2 Distrustful companies, uneven solutions

While a growing number of companies of all sizes have understood the importance of a controlled cyber rating, some still perceive it as an intrusion... Julien Steunou, Associate Director - SOC CERT CWATCH at Almond, a Board Of Cyber partner, points out that "the whole business of cyber rating agencies is to sell ratings to whoever wants to buy them". The activities of these agencies do not, however, represent the entire world of cyber rating.

Whether it's used to determine the amount of an insurance premium, to award a public contract or to value a company prior to its acquisition, cyber rating, if not taken into account, can become a real handicap. A company that neglects its cyber posture today can suffer the consequences, as some potential customers or partners may consider it too risky to work with it.

So it's time to remove some of the obstacles and show organizations that objective knowledge of their own cyber performance is an opportunity that needs to be prepared for.

The origins of mistrust

Cyber rating is based on a combination of three activities:

A mapping of the company's technical assets that are discoverable from open sources (domain names, public IP ranges, websites, etc.);

The collection of public data on these technical assets to detect traces of possible malicious activity (e.g. a website distributing malware), and simple tests to assess the rigor of configurations (SSL/TLS, SPF, etc.);

An overall algorithmic analysis that produces a cyber score, combining negative and positive elements associated with the organization's technical assets with more behavioral criteria, such as responsiveness to a cyber incident.

The main challenge is ensuring that the mapping yields the right perimeter to rate. Fully automated asset mapping can lead to bizarre situations, such as a company discovering that its cyber rating is wrong because it was confused with a company of the same name. For several years now, these errors, even if anecdotal, have been damaging the image of cyber rating, which is all too often perceived as a mere score, when it should be a path to cyber resilience for organizations and a new means of creating ecosystems of trust.
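The three activities above, and the perimeter problem just described, as an added illustration that is not the rating algorithm of Board Of Cyber or any rating agency: constructed findings for hypothetical domains are scored only if the asset belongs to a confirmed perimeter, SPF strictness and the minimum TLS version accepted are turned into positive or negative points, and a homonym that automated mapping could wrongly attach is excluded rather than rated.

```python
import re

# Constructed sample data (hypothetical domains, not real assets).
# The confirmed perimeter is what a human has validated as belonging to the company.
CONFIRMED_PERIMETER = {"example-corp.test", "mail.example-corp.test"}

SAMPLE_FINDINGS = [
    {"asset": "example-corp.test", "spf": "v=spf1 include:_spf.example.test -all",
     "tls_min": "TLSv1.2", "malware_seen": False},
    {"asset": "mail.example-corp.test", "spf": "v=spf1 +all",
     "tls_min": "TLSv1.0", "malware_seen": True},
    # Same-name homonym that a fully automated mapping could attach by mistake.
    {"asset": "example-corp-homonym.test", "spf": None,
     "tls_min": "SSLv3", "malware_seen": True},
]


def spf_score(record):
    """Score SPF strictness from the qualifier on the 'all' mechanism (higher = stricter)."""
    if not record or not record.lower().startswith("v=spf1"):
        return -2  # no SPF record at all: the domain is trivially spoofable
    m = re.search(r"(?:^|\s)([-~?+]?)all\b", record)
    # RFC 7208: no 'all' mechanism means the result defaults to neutral ('?').
    qualifier = m.group(1) if m else "?"
    return {"-": 2, "~": 1, "?": 0, "+": -3}.get(qualifier, 0)


def tls_score(version):
    """Penalise obsolete protocol versions still accepted by the server."""
    weak = {"SSLv2": -3, "SSLv3": -3, "TLSv1.0": -2, "TLSv1.1": -1}
    return weak.get(version, 1)


def rate(findings, perimeter):
    """Combine per-asset signals into one score, rating only confirmed assets."""
    in_scope = [f for f in findings if f["asset"] in perimeter]
    excluded = [f["asset"] for f in findings if f["asset"] not in perimeter]
    score = 0
    for f in in_scope:
        score += spf_score(f["spf"]) + tls_score(f["tls_min"])
        if f["malware_seen"]:
            score -= 5  # trace of malicious activity outweighs configuration points
    return {"score": score, "assets_rated": len(in_scope), "excluded": excluded}


if __name__ == "__main__":
    print(rate(SAMPLE_FINDINGS, CONFIRMED_PERIMETER))
```

The excluded list is the part worth reviewing by hand: an asset left out because it was never confirmed is a mapping question, not a rating result.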

Finally, the tests carried out only cover public data, so they cannot uncover every type of risk the company faces, nor the measures the company has taken to strengthen its defenses: deployment of strong authentication, backup configuration, EDR rollout, etc.

It should be noted, however, that this "external" view of the cyber posture is the view your ecosystem has of you... and the view attackers rely on when deciding which companies or organizations to prioritize.
