What's In the Website Risk Grader?

Posted by UpGuard

From day one at UpGuard, we have been all about visibility. Before you can automate, validate desired changes, or detect unwanted ones, you must first know what your infrastructure looks like; you must have a starting spot. We take the same approach to assessing cyber risk.

The UpGuard Website Risk Grader provides a low-friction way to get an initial assessment of a business' risk profile. While external assessments can only access a fraction of the information needed to understand a business' breach risk, they can provide a useful starting point to begin the process of becoming digitally resilient. An external scan is like the blood pressure machine at CVS: it can't hurt, it might get you thinking about your health, but it's not a replacement for a visit to a real doctor.

For simplicity of presentation, UpGuard groups external scan information into three categories: Business, Communications, and Website.



Business

Independent of a website's implementation, there are breach patterns associated with a company's size, location, and sector. Additionally, facts like past breach history and credentials lost in other breaches contribute to a business' risk of breach. We also look at employee satisfaction as an indicator of the risk of internal actors. All of these facts are collected from trusted data sources and aggregated into the scoring under the "business" heading.



Communications

Ensuring communication authenticity helps mitigate the risk of phishing attacks and reputational damage. Most of these checks originate in DNS checks and result in risk factors related to a company's ability to protect against fraudulent emails in their name. SPF records, DMARC, and DNSSEC are checked to validate that a company can protect its communications channels.
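The following added example (not UpGuard's code or scoring logic) shows one way an external check can flag weak SPF and DMARC policies once the TXT records have been fetched. The function names, domains and records are constructed for illustration, and DNSSEC validation is left out because it needs a live resolver.

```python
# Added example: constructed TXT records for placeholder domains, no DNS lookups.
def spf_findings(txt_records):
    # Keep only TXT strings whose first term is exactly "v=spf1" (RFC 7208).
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers return permerror"]
    terms = spf[0].lower().split()[1:]
    qualifier = {"all": "+", "+all": "+", "?all": "?", "~all": "~", "-all": "-"}
    final = [qualifier[t] for t in terms if t in qualifier]
    if not final:
        if any(t.startswith("redirect=") for t in terms):
            return ["policy delegated by redirect=: evaluate the target record"]
        return ["no 'all' mechanism: unmatched senders get a neutral result"]
    if final[0] == "+":
        return ["'+all' authorizes every host to send as this domain"]
    if final[0] == "?":
        return ["'?all' is neutral: spoofed mail is not flagged"]
    return []  # ~all (softfail) or -all (fail)

def dmarc_findings(txt_records):
    # txt_records are the TXT strings published at _dmarc.<domain>.
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record at _dmarc.<domain>"]
    tags = {k.strip().lower(): v.strip().lower()
            for k, _, v in (p.partition("=") for p in recs[0].split(";"))
            if k.strip()}
    findings = []
    policy = tags.get("p", "missing")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: mail failing DMARC is still delivered")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    return findings

SAMPLE = {  # constructed records: (TXT at the domain, TXT at _dmarc.<domain>)
    "weak.example": (["v=spf1 include:_spf.weak.example +all"],
                     ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"]),
    "strong.example": (["verification=constructed", "v=spf1 ip4:192.0.2.0/24 -all"],
                       ["v=DMARC1; p=reject; pct=100"]),
}

def grade(domain):
    apex_txt, dmarc_txt = SAMPLE[domain]
    return spf_findings(apex_txt) + dmarc_findings(dmarc_txt)
```

An empty list from `grade` means neither check found a weak policy; it says nothing about whether the records list the right sending hosts.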

Website

The set of technical risks that are externally visible is diverse but, unfortunately, fairly shallow in terms of the protection it can guarantee. Hackers don't just "break in" and grab your data like a burglar taking your wallet; they work their way through systems by exploiting a series of weaknesses. As a result, most of the technical risk factors can only be assessed internally, which UpGuard does with its internal scan. The "Website" category includes information on encryption, exposed server information, and domain expiration.


Visibility and Accountability

In addition to performing checks on risk factors, the UpGuard scan includes information that is neither good nor bad but may be surprising for business leaders. For example, we do not mark down your score based on the third-party scripts being used, but for domain owners it may come as a surprise to learn which providers are embedded on their site (and, by extension, whose risk they are assuming).



Managing Risk Together

Defending against cyber breaches is a war with many fronts against human adversaries. Most importantly, it is one that requires business and IT leaders to work together to understand and manage their risk. UpGuard's external scanner provides a way to start that conversation and find quick wins. For businesses serious about becoming resilient, however, the external scan is just the starting point; they will want to go beyond easily available data sources to the true health of their systems.


Topics: CSTAR, webscan
