Updated on June 18, 2017 by UpGuard
As much as "cyber risk" sounds like a 1990s board game involving robots, cyber risk is actually serious business—in fact, it is continually becoming more important as organizations old and new find themselves relying on a variety of connected technologies and services. And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.
So what is cyber risk, and what can be done about it?
Put simply, cyber risk is the risk of damage or interruption to your IT systems. And that damage can take a number of forms such as service outages, unplanned work, and more noticeably, data breaches involving customer records or other important business information. Any one of these situations can have catastrophic results, not only in capital spent recovering from the damage, but in the loss of trust in your company going forward. In particularly massive breaches such as the infamous Target breach of 2013, the lasting brand damage and loss of business over time may make the true cost of the breach incalculable.
But contrary to what many vendors may tell you, there’s no silver bullet for cybersecurity, and there’s no cure-all you can deploy to make cyber risk a non-issue. The best professionals know this already and attempt to acknowledge the risk that comes with being connected, understand where risk exists and why, do their best to remediate and defend against incidents, and have an insurance policy in place if the worst happens. Understanding that risk and its causes is the cardinal idea behind our CSTAR scoring mechanism.
We didn’t invent the concept of quantifying cyber risk, but we are the only solution that bases our calculations on living, internal, policy-based assessments of the systems directly powering your business.
Cyber Risk, Then and Now
At the time of Target’s breach, the company had $100 million in cyber risk coverage with a $10 million deductible. They tried to acquire more insurance but couldn’t—the problem being that insurers couldn’t accurately gauge the amount of risk in such a large and ever-changing infrastructure.
Gut Feelings and Tapping On the Window
Previously, cyber risk was assessed using a few indicators, the first being contextual information. This is publicly available information such as the business’s size, location, and sector. Retail, finance, and healthcare businesses are known to have a greater likelihood of breach than, say, a laser tag arena. Several products take this approach and spice it up with machine learning and programmatic gathering of additional data such as breach history among industry peers. Contextual information is useful, but not nearly enough data to make a fair and accurate determination of risk.
Another source of information is the employee survey. Believe it or not, multiple choice surveys given to employees about their perception of the company’s cybersecurity efforts are used by some to determine risk. And while a large number of employees reporting a lack of faith in their cybersecurity is a red flag that must be addressed, it is still simply conjecture and by no means an accurate risk measurement tool for the entire organization.
The third method insurers have used is external testing. This involves hiring a firm to attempt to “break in” to a company’s infrastructure from the outside, as an intruder might. Certainly, glaring security holes will be found and addressed through this method, but this type of penetration testing should happen anyway in any well-cared-for infrastructure, and isn’t a reliable indicator of potential future risk.
What the Game’s Been Missing
Even when the above three types of data are combined, insurers still don’t have the complete picture. Think of the organization applying for cyber insurance as if it were you applying for personal health insurance. Contextual information is the neighborhood you live in and your living situation, the survey is “How’s your diet? Feeling okay?” and external testing is banging on your knee a couple times to test your reflexes. What we’re missing is what’s happening inside.
UpGuard bases its CSTAR calculations on thorough internal configuration and vulnerability scans of the devices and servers that run your business.
The CSTAR formula is a one-of-a-kind weighting of known software vulnerabilities present on your systems, the rate of configuration change on those systems, the number of those changes which were anticipated and acceptable (as well as those which were not), and the frequency of scans. The result is a single, easy-to-understand score that represents in the simplest of terms your ongoing cyber risk posture, and has the added benefit of bringing CEOs, CROs, and CFOs into this pivotal discussion. And just as importantly, insurers for the first time have an accurate picture of the state of an organization’s infrastructure and can price their policies accordingly.
The UpGuard dashboard displaying the CSTAR score
The wheel and accompanying menus around your CSTAR score allow you to drill down into the factors that constitute the total score. There are no secret attributes or guesswork when it comes to determining your CSTAR rating—your executive team can view the dashboard at any time and understand exactly which aspects of your infrastructure contribute to your risk rating, enabling you to make smart decisions about how to manage your risk going forward. This is complete visibility from the 30,000-foot view of the organization as a whole, all the way down into the individual configurations of every device under your purview.
A “group diff” identifying anomalies across many servers at once
The full report can be broken down into individual data points or even tasks, and then used by IT teams to remediate potential risk points identified by UpGuard and improve your CSTAR score. As time progresses and your organization lessens your risk potential and improves your score, that change will be reflected in lower insurance costs.
The threat landscape has changed, and businesses must be vigilant in preventing unplanned outages and data breaches that could stop business in its tracks. UpGuard's CSTAR is the only scoring mechanism of its kind—one which evaluates your infrastructure from the inside out. See how it works and get started today.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.