In October 2018, FICO, the consumer credit scoring specialist, began scoring the cybersecurity of companies based on a scan of their internet-facing vulnerabilities. FICO grades companies on a scale modeled on the one familiar from consumer credit. The resulting scores can then be used to compare a company's security risk against that of its competitors.
This announcement has the potential to be a sea-change event in cybersecurity. In the same way that credit scores now influence decisions as diverse as dating suitability and employment eligibility, publicly available security scoring has the potential to leak out of the IT department and affect a wide range of corporate interests.
Many companies treat their woeful lack of security hygiene as a dirty little secret that they hope will never see the light of day.
A recent Trustwave survey of 126 security professionals found that, despite having security staff, 20 percent of companies do no vulnerability testing at all. Sixty-six percent test, but less often than every six months. Best practice recommends scanning somewhere between monthly and daily, depending on the environment. These companies treat cybersecurity like a cookie dropped on a grimy floor: if nobody is looking, the five-second rule becomes very flexible. FICO's move to make security posture publicly visible shines a spotlight on these questionable practices.
Consider a series of examples of how security scoring is likely to affect business operations well beyond the IT department.
In the services industry, contractors who perform remote maintenance and support can act as vectors for the spread of infection. After touching somebody else's infected network, the contractor's own systems become infected, and those same systems are what the contractor then uses to connect into your network and probe the problem you reported.
Before hiring a contractor, wouldn't it make sense to look at an unbiased metric of their security practices? Without doubt, if you ask directly, they will give you the glossy vacation-brochure version of their policies. But looking at how well they manage their own systems tells you far more about the kind of caution they will exercise with yours.
In a 2017 BitSight investigation of 1,600 federal contractors, eight percent of health care contractors reported breaches. Law firms, likewise, are being asked by their clients to strengthen their cybersecurity in order to protect client data.
In manufacturing, imagine that you rely on a supplier to deliver goods just in time for your assembly line, but your shipping partner is focused on transportation and pays very little attention to cyber hygiene.
That is exactly what happened when a container shipping company was overrun by NotPetya in 2017. NotPetya posed as ransomware, but paying the ransom offered no real path to recovery; in practice it behaved as a wiper. As a direct result, the company had to rebuild 4,000 servers and 45,000 PCs before it could restore operations, a heroic effort that took 10 days. During that time, the company and its customers were dead in the water.
Imagine a turn of events where every prospective supplier is judged not only on the merits of its business but can be disqualified outright by its security score. The potential for bad actors, from nation states down to latchkey high schoolers, to take down a multinational company through a careless supplier is simply too great to be left to chance.
And finally, there is the issue of litigation. To date, bringing legal action on behalf of investors after a breach has been extremely expensive. Only the most well-funded legal teams could realistically pin the blame for a breach on management. But the task of establishing executive negligence becomes much easier when the results of an independent security assessment can be had for a very affordable price.
Imagine a breach or ransomware attack that materially undermines a company's stock price (think Target, TJ Maxx, Home Depot). If the company had a below-average security score and had also purchased insurance against cyber incidents, it becomes far easier to argue that the executives were aware of the risk and elected not to address it.
But there is good news at the bottom of this barrel. Pay FICO for your company's score and for those of your major suppliers. That information builds the case for your internal security program and makes the case that your suppliers need to up their game as well.
Tripwire can help. Our tools identify vulnerabilities and can be instrumental in setting up a program of cyber hygiene that addresses this issue. The Online Trust Alliance's 2018 report found that 93 percent of breaches could have been prevented with effective cyber hygiene. Tripwire can help you get started.