To that end we use, in parallel, a number of complementary technologies. For the purpose of this article the most important one is an adaption of BitSight’s cyber risk rating service which we use to continuously monitor and rate our exposure to the internet. Similar to personal credit ratings, BitSight Security Ratings range from 250 to 900, with a higher rating equating to better overall security posture. A similar rating approach is used for all other risk vectors and sub-vectors.

In addition to BitSight, we use CyCOGNITO for attack surface testing to uncover blind spots and mitigate internet exposed attack vectors.

The CyW Team uses the CyberWatch online risk heatmaps (on our internal portal and on many strategically placed wall screens—see figure above for the “Cyber Hygiene: EXTERNAL”, for a hypothetical company “XPTO”, and based on BitSight’s cyber risk rating service) and comprehensive daily Excel reports that target all relevant stakeholder teams: internet exposed infrastructure, certificate management, desktop management, window server management, internal network management, clear attribution of responsibility, continuously updated and reliable metrics are key to sound governance.

We apply a similar approach on our inside infrastructure (Cyber Hygiene: INTERNAL) covering managed and unmanaged endpoints and servers, databases, network, and security assets. Like for the EXTERNAL case, we track metrics related to COMPROMISED SYSTEMS, TECHNICAL DILIGENCE and, when applicable, USER BEHAVIOR.

For each of the risk vectors (sub-vectors) tracked by CyberWatch, we follow an Ishikawa diagram aggregating basic metrics to the risk rating contributed by that vector (sub-vector). For example, the figure below shows the Ishikawa diagram for the sub-vector: Endpoints: Managed, with an aggregated weight of 15 percent.

As with the EXTERNAL Cyber Hygiene case the CyW Team has online heatmaps and focused reports to interact with all relevant stakeholders to put pressure on eliminating risks and, therefore, continuously improve our overall risk posture.

In the case of the “Cyber Hygiene: USERS” risk vector we follow a comprehensive program of cyber security awareness that include an eLearning program and periodic simulated phishing attacks. We keep track of progress and attribute a risk rating weighting 8 percent in our overall risk score. We handle high risk users (such as those with access to privileged accounts) differently from lower risk users (such as those limited to highly restricted sub-networks) being far more strict to the former.

Last but not Least

Even with all cyber risk inhibitors in place (even those with a high level of cyber hygiene), you cannot exclude the possibility, however unlike, of being seriously attacked! So you need to be ready for that event! Make sure that your network and IT infrastructure are not excessively homogenous to limit the impact of a future zero-day attack. If all your endpoints and servers are of brand “X” a competent attack on a zero-day vulnerability in brand “X”’s operating system could have serious consequences to the survivability of your company. Make sure that at least your BACKUP and MIDDLEWARE infrastructures are based on a different operating system!

And, in preparing your organization for a future severe attack, who are your “fire fighters”? Do you have your own CYBER SECURITY INCIDENT RESPONSE TEAM? Are they ready? Are they capable? Do you periodically test them in RED TEAM vs. BLUE TEAM exercises? If you don’t, how can you rate them within your overall cyber risk rating?

Finally, your BACKUP infrastructure must be SACROSANCT! And make sure you have the right metrics and KPIs to bring any potential problems to the attention of the right stakeholders.