Cyber Risk Ratings: How Would Your IT Environment Score?
Moody’s, one of the U.S.’s largest credit rating companies, recently announced their decision to incorporate cyber risk into their credit rating system. This decision goes a long way towards showing that cyber threats can have serious, long term consequences on the organizations that are attacked.
Though it will take some time before Moody’s puts this new policy in effect, organizations may want to start asking themselves, “how would we stack up if our security environment were evaluated tomorrow?” Like with any exam, the success is all in the preparation. It is critical for an organization to thoroughly assess itself before Moody’s or some other agency puts them to the test. Read on to find out the type of cyber threats that endanger organizations (and their ratings), and how they can protect themselves.
Establishing Cyber Risk Criteria
Moody’s has not yet announced how or what criteria it will use to assess cyber risk, but quantifying cyber risk isn’t new. For example, FICO launched its own Cyber Risk Score in 2017. Additionally, the National Institute of Standards and Technology and the Department of Commerce came out with a Guide for Conducting Risk Assessments in 2012 that thoroughly examines information security threats. This guide identifies four types of cyber threats that are a great foundation for organizations to begin with when assessing their cyber risk.
Cyber Threat 1: Adversarial
Adversarial threats are what most people think of when they hear about cyber threats – these are typically external threats from outside individuals or groups that seek to exploit an organization’s systems in some way.
These attacks often come in the form of malware, be it ransomware seeking to extort money from a company or cryptomining malware, seeking to utilize the numerous, powerful servers an organization has in order to generate cryptocurrency for a profit.
On the plus-side of adversarial threats is the fact that they have become so newsworthy that most organizations have some form of antivirus in order to block these attacks. However, it’s easy to develop a blind spot, failing to see that every endpoint is at risk—not just workstations.
Servers in particular, with their high processing power and large storage capacity can quickly become backdoors for malicious entities to sneak through. Deploying server-side antivirus ensures the corporate network and critical systems are also safeguarded from malware.
Cyber Threat 2: Accidental
With daily news alerts about data breaches committed by shadowy groups, it’s easy to forget that threats also lurk within your own organization. Insider threats from employees, and especially privileged users, can often cause more damage because insiders have so much more access. In fact, of those surveyed for the Ponemon Institute’s Study on Global Trends in Cybersecurity, 31% considered negligent employees to be the greatest risk to cybersecurity.
Though some insider threats can be adversarial, many are the result of unintentional actions of employees, enabled by clumsy policies. Unlike external threats, the solution is not as simple as closing all gateways to data – employees need to be able to have access in order to get their jobs done. However, many organizations allow for far too many privileged accounts, giving access to systems that can easily be misconfigured by negligent users who didn’t need that much privilege to begin with.
Privileged Access Management (PAM) solutions not only protect against insider threats by granting employees the appropriate level of access to do their jobs, they also help organizations detect potential insider threats by providing a complete audit trail of user activity.
Cyber Threat 3: Structural
The definition of a structural threat is multifaceted—it doesn’t simply mean the physical hardware, but rather all the components in creating a cyber infrastructure. It also isn’t just a matter of the physical pieces of hardware breaking down. Outdated equipment and software are not only slow, they also pose a serious security risk.
Updates typically include patches to known weak points that could be or already have been exploited. When hardware and software reach the end of life stage, they are no longer supported, and no further updates can be implemented, leaving the window for attackers permanently open.
Though it doesn’t seem tangible , the cloud also falls under structural threats. There is a general misconception that cloud providers are solely responsible for the security of the cloud. However, while cloud providers oversee the security of the cloud, cloud users are responsible for the security of the data that is placed in that cloud.
Cloud users need proper and consistent configuration across their cloud environments to ensure their security responsibility is met. Given the size of cloud environments, as well as how they are integrated with on-premise environments, preventing misconfiguration manually is no longer practical. Security auditing software helps by centralizing and automating security administration across all environments.
Cyber Threat 4: Environmental
When natural disasters like earthquakes, tornadoes, and hurricanes occur, everything is at risk, including cyber infrastructures. Companies that are located miles away from a fault line aren’t exempt – fires, old office buildings with faulty wiring, even sunspots can affect technology.
Before one of these calamities occurs, organizations need to establish emergency procedures and policies to ensure that such an event would not cripple their business altogether. What is necessary to stay running? Do critical physical files have digitized backups? With the cloud becoming more and more prevalent, data does not have to be tied to a specific location. However, this makes it all the more important to ensure your cloud is properly configured, as mentioned above.
Cyber Risk Management
See how your environment ranks by running our free security scan. One of our experts will walk you through your results and show you how to rate even higher.