on how secure the organisation is, along with actionable data on where improvements can be made so they can raise their grade. Matthew McKenna, VP EMEA at SecurityScorecard, provides an overview of security ratings and what they are used for.
We’re all familiar with the concept of credit ratings. From individuals seeking loans and mortgages to organisations and even entire nations, credit ratings assess an entity’s stability, financials and assets and assign a score that reflects its ability to pay debtors. In the business world, the score is commonly shown as a letter grade, with the most-used standards from credit giants like Moody’s and Fitch Ratings generally topping out at AAA and tumbling down towards C or D.
While organised credit ratings have existed for over a century, a more recent development is the introduction of the security rating. In our increasingly digital world, an organisation’s ability to protect its assets from cyberthreats is now equally as important as its ability to remain financially solvent. Indeed, the two states are closely linked, as a company that suffers a major cyberincident will take a severe reputational and financial hit that will also heavily impact its ability to operate and pay debtors.
Just like the more familiar credit ratings, security ratings are generally boiled down to a graded letter and are based on an in-depth assessment of the company’s assets and exposure to risk. Assessments will provide the company with actionable insight into its security posture and where improvements can be made to improve its score.
How are security scores added up?
Establishing an accurate security score requires a comprehensive assessment of the security hygiene of an organisation’s entire ecosystem. The evaluation should quickly provide insight into the externally facing risks across the digital footprint, but it must also take into consideration internal factors such as susceptibility to spear-phishing, credential security and other indicators that may suggest the entity in question is at risk.
A large number of breaches are the result of companies using outdated systems, so a company’s diligence in patching its operating systems, services, applications, software and hardware is extremely important.
Network security performance is also very influential, as poor practices such as open access points, insecure or misconfigured SSL certificates or database vulnerabilities are commonly exploited by cyberattackers. Likewise, poorly secured laptops, mobiles and other endpoint devices frequently provide an easy attack route, so any device that can access the Internet must be factored in.
Looking beyond the business
Security should never be assessed in a vacuum, and any assessment must include external elements to be truly accurate. Monitoring conversations on underground hacker forums, for example, can reveal whether a specific organisation and its IPs are being discussed as potential targets. The development of new malware targeting systems used by an organisation can likewise influence its security rating.
Closely monitoring both open and closed sources can also reveal if a company’s sensitive information has been exposed as part of a data breach or leak. Data can then be mapped back to the organisation to determine whether it is likely to influence further incidents.
Furthermore, a security rating extends beyond the organisation to include suppliers, partners and any other company that the organisation is connected with. As the cost of mounting a cyberattack continually decreases due to readily available tooling, cybercriminals can just as easily attack smaller and less well-equipped companies to exploit their connections to larger targets, so the entire supply chain should be assessed for crucial risk factors as well.
What does a security score represent?
Much like its financial equivalent, a security rating can be an important indication of how safe it is to do business with an organisation. A good score can be a valuable competitive advantage for securing new customers and partners, while a poor score can be a liability that costs business. It should be noted that companies can conduct non-intrusive analysis of others, for example assessing the reputation of their IP addresses and their vulnerability to social engineering, in addition to hacker chatter and leaked credentials.
As cybersecurity continues to grow in importance, a prospective supplier or partner’s security score will be just as influential as its credit score. Companies that are shown to have poor security will begin to lose business in the same way as those that have a reputation for being financially risky. A security score and the accompanying reports and advice can also have a number of benefits across the company.
Getting attention in the boardroom
While the continued spate of high-level data breaches has helped to elevate the discussion of cyberthreats, security is still all too often neglected at board level. Even for the most diligent CISO, demonstrating the return on investment for cyberspending can be a constant struggle. The result of a good security programme is the absence of security incidents, which usually makes for less compelling proof than metrics like increased productivity and profitability.
Security ratings can help to change this by making cyberthreats a more tangible, visible issue as well as by demonstrating an ROI on ongoing security investment. An assessment can be used to produce a report card which outlines the company’s security posture and highlights its strengths and weaknesses. A good security rating will reinforce the value the CISO and security teams are bringing to the company and strengthen the case for more investment and strategic focus.
Due diligence with partners and customers
As well as helping to improve the company’s own approach to security, security ratings can lead to more efficient and thorough due diligence when dealing with third parties. As mentioned, cybercriminals often target smaller and less well-defended companies as a way of breaching the defences of the organisations they work for or with. This means that it has become increasingly important for prospective service providers and partners to be able to prove they are well secured, just as they would be expected to verify their financial stability.
Organisations should ensure that their processes for taking on new vendors include a thorough assessment of the vendor’s security capabilities. The level of security required can be varied to match the level of risk associated with the vendor’s function and its access to company assets. A vendor that will be granted access to essential systems and confidential data, for example, should have a very high security score to ensure these assets are not exposed to unnecessary risk.
Because the relationship between companies and third parties is increasingly symbiotic and interconnected, the security assessment process should be very open. Transparency on both sides will help to establish a better working relationship.
Moving beyond the strategies of individual companies, security ratings are beginning to influence wider attitudes to cyber-risk, such as with cyberinsurance. Designed to provide financial protection in the event of a major security incident, cyberinsurance has become an essential part of enterprise risk mitigation strategies. One challenge encountered by cyberinsurance providers, however, is the difficulty of understanding the cyberhealth of their clients, which can lead to overly cautious policies.
Establishing accurate security ratings can help carriers, re-insurers, brokers and risk managers better manage risk and continuously monitor policy holders. The ability to thoroughly evaluate a company’s security posture enables insurers to more precisely measure how great the risk would be if they issued a policy.
The evolving market
The cybersecurity landscape has evolved rapidly in recent years, and while security ratings are still an emerging standard, they will soon become as commonly used as credit ratings. With both the volume and sophistication of cyberthreats continuing to increase, organisations must consider more efficient techniques for gaining insight into not only their own cyber-risk but also that of their supply chain. Security ratings provide an independent and comprehensive overview of a company’s security posture that will help to take the guesswork out of security strategies. Because scores can be actively updated to reflect changes within the organisation and the wider business and security landscape, organisations can confidently deal with new threats as they emerge.