Would you entrust your savings to a fund that boasts of channeling all its investments exclusively on the basis of press reports?

Credit rating agencies, Moody's, Standard & Poors, Fitch, and others not so well known, are hired by the main public and private organizations in the world to analyze and assess their financial soundness, so that the better the rating obtained in this analysis, it provides investors with more confidence and, consequently, the organization will have more ease in raising capital and better conditions for financing its debt.

To carry out this analysis, companies open their books of accounts to agencies, and for this reason, their ratings are widely accepted - which persists after the blow of the 2008 crisis - as the most reliable method of evaluating financial risk, and it is one of the fundamentals on which the most important funds in the world base the investment of billions of euros.

Entrusting the savings to a fund that bases its investment on press news would be the same as trusting that your providers operate with an adequate level of cybersecurity based on the results of an external rating, such as those provided by BitSight, MetricStream, RiskRecon, SecurityScorecard, ... or many others that proliferate in recent years with this activity, claiming that they offer the key to managing risks with suppliers.

I'm not going to say that press reports are useless, and neither are external cybersecurity ratings. In fact, all of these companies have been able to secure outrageous amounts of financing. Obviously with the speculative philosophy of venture capital that accompanies the trend. And the truth is that they are taking advantage of these capital injections very well to carry out excellent marketing campaigns and position themselves in the market as if they were the definitive solution.

However, these models cannot withstand the slightest analysis.

To begin with, the sampling base. And I'm going to put a real case on a provider: Telefónica. The external rating is based on the analysis carried out on the perimeter with Internet exposure, after the "discovery" of the IP addresses and domains that are associated with the main domain telefonica.com, and thus obtains thousands (or millions) of assets that Telefónica has all over the world, including the routers in its clients. It goes without saying how inappropriate this perimeter is to analyze anything about it.

In fact, and anecdotally, the CISO of an important company to whom Telefónica itself sells one of these solutions, told us that the results of the same for Telefónica itself advised against hiring it as a service provider due to the low rating provided by the company tool.

Without going so far, the inaccuracy in the basis of the analysis obtained in this way, for almost any type of organization, is evident. And not only because of the errors that can be made when establishing the perimeter on which to perform the analysis, but also because of the limitations that said analysis has when it is carried out solely and exclusively, in a non-intrusive way, from the outside.

Of course, it can provide us with good information about some vulnerabilities: improperly opened ports, email domains included in spam lists, outdated versions of web servers, databases accessible from outside ... Well, all this is important, and therefore these services are having a good level of acceptance. However, what is most important to determine the level of cybersecurity in an organization is within it, and cannot be seen from the outside.

We know that the vast majority of ransomware attacks cause the desired results because a reckless employee receives an email and clicks on a link that he should not, resulting in the hijacking of company information. How can the training and awareness of staff to avoid this situation be evaluated from the outside? And also, how prepared is the organization to recover from an attack of this type? Do they have backup copies and are they capable of restoring the information, so that your business is not affected?

How robust is the access control policy? And the use of antivirus systems? Are server and workstation updates being made to avoid vulnerabilities? Of course, these, and many other fundamental characteristics to determine the degree of cybersecurity and preparedness for incidents can only be answered by a “white box” type evaluation, in which the organization opens its doors for a rigorous audit to determine the real level security with which it operates. And even, being more precise, the one implemented in the different services, which, of course, may have different characteristics.

This is what we do at LEET Security: we evaluate from the inside all the factors that must be taken into consideration to determine the maturity and robustness in cybersecurity of the services provided, which we complete with an external evaluation similar to those mentioned before. Therefore, we are not wrong in saying that ours, LEET’s cybersecurity rating, is the only one that provides a real and reliable vision of the organization's cybersecurity level, and thus, also the only one that will allow you to contract the services, with total confidence, of the suppliers rated by us.

Recently, although I don't remember from whom, I heard this phrase: "Thinking that cybersecurity risks can be managed through these external ratings is like making the insurance of a building from a photograph from the outside." Would you insure your business with a photograph from outside of your suppliers?

All you need is LEET!

Subscribe to our newsletter here.

You can follow us on twitter.com/leet_security

28 de octubre de 2020