<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>cyber - RiskInsight</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/tag/cyber-en/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/en/tag/cyber-en/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Thu, 02 Jan 2020 10:30:28 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>cyber - RiskInsight</title>
	<link>https://www.riskinsight-wavestone.com/en/tag/cyber-en/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Cyberating: more than just a rating, a vital aspect of governance</title>
		<link>https://www.riskinsight-wavestone.com/en/2019/09/cyberating-more-than-just-a-rating-a-vital-aspect-of-governance/</link>
		
		<dc:creator><![CDATA[Matthieu Péquin]]></dc:creator>
		<pubDate>Mon, 23 Sep 2019 05:51:08 +0000</pubDate>
				<category><![CDATA[Cyberrisk Management & Strategy]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberating]]></category>
		<category><![CDATA[évaluation]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[risk estimation]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=12120</guid>

					<description><![CDATA[<p>From finance to cybersecurity The major rating agencies, such as Moody&#8217;s and Standard &#38; Poor&#8217;s, are well known to the general public—especially after the 2008 financial crisis. They now shape financial markets, de facto, through their generation of comparison grids,...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2019/09/cyberating-more-than-just-a-rating-a-vital-aspect-of-governance/">Cyberating: more than just a rating, a vital aspect of governance</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h1>From finance to cybersecurity</h1>
<p>The major rating agencies, such as Moody&#8217;s and Standard &amp; Poor&#8217;s, are well known to the general public—especially after the 2008 financial crisis. They now shape financial markets, <em>de facto</em>, through their generation of comparison grids, which are used, at global scale, to rate the solvency risks associated with companies.</p>
<p>And today, it’s clear that this approach of third-party organizations producing corporate ratings isn’t just limited to the financial sector: it’s gradually being extended into the sphere of cybersecurity.</p>
<p><strong>Cyber rating agencies are now assigning &#8220;cyber scores&#8221;</strong> to companies, quantifying the level of cyber risk to which each company is exposed. The players doing this are mainly American (BitSight, Security ScoreCard, Panorays, and UpGuard, for example), but the European start-up Cyrating also generates ratings by collecting and analyzing publicly available information, including:</p>
<ul>
<li>The vulnerabilities present on the company&#8217;s websites and the robustness of the TLS encryption in use;</li>
<li>The reputation of the company&#8217;s public IP addresses, computed from a range of data, such as the number of complaints about spam, their appearance on blacklists used by internet and email service providers, bounce rates, etc.</li>
<li>Whether corporate email address protection measures (such as DMARC, DKIM, and SPF) are in place;</li>
<li>DNS analysis (whois, root and NS servers, verification of Start of Authority, MX records, etc.);</li>
<li>Whether company data is present on the Dark Web.</li>
</ul>
<p>Apart from this public-domain data, cyber rating platforms capture and analyze a large amount of exchanged data to determine, for example, , or the versions of browsers being used.</p>
<p>The algorithms used for such analysis are specific to each cyber rating platform, and the platforms then monetize the results by offering access to them as a subscription-based service.</p>
<p><strong>Companies, then, get to know their rating by subscribing to a cyber rating platform service!</strong></p>
<p>These scores are widely accessible, given that the rating can also be viewed by other players who subscribe to the platform. Firms can therefore compare themselves with competitors . Cyber insurers are also starting to take such ratings into account when calculating . But, more worryingly, it&#8217;s also easy to imagine that ratings might facilitate reconnaissance for cyber attackers, by helping them to target lower-rated companies—whose defensive measures are likely to be weaker.</p>
<p>Given all this, it seems <strong>essential that firms integrate the question of cyber ratings into their cybersecurity governance.</strong></p>
<h1>Some obvious limitations to the current cyber rating model</h1>
<p>To put it bluntly, a large part of the cyber community has serious reservations about cyber ratings; this mistrust can be summarized in the following view:</p>
<p><em>&#8220;How much confidence can be placed in a security level assessment carried out by a third-party algorithm, using only a selection of the relevant parameters, and with no control mechanism for the quality of information collected?&#8221;</em></p>
<p><em>There is still considerable work to do to perfect the model, which has a number of inherent flaws</em>; these, if not addressed, risk rendering the rating irrelevant:</p>
<ul>
<li>The rating doesn’t reflect a firm’s overall level of security. Many factors are ignored: internal network segmentation, system and data protection measures, detection capability, etc.;</li>
<li>The rating can be &#8220;polluted&#8221; by false positives: IP addresses or domain names that do not belong to the company (registration errors), traffic originating from sandboxes considered to be malicious, etc. This therefore requires the to carry out a degree of detailed work (the sorting of IP addresses, excluding certain data) in order to obtain as accurate a result as possible;</li>
<li>A lack of transparency about rating algorithms makes it difficult to evaluate the elements that have led to a given score, and to identify parameters where corrections are needed.</li>
</ul>
<p>It’s misleading to reduce a company’s entire level of security to a single score. Moreover, it wouldn’t be surprising in future to see players like Qualys propose taking into account the results of internal tests conducted on a company&#8217;s IS, in order to refine their rating systems.</p>
<h1>A wide range of use cases</h1>
<p>However, these limitations shouldn’t obscure <strong>the opportunities offered by subscribing to a cyber rating service</strong>.</p>
<p>The main argument advanced by cyber rating players is that a score represents a <strong>powerful and easy-to-understand indicator for senior management</strong>—a concept already well-established in finance but still lacking in cybersecurity. An improvement in the rating could also be used to justify and <strong>quantify the effectiveness of any corrective action plan</strong> applied to the company’s IS services.</p>
<p>In addition, cyber rating platforms make it possible to see how all the companies that have been assessed score, which enables a company to:</p>
<ul>
<li>Calibrate its performance against competitors on a common basis; and, potentially, to make an asset of cybersecurity for marketing purposes;</li>
<li>Assess its suppliers’ levels of cybersecurity maturity on a more objective basis than that of questionnaires completed for a Security Assurance Plan.</li>
</ul>
<h1>Cyber rating: an essential issue for companies</h1>
<p>Given the challenges firms face, and the opportunities on offer, <em>it seems inevitable that cyber ratings will take off</em>, something noted by ANSSI (the French National Cybersecurity Agency) in its strategic review of cyber defense: &#8220;<em>The major players in the field will therefore become benchmarks whose market position will be difficult to challenge.</em>&#8221;</p>
<p>Despite the current limitations, it’s vital that companies—some of whom are already talking about giving countries financial-sector-type cyber ratings—identify how such ratings could be used as an asset to increase awareness about cybersecurity among senior management, without, of course, stigmatizing .</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2019/09/cyberating-more-than-just-a-rating-a-vital-aspect-of-governance/">Cyberating: more than just a rating, a vital aspect of governance</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cybercrisis, a fully-fledged media topic</title>
		<link>https://www.riskinsight-wavestone.com/en/2018/04/cybercrisis-media-topic/</link>
		
		<dc:creator><![CDATA[Swann Lassiva]]></dc:creator>
		<pubDate>Sat, 14 Apr 2018 11:21:16 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Ethical Hacking & Incident Response]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[crisis]]></category>
		<category><![CDATA[crisis management]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[media]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=10728/</guid>

					<description><![CDATA[<p>Although they are based on similar objectives, methods and tools, crisis management and crisis communication necessarily appropriate the specifics of the issues they deal with to be relevant and therefore effective. In the case of a crisis of cyber origin,...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2018/04/cybercrisis-media-topic/">Cybercrisis, a fully-fledged media topic</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
<content:encoded><![CDATA[<p><em>Although they are based on similar objectives, methods and tools, crisis management and crisis communication must each adapt to the specifics of the issues they deal with in order to be relevant and therefore effective. A crisis of cyber origin, given its characteristics and its exposure to often large numbers of users, requires specific anticipation and preparation. The first step is understanding the expected scale of media exposure.</em></p>
<h2>Addressing the need to know and the need for reassurance</h2>
<p>Supported by the increased number of incidents and attacks on information systems, the cybercrisis has moved into the public realm. The democratisation of its vocabulary is a clear indicator of the place that this subject takes up in the media. Data leakage, ransomware, hacktivist, DDoS, phishing, whistle-blower, these terms have left the server rooms and specialist blogs to make their way into national newspaper columns and most people’s vocabulary. The cybercrisis is no longer a mere quality incident discreetly handled in-house but has become an event that arouses the interest of a broad audience. This interest transforms the cybercrisis into a communicational crisis. However, while this theme’s new popularity is logically transposing into an increase in coverage, other elements justify a significant increase in solicitations, whether internal or external to the organisation in crisis.</p>
<p>When the cybercrisis results in data leakage, for example, it is not only the subject of the crisis that is newsworthy, but its very object. In fact, when the data leaks or is stolen, its nature arouses curiosity, whether it is personal data, a State secret or simply a private conversation. This mechanic logically generates for many audiences both the need to know the unknown, and to make sure that they are not the victim. These two primary needs of curiosity and reassurance are the essential drivers of media coverage and more generally encourage the information consumer, the stakeholder, the client to fill that need and seek to obtain this information. The same logic assumes that the source of this information, in this case the legitimate data holder, addresses these requests and communicates on the incident.</p>
<p>Whether it’s strategic events such as presidential elections or everyday private conversations on digital media that are compromised, the crisis’ media effect is magnified by the extraordinary nature of the event. This is the result of both its supposed impossibility and the confidence that the public entrusts it. The sudden rupture of the trust placed in these &#8220;institutions&#8221; of major importance, erected in good stead in a 2.0 version of Maslow’s pyramid, then generates itself the interest and the need to know, translated into an explosion of the number of requests for information to the organisation in crisis.</p>
<figure id="post-10730 media-10730" class="align-none"><img fetchpriority="high" decoding="async" class="aligncenter wp-image-10730" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2018/05/Image1.png" alt="" width="600" height="497" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2018/05/Image1.png 1160w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/05/Image1-231x191.png 231w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/05/Image1-768x636.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/05/Image1-47x39.png 47w" sizes="(max-width: 600px) 100vw, 600px" /></figure>
<p style="text-align: center;"><em>Figure 1: Maslow Pyramid Example</em></p>
<h2>Communication war between the attacker and the communicator</h2>
<p>Cybercrisis communication is thus a specific exercise, given the subject it deals with but also the nature of the actors involved. In fact, when immeasurable sums of money are stolen without warning or institutions fall under &#8220;citizens&#8221; hacktivist attacks, opinion tends to sympathise with the attacker, perceived as a modern hero, a romantic pirate or an anonymous vigilante.</p>
<p>This public figure, aware of its image and the codes of the communication world, will of course be able to play this environment. Thus, the very methods of the attackers reinforce the central place of communication in the management of cybercrises. Attacks on political, ideological and militant grounds are no longer confined to the compromise of a system but send a message whose publicity must be maximised.</p>
<p>This obvious appropriation of activists’ specific methods is illustrated in several ways: prior warning of a DDoS, defacing a website, publication over time of proofs of a theft on social networks, dissemination of information such as compromising private mail conversations, etc. If the attackers have learned to maximize the reputational impact of their attacks, they also use this lever to disrupt their target’s crisis management and make a noise that will buy them time once their attack is discovered. While one of crisis management’s key success factors is regaining control of this rhythm and of the publication of new elements, the cybercrisis inevitably leaves this power to a malicious third party.</p>
<p>This third party can also, if the compromise goes deep enough, disable the company’s means of communication. At the very moment it needs to express itself urgently and widely, this can severely hinder the fluidity of its communication. Without email, how does it spread a message to employees? Without social networks, how does it stay close to the community and answer their questions?</p>
<h2>Restoring the trust relationship through communication</h2>
<p>Fascinated by the attackers and the magnitude of the attacks, the general public is nonetheless intransigent at a time when trust and data are the very value of a company. Intrinsically, preserving the first assumes the protection of the second. When the organisation fails to achieve this goal, crisis communication is the only one able to restore this relationship of trust on which depends the future of the relation with customers and partners, who will or will not continue to entrust their data or the management of their tools, as well as their services to an organisation.</p>
<p>This trust requirement also brings about, when it is broken, the search for someone to blame. Although the reality of the facts is much more complex, the general public will readily assume that information system attacks are made possible by exploiting a vulnerability, and therefore by a fault.</p>
<p>A data leak is thus perceived not only as an attack perpetrated by a malicious third party, but also as negligence in the defences of the company that is the victim of the theft. The latter is automatically designated as responsible and its reputation is logically impacted. Even as attackers have become professional, attacks have grown more complex and the absence of vulnerabilities is a myth, cyber-attacks are now a subject of crisis management and communication in their own right. Because of their potential impact on the general public’s daily life and therefore their newsworthy nature, they force the victim, considered to be co-responsible for its loss, to express itself.</p>
<h2>Try to Keep It Simple for Better Crisis Communication</h2>
<p>Beyond defining a clear, shared and timely strategy, managing a cybercrisis with its particular rhythm and the obstacles caused by the attackers must be accompanied by a special communication which implies a final effort: keeping it simple.</p>
<p>Confronted by a cybercrisis, like any type of crisis, communicating implies being able to translate the events and corrective actions into clear impacts and to address them in a coherent manner. Of course, the complexity of the terms and the mechanics of a cybercrisis makes this exercise tricky and is another particularity to take into account.</p>
<p>In this context, through their ability to translate the technical cause into business consequences and, more generally, into layman’s terms, the CISO and their team play a central role. During business as usual as well as in times of crisis, the CISO is responsible for translating the facts and technical components not only into business impacts but also into understandable and convincing impacts for diverse non-expert audiences. They may also have to draft, or even bear responsibility for, elements of crisis communication language, in the same way that a human resources representative is exposed during a social crisis.</p>
<p>Without presupposing their exposure on a major TV channel’s news programme, information security experts’ words will be expected on social networks, on professional networks, in the specialized press or in-house. In crisis communication, everyone is responsible for everything and everyone has to be prepared for it.</p>
<p>Thus, the subject of cyber carries a media power of its own, the immediate consequence of which is a considerable increase in expectations and requests to be informed, from different divisions of an organisation as well as from the public. If the impending occurrence of an information security incident calls for specific defence and continuity-of-operations planning, it also requires anticipation of these requests and active preparation for this overall communication effort.</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2018/04/cybercrisis-media-topic/">Cybercrisis, a fully-fledged media topic</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
