From day one at UpGuard, we have been all about visibility. Before you can automate, validate desired changes, or detect unwanted ones, you must first know what your infrastructure looks like; you need a starting point. We take the same approach to assessing cyber risk.
The UpGuard Website Risk Grader provides a low-friction way to get an initial assessment of a business's risk profile. An external assessment can only reach a fraction of the information needed to understand a business's breach risk, but it is a useful place to begin the process of becoming digitally resilient. An external scan is like the blood pressure machine at CVS: it can't hurt, it might get you thinking about your health, but it's no replacement for a visit to a real doctor.
For simplicity of presentation, UpGuard groups external scan information into three categories: Business, Communications, and Website.
Independent of how a website is implemented, there are breach patterns associated with a company's size, location, and sector. Facts such as past breach history and employee credentials lost in other organizations' breaches also contribute to a business's risk of breach, and we look at employee satisfaction as an indicator of insider risk. All of these facts are collected from trusted data sources and aggregated into the scoring under the "business" heading.
Ensuring communication authenticity helps mitigate the risk of phishing attacks and the reputational damage that follows them. Most of these checks are DNS lookups, and they yield risk factors about a company's ability to stop fraudulent email sent in its name. SPF records, DMARC, and DNSSEC are checked to validate that a company can protect its communication channels. Note that merely publishing a record is not the same as enforcing it: an SPF record ending in "+all" or a DMARC record with "p=none" is present in DNS but tells receivers to deliver spoofed mail anyway.
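As an added example (not UpGuard's scanner code), the following Python grades the SPF and DMARC records a scanner would retrieve for a domain. The TXT records are constructed inline in place of live DNS answers; the lookup_txt() stand-in, the severity labels, and the letter grades are this example's own choices, and DNSSEC, which needs a validating resolver, is not covered.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed TXT record sets standing in for DNS answers (not real domains).
# This example does no network I/O; to run it against a live domain, replace
# lookup_txt() with a resolver query, e.g. dnspython's dns.resolver.resolve(name, "TXT").
SAMPLE_ZONES: Dict[str, List[str]] = {
    "good.example":        ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s"],
    "weak.example":        ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "bad.example":         ["v=spf1 +all", "v=spf1 mx -all"],
    # bad.example publishes no _dmarc record at all
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query; [] means the name has no TXT records."""
    return SAMPLE_ZONES.get(name.lower(), [])


@dataclass
class Finding:
    severity: str  # "critical", "medium", "low" or "info" (this example's own scale)
    message: str


# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 s4.6.4 allows at most 10
SPF_LOOKUP_RE = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(:|=|/|$)")


def check_spf(domain: str) -> List[Finding]:
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return [Finding("critical", "no SPF record: receivers cannot reject forged envelope senders")]
    findings: List[Finding] = []
    if len(records) > 1:
        # RFC 7208 s3.2: more than one SPF record is a permerror, so none is honoured
        findings.append(Finding("critical", f"{len(records)} SPF records published; exactly one is allowed"))
    terms = [t.lower() for t in records[0].split()[1:]]
    lookups = sum(1 for t in terms if SPF_LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(Finding("critical", f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)"))
    # The trailing 'all' decides what happens to senders nothing else matched
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term in ("+all", "all"):
        findings.append(Finding("critical", "'+all' authorizes every host on the internet to send as this domain"))
    elif all_term == "?all":
        findings.append(Finding("medium", "'?all' is neutral: SPF gives receivers nothing to act on"))
    elif all_term == "~all":
        findings.append(Finding("low", "'~all' softfail: enforcement depends on the receiver and on DMARC"))
    elif all_term is None and not any(t.startswith("redirect=") for t in terms):
        findings.append(Finding("medium", "no 'all' mechanism: unmatched senders get an implicit neutral result"))
    if any(t.lstrip("+-~?").startswith("ptr") for t in terms):
        findings.append(Finding("low", "'ptr' mechanism is deprecated by RFC 7208 and should be removed"))
    return findings


def check_dmarc(domain: str) -> List[Finding]:
    records = [r for r in lookup_txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not records:
        return [Finding("critical", "no DMARC record: receivers get no policy for mail failing SPF/DKIM alignment")]
    tags: Dict[str, str] = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("medium", "p=none only monitors: spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("low", "p=quarantine: spoofed mail goes to spam rather than being rejected"))
    elif policy != "reject":
        findings.append(Finding("critical", f"missing or invalid policy tag p={policy!r}"))
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(Finding("low", f"pct={pct}: policy applies to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("info", "no rua= address: no aggregate reports, so no visibility into abuse"))
    return findings


SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "critical": 3}
GRADE_FOR_RANK = {0: "A", 1: "B", 2: "C", 3: "F"}


def grade_domain(domain: str) -> dict:
    """Grade a domain by its worst email-authentication finding."""
    findings = check_spf(domain) + check_dmarc(domain)
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    return {"domain": domain, "grade": GRADE_FOR_RANK[worst], "findings": findings}


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "bad.example"):
        result = grade_domain(name)
        print(f"{name}: grade {result['grade']}")
        for f in result["findings"]:
            print(f"  [{f.severity}] {f.message}")
```

The grade is driven by the worst finding rather than an average, because one "+all" or a missing DMARC record undoes everything else in the record set. DKIM is deliberately absent: its public keys live under per-selector names that an external scanner cannot enumerate without first seeing signed mail from the domain.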
The set of externally visible technical risks is diverse but, unfortunately, the assurance it can give is fairly shallow. Hackers don't just "break in" and grab your data like a burglar taking your wallet; they work their way through systems by exploiting a series of weaknesses, most of which are not visible from outside. As a result, most technical risk factors can only be assessed internally, which UpGuard does with its internal scan. The "Website" category includes information on encryption, exposed server information, and domain expiration.
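To make the "Website" category concrete, here is an added example (not UpGuard's code) that inspects a constructed HTTPS response for exposed server information and a missing HSTS header, and flags a domain registration that is about to lapse. The sample headers, the dates, and the severity labels are assumptions for illustration; a real scanner would take the headers from a HEAD request and the expiry date from WHOIS or RDAP.

```python
import re
from datetime import date
from typing import Dict, List, Tuple

# Constructed response head, as a HEAD request over HTTPS might return it.
# Not captured from any real site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=UTF-8
"""

# Constructed dates for the expiry check (assumed, not from a real registration)
SAMPLE_TODAY = date(2018, 1, 1)
SAMPLE_EXPIRY = date(2018, 1, 20)

# Headers that commonly leak software identity; an exact version inside them is worse
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)*")

Finding = Tuple[str, str]  # (severity, message); the scale is this example's own


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response head into lower-cased header name -> list of values."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_exposed_server_info(headers: Dict[str, List[str]]) -> List[Finding]:
    """Flag headers that tell an attacker which software, and which version, to target."""
    findings: List[Finding] = []
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            if VERSION_RE.search(value):
                findings.append(("medium", f"{name} reveals an exact version: {value}"))
            else:
                findings.append(("low", f"{name} reveals the software in use: {value}"))
    return findings


def check_transport(headers: Dict[str, List[str]], served_over_https: bool) -> List[Finding]:
    """Encryption checks visible from the response alone."""
    findings: List[Finding] = []
    if not served_over_https:
        findings.append(("critical", "site served over plain HTTP: traffic can be read and altered in transit"))
    elif "strict-transport-security" not in headers:
        # Without HSTS a user typing the bare hostname reaches the site over plain
        # HTTP first and can be intercepted before the redirect to HTTPS happens
        findings.append(("medium", "no Strict-Transport-Security header: first visit can be downgraded"))
    return findings


def check_domain_expiry(expires: date, today: date, warn_days: int = 30) -> List[Finding]:
    """A lapsed registration lets anyone re-register the domain and take over mail and web."""
    days_left = (expires - today).days
    if days_left < 0:
        return [("critical", f"domain registration expired {-days_left} days ago")]
    if days_left <= warn_days:
        return [("medium", f"domain registration expires in {days_left} days")]
    return []


def main() -> List[Finding]:
    headers = parse_headers(SAMPLE_RESPONSE)
    findings = (check_exposed_server_info(headers)
                + check_transport(headers, served_over_https=True)
                + check_domain_expiry(SAMPLE_EXPIRY, SAMPLE_TODAY))
    for severity, message in findings:
        print(f"[{severity}] {message}")
    return findings


if __name__ == "__main__":
    main()
```

Version strings in Server or X-Powered-By do not by themselves make a site vulnerable, which is why they are rated below a plaintext site or an expired domain, but they let an attacker skip straight to the exploits that match.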
Visibility and Accountability
In addition to performing checks on risk factors, the UpGuard scan includes information that is neither good nor bad but may be surprising to business leaders. For example, we do not mark down your score for the third-party scripts a site loads, but domain owners may be surprised to learn which providers are embedded on their site (and, by extension, whose risk they are assuming).
Managing Risk Together
Defending against cyber breaches is a war on many fronts against human adversaries. Most importantly, it is one that requires business and IT leaders to work together to understand and manage their risk. UpGuard's external scanner provides a way to start that conversation and find quick wins. For businesses serious about becoming resilient, however, the external scan is just the starting point; they will want to go beyond easily available data sources to the true health of their systems.