Internal and External cyber risk score for enterprise: A comparison

With the advancements in technology, such as the rapid increase in computer systems, Internet, and wireless systems, cybersecurity is now of growing importance. Cyberattacks have gradually transformed from being theft-driven to meticulously planned hacks of a greater magnitude that have the power to manipulate organizational data, causing severe disruptions. Many companies have recently been targets of crimes such as the WannaCry ransomware, which impacted businesses in about 100 countries.

For enterprises, all this poses new challenges related to collaborations, vendor risk management, continuous assessment of their IT assets, and so on.

As a result, enterprises are on the lookout for third-party providers that develop a quantitative analysis of their cybersecurity posture that is accurate and easy to understand. A variety of products having numerous distinct features deliver in this domain. All of them aim to make the IT infrastructure of an enterprise cyber-resilient.

However, they differ in their approach. Some apply intrusive methods, i.e., scanning an enterprise’s internal IT assets for vulnerabilities, while others rely on non-intrusive methods such as collecting data about the enterprise’s externally observable footprint. The collected data is then consolidated and analyzed to produce a comprehensive cyber risk posture of the enterprise.

This analysis is then reported to the enterprise in the form of a security metric that could be a rating/score/grade/percentile signifying the enterprise network’s preparedness against cyberattacks or a measure of any other aspect of cybersecurity. Some vendors also use graphs or heatmaps in their reports to determine the severity of the vulnerabilities in their client’s network.

Internal Cyber Risk Scoring (Intrusive)

This process can be divided into several steps to obtain maximum efficiency. It is a cycle that should be followed continuously to stay protected from attacks.

  1. First, the devices on the network are scanned. This can be done with the help of third-party systems. It gives an overview of the entire network, its connections, and the devices attached to it.
  2. Next, the vulnerabilities found are prioritized according to their severity, i.e., the more critical vulnerabilities are given priority over the less critical ones.
  3. These vulnerabilities are assessed and assigned a security metric (rating/score/grade/percentile), and this analysis is reported to the enterprise.
  4. After reporting the security flaws, some providers also suggest steps to remediate them. The list of remediations may also be prioritized.
  5. Finally, tests may be carried out to verify whether the patches were successful.
  6. The process may repeat itself to provide enterprises with a continuous and real-time assessment of their cybersecurity posture.
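As an added example (not part of the article, and not any vendor's product), the following Python models one turn of this internal cycle on constructed scan findings: prioritize by severity, derive a score and grade, and verify a rescan to see which findings were actually remediated. The severity weights, grade bands and issue identifiers are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Weights and ranks per severity band are assumptions for this example.
SEVERITY_WEIGHT = {"critical": 10, "high": 6, "medium": 3, "low": 1}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str      # constructed placeholder id, not a real CVE
    severity: str   # one of the SEVERITY_WEIGHT keys


def prioritize(findings):
    """Step 2: most critical first; ties broken by host/issue so reports are stable."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.issue))


def score(findings, hosts_scanned):
    """Step 3: 0-100 score. Exposure is weighted findings per scanned host, so one
    noisy host does not dominate; the floor at 0 keeps a badly exposed estate in range."""
    if hosts_scanned <= 0:
        raise ValueError("hosts_scanned must be positive")
    exposure = sum(SEVERITY_WEIGHT[f.severity] for f in findings) / hosts_scanned
    return max(0, round(100 - exposure * 5))


def grade(s):
    """Letter grade for the reported metric (bands are an assumption)."""
    return "A" if s >= 90 else "B" if s >= 75 else "C" if s >= 60 else "F"


def verify(before, after):
    """Step 5: compare a rescan with the prior scan; returns (fixed, remaining, new)."""
    b, a = set(before), set(after)
    return b - a, b & a, a - b


# Constructed sample data: first scan and the rescan after remediation.
FIRST_SCAN = [Finding("web-01", "PH-001", "critical"), Finding("web-01", "PH-002", "medium"),
              Finding("db-01", "PH-003", "high"), Finding("mail-01", "PH-004", "low")]
RESCAN = [Finding("web-01", "PH-002", "medium"), Finding("mail-01", "PH-004", "low"),
          Finding("web-01", "PH-005", "low")]

if __name__ == "__main__":
    for f in prioritize(FIRST_SCAN):
        print(f"{f.severity:8} {f.host:8} {f.issue}")
    s = score(FIRST_SCAN, hosts_scanned=4)
    print("score", s, "grade", grade(s))
    fixed, remaining, new = verify(FIRST_SCAN, RESCAN)
    print("fixed", sorted(x.issue for x in fixed), "new", sorted(x.issue for x in new))
```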

External Cyber Risk Scoring (Non-Intrusive)

“65% of companies that reported sharing customer data with a partner also reported subsequent breach through that partner.”

Security practices in large organizations are challenging to assess. The challenge is even greater when organizations turn to third parties to provide technology and business services, which typically requires tight network integration and sharing of confidential data, thereby potentially increasing the organization’s attack surface. Hence, there is a need for an approach to the problem of understanding and mitigating security risks in organizations.

This non-intrusive approach addresses the need by presenting a rigorous, data-driven method for assessing organizational risk vectors. The technique can inform an organization about the risks posed by its third-party vendors. It can help it better understand its risk profile, ultimately guiding on improving the security of its internal networks.

Risk Factors

This method uses risk vectors that can be measured externally and objectively and show how they correlate with actual security incidents. Most risk vectors may not be able to cause malware infections directly; instead, they are indicators of conditions in an organization that may lead to malware infection or other security problems.

Breach disclosures, configuration parameters, email viruses, user behavior, underground hacker groups, etc., are data sources that may indicate any malicious activity happening in an organization’s network. The final reports may include the cyberhealth of an organization across these risk factors.

Observations and Conclusion

Both internal and external methods of data collection and scoring aim to evaluate a company’s potential risk. Companies usually turn to external evaluation providers to learn about the cybersecurity posture of their third- or fourth-party vendors and decide whether to do business with them.

This is similar to a credit score. By contrast, companies that want to understand their own cyber health and don’t have the means to do it themselves turn to providers that perform internal assessments. Such providers may also suggest a prioritized list of remediations for any vulnerabilities found.

However, the key differentiator is that the external analysis identifies statistical correlations rather than analyzing direct causation, which happens during the internal assessment of the IT assets of an organization.

Providers of an external score argue that correlating security ratings with actual outcomes yields information sufficient to assess an organization’s security maturity using only externally available data. However, it is apparent that if tools are placed inside the firewall of a network to collect more data, the score could be more accurate.

Nevertheless, it has been seen that both these methods of evaluation produce almost the same results.