SecurityScorecard: Graded Ratings Help Companies Improve Server Resilience as Regulations Tighten

TL;DR: SecurityScorecard helps enterprises assess cybersecurity resilience for purposes ranging from self-monitoring to securing an insurance policy. Since its launch in 2014, SecurityScorecard has rated cybersecurity levels for more than 11 million entities across 17 vertical sectors and global industrial categories. It also offers a portfolio of supporting products and solutions. More than 22,000 organizations use SecurityScorecard’s proprietary rating technology, and the company supports its ratings system with educational resources.

Risk assessment has gained greater importance in cybersecurity practices after a recent spate of high-impact attacks that affected governments worldwide. Some attacks targeted IT service providers, critical servers, and trusted hosts, sending shockwaves through government and industry.

One hack compromised multiple hosted IT systems of governments and organizations worldwide. The incident compromised nine U.S. government agencies and more than 100 American companies.

Many hosted IT services have become a part of the nation’s critical infrastructure. The server connections between cloud service providers and their customers have unfolded to form an extended attack surface — and many enterprises falter when it comes to spotting vulnerabilities in that context.

SecurityScorecard helps enterprises evaluate risk in their supply chains.

IT security specialist SecurityScorecard has conducted risk assessments since 2014, but recent developments — and the COVID-19 pandemic — have given its objectives greater urgency. Rating organizational security has become vital as governments worldwide begin to enforce new processes and regulations — a move hastened by major attacks.

Security audits and penetration testing can help companies find weaknesses, but they are expensive, time-consuming, and not entirely reliable. SecurityScorecard aims to subject corporate entities to ratings-based scrutiny to quantify cybersecurity provisions and grade their posture. It also makes it easy for rated organizations to positively communicate cybersecurity risk considerations to internal and external partners and stakeholders.

“To refresh an old saying, ‘If you cannot measure it, you cannot improve it,’” said Bill Hogan, Chief Revenue Officer at SecurityScorecard. “We help our customers achieve both of those objectives.”

An Integrated Suite of Comprehensive Security Evaluation Products

SecurityScorecard’s primary offering is based around three flagship products — Ratings, Atlas, and Data.

SecurityScorecard Ratings leverages those hosted tools to evaluate an organization’s cybersecurity risk using data-driven, objective, and evolving metrics that provide visibility into weaknesses and potential vulnerabilities in the supply chain.

SecurityScorecard Ratings offer grades on an A to F scale across 10 groups of risk factors. They include DNS health, IP reputation, web application security, server security, leaked information, hacker chatter, endpoint security, and patching cadence.

Atlas is designed to make routine tasks like cybersecurity assessments or responding to lengthy questionnaires fast, accurate, and more secure. According to SecurityScorecard, Atlas is the only fully integrated security ratings and vendor assessment solution available.

SecurityScorecard ratings identify a company’s cybersecurity posture.

“Atlas’ centralized hosted platform leverages Machine Learning to align questionnaire responses with SecurityScorecard Ratings to provide an instant 360° view of cybersecurity risk and automatically validate responses,” Bill said. “This enables our clients to objectively determine their points of risk.”

SecurityScorecard’s global security intelligence engine, Data, continuously collects and analyzes a broad range of highly relevant but non-intrusive cybersecurity signals from millions of digital assets across the internet.

“Organizations need fast, effective ways to leverage cybersecurity data — and actionable insights — across their enterprise and third-party ecosystem,” said Bill. “Hosted SecurityScorecard Data enables customers to tap into that data for millions of companies. It brings cybersecurity data to the heart of their business operations.”

Cyber Health Check Minimizes Supply Chain Risk

Cybersecurity considerations extend beyond the confines of IT functions and now condition many additional aspects of business operation.

“Effective cyber hygiene is no longer just about keeping out the bad actors,” said Bill. “There are additional reasons why corporate entities would undertake a SecurityScorecard health check.”

Bill Hogan, Chief Revenue Officer at SecurityScorecard, talked about why companies seek a security rating.

According to Bill, clients typically have three motivations for seeking the rating. First, they want to improve their understanding of cybersecurity so they can self-monitor and determine whether they are investing in the most effective areas that deliver the best server protection and ROI.

Second, companies rely on SecurityScorecard’s hosted products and solutions to gain more insights into the security posture of B2B partners and their supply chains. Governments and commercial sectors understand the massive risk that vulnerable global supply chains can represent, especially during the COVID-19 pandemic.

Many potential vulnerabilities in those supply chains have been exposed. That is particularly concerning because IT products and services support the economy and keep people connected during a crisis.

“Cyber risk insurance is another driver because insurers are concerned with determining known risk, and supply chains too often constitute an unknown risk,” said Bill. “Therefore, there is a growing need for assessment tools like ours that provide organizations better visibility to protect both themselves, their supply chain partners, and customers.”

Security Rating is Necessary for Risk Insurance

Cyber risk insurance became necessary in the early 2000s when the cyber threat landscape was markedly different from the one that confronts insurers today. What seemed to insurers like a profitable field of risk coverage two or three years ago has transformed into unforeseen liabilities, mainly driven by the rampant upsurge in ransomware attacks.

The recent increase in targeted attacks on hosted IT service providers has impacted the cyber insurance sector, causing the scope of policies to grow. Policies may include data loss and business recovery costs, reputational damage, and ransomware payouts.

Recent reports indicate that cyber risk insurers have fundamentally changed their positions on parameters. The significant ransomware strikes of 2021 have convulsed the insurance market, according to one report, and caused some year-on-year premiums to rise 27% over 2020 levels.

Insurers can use SecurityScorecard’s risk assessments to get a clear picture of a potential client’s vulnerabilities.

Another outcome is that cyber insurers have become more discriminating about the organizations they will accept for coverage. SecurityScorecard’s ratings can play a role in providing customers with credible evidence of server resilience that insurers want to see.

“Underwriters remain cautious when issuing cyber insurance policies because it can be difficult to easily gauge their clients’ cyber health — and understandably so,” said Bill. “The cyber insurance market has used SecurityScorecard’s risk assessment and security ratings capabilities to get a view into whether a prospective policyholder’s cybersecurity is fit-for-purpose. They correlate it with loss factors and build it into their risk and pricing models for cyber insurance.”

Cyber Hygiene Rating Helps Businesses Thrive

The disruptive nature of the COVID-19 pandemic raised the profile of SecurityScorecard’s value proposition, but not necessarily for the reasons the company anticipated.

“Even before March 2020, widespread Digital Transformation had already been causing many of our customers to radically reengineer their IT strategies, and that often meant their cybersecurity had to be rerated,” Bill said. “When the pandemic first hit, it put many of those DT programs on fast-forward. And with the rapid displacement of so many workforces, it caused massive changes to digital footprints. It took some time for the effects of this to filter down to the point where they needed SecurityScorecard’s support.”

SecurityScorecard ratings are now included in board reports and corporate statements, and even in some of their clients’ marketing materials.

“Many of our customers are using their SecurityScorecard cybersecurity rating as part of a marketing message — it becomes a sort of badge of honor,” Bill said. “Make no mistake, cyber threats are the toughest IT challenges that organizations have ever had — and probably will ever have — because typically in the history of IT, zeros and ones solved problems. But with this scenario, zeros and ones are just another part of the problem.”