Imagine having a more detailed view of your attack surface: not only the vulnerabilities and risks associated with your own activities, but also a way to visualise the external threats to, and security performance of, your suppliers, customers and other third parties. Viewing aggregated risk assessment information within a cyber threat ratings and intelligence platform supports more informed, data-driven decisions. When the results are shared, trading partners can work towards increased levels of mutually assured protection.
Combining Vulnerabilities with Cyber Threat Intelligence
I’m currently working on a project to establish the resilience and cyber security posture of hundreds of financial sector organisations using the same methods of measurement.
These organisations are all FCA regulated and are (or should be) working within the parameters laid out in the CQUEST/CBEST assessment guidelines produced by the FCA and the PRA.
2019 saw cyber-attacks increase across the financial sector, and there is now a firm emphasis on examining financial institutions and their resilience to cyber-attack.
The findings of my project so far are quite worrying. Having tested physical technologies and digital footprint for vulnerabilities, and then combined the results with threat information specific to the financial sector, I am seeing a trend towards approximately 70% of the organisations evaluated scoring poor or very poor, which is a definite concern for an industry that is already confirmed as a prime target for cyber-crime.
Whilst this project is focused on the financial sector, the assessment method and tools used can easily be applied to measure the risks associated with any business. Using the same audit process, it is therefore possible to evaluate the single or aggregated risks presented to your own business by any and all of the organisations you work with.
Cyber Ratings & Threat Intelligence Platform
The cyber ratings platform I am using to perform the audits is extremely powerful. It combines the identification of technology vulnerabilities and configuration flaws with threat intelligence to produce a consistent, repeatable cyber risk rating, and is a significant step forward for anyone trying to understand, from a cyber security perspective, the complex relationships between businesses (think supply chains, or linked organisations within a group of companies).
The results data produced in this exercise has been extremely insightful, and it is very apparent that there is a real need for a cyber ratings standard across all sectors of industry. This would drive us all towards improved cyber security and afford better, more informed decision making. For example, in the same way you credit check a new supplier or customer, why not also check their cyber security posture and assess the risks properly? There are also obvious benefits for cyber insurance: it would be hugely beneficial for both underwriter and policyholder to have a standard approach to measuring risk, ensuring that pricing and cover are fair and adequate.
Due Diligence Benefits
There are huge benefits to be gained from the use of cyber risk ratings, and they should probably form part of any due diligence process undertaken by businesses with a mature and inclusive approach to taking responsibility for the security of their organisation. Consistent insight into the risks associated with your commercial partners, and the ability to make better decisions quickly and efficiently, is critical to a successful and healthy information security programme and better protects the organisation's critical data and commercial reputation.
If you would like to understand how your business could be affected by threats unique to your industry, or how seriously the businesses you deal with treat cyber security, please get in touch via our website and I would be delighted to provide an insight into the benefits of this technology.
Alternatively, you can register for your free report via our contact page here: https://ng-it.co.uk/contact-us/
Blog written by Howard Johnson, Cyber Practice Lead – https://www.linkedin.com/in/johnsonhoward/
Further Reading:
The FCA, Building Cyber Resilience – https://www.fca.org.uk/news/speeches/building-cyber-resilience
Cyber Security in Supply Chain – https://www.ncsc.gov.uk/collection/supply-chain-security/assessing-supply-chain-security
What is Threat Intelligence? – https://www.crest-approved.org/wp-content/uploads/CREST-Cyber-Threat-Intelligence.pdf