With the growing numbers of data breaches and escalating cyber threats, cybersecurity scores – the better of which tells you how likely your organisation is to suffer from a data breach – have taken on increasing importance. Just as individuals have their own credit scores, Doug believes that, in order to gain public trust, businesses need a score that reflects their cybersecurity preparedness. Doug can explain the benefits of objective cyber risk measurement, and the questions organisations should be asking to get the right scoring solution.
Almost all companies have a supply chain of some sort, and the largest companies are often linked to tens of thousands of business partners. Each of these, in turn, may be connected to thousands more. This ‘extended enterprise’ is not a new concept, but in the current hyperconnected environment, it’s creating new challenges.
[clickToTweet tweet=”in the current hyperconnected environment, the ‘extended enterprise’ is creating new challenges.” quote=”in the current hyperconnected environment, the ‘extended enterprise’ is creating new challenges.”]
Business networks, large or small, have significant implications for an organisation’s cybersecurity position. Direct supplier relationships are often difficult to assess, but the risk posed by vendors of vendors is even more intractable. These ‘4th parties’ – the partners of partners – represent an additional threat, as they could bring a multitude of new dangers.
When these 4th-party threats are multiplied across the vast number of interconnected businesses across the UK alone, data breaches and malware attacks represent the hurricanes and earthquakes of the cybersecurity industry. A single large cyber attack could trigger a highly destructive chain of events that begins with a 4th-party organisation but spreads rapidly to impact your business.
In this hazardous cyber landscape, the question businesses must ask themselves is: How can I identify and quantify the aggregate risks I am facing?
A good starting place is cybersecurity scoring. Like credit scores that are used to underwrite loans, cybersecurity scores enable you to compare the risk of multiple enterprises and see at a glance where the risk lies. As an individual, a good credit rating is a mark of credibility that can help you progress with, for example, purchasing a dream house or car — as a business, a good cyber score will be an increasingly important mark of credibility that can help you ally with new partners and suppliers.
The best cybersecurity scoring solutions use empirically derived predictive analytics to profile business systems and the environment they operate in
The best cybersecurity scoring solutions use empirically derived predictive analytics to profile business systems and the environment they operate in – including inferred behavioural policy indicators – to derive a score. These scores are informative in two ways. Firstly, they’re an indicator of how likely your organisation is to suffer a data breach. Secondly, getting a good score will inspire trust in your business, as customers and suppliers will feel more confident that their data is as safe as possible.
Here are four factors to consider when exploring different cyber scoring solutions:
- Understand your starting point: In order to improve, you need to first understand your current position. A score enables you to set a benchmark against which future changes can be judged. That’s why it’s important to choose a solution that responds to shifting conditions but isn’t sensitive enough to change with the wind. All organisations suffer network issues or transient risk conditions. If these are fixed quickly, they don’t impact long-term risk factors. Your score must balance responsiveness to new risk conditions with the long-term score stability necessary to make decisions around, for example, investments and vendors.
- Determine what you want to achieve: While it’s straightforward to use a cyber scoring solution to get a snapshot of your current cybersecurity posture, this won’t necessarily help you understand how likely it is that a breach will happen in the next 12 months. Some scores on the market are not forward-looking but are simply point-in-time assessments. You need a solution with underlying analytics designed to produce a stable, forward-looking indication of security risk in a relevant future time window.
- Develop risk profiles for different parts of your business: It’s important to select a solution that gives you the transparency to understand the risk of constituent parts of your business. This may include different subsidiaries and locations. Understanding these in-depth insights is as important as getting an overall picture of your organisation. You won’t be able to act on your results unless you understand what needs to change in each area of the company.
- Make sure the score is explainable: You need a solution that expresses risk in an understandable way that informs action and justifies investment. Scores should help you to explain the likelihood of a breach at your organisation to your business partners and insurers. Cyber scores must also help you make decisions about suppliers – by understanding their score, you can better assess whether they are introducing you to risk. This is essential if they will be accessing your data or systems.
Much like the traditional credit score, cybersecurity scores provide a way of pulling together a range of risks and data sources to help generate measurable, actionable insights. This checklist will help businesses better understand what is achievable with the right scoring solution, and how this enables them to improve their relationship with both partners and customers.