A new service from Australian research and consultancy firm Security in Depth aims to help enterprises minimise risk through a new ‘credit score’-style rating that assesses the security maturity of suppliers that integrate with their systems.
The new service is essentially “a cyber credit score,” CEO Michael Connory told Computerworld.
“If you’re looking at working with organisations that are going to be linked into you, from an integration perspective – it could be your HR system, it could be your finance system, or you could be sharing project files with an external organisation – we do a review on those organisations to see where the biggest risks are. That way, the organisation can make a better decision whether or not they want to share their data.”
The service is called CARR — for Cyber Assurance Risk Rating — and Security in Depth offers three different layers of service.
The basic service assesses an organisation based on its size and industry. For example, a local plumber with three employees might not have any real cyber security, but the likelihood of them being a risk to a major bank is fairly minimal, so they may have a medium score.
“You might have a not-for-profit organisation that has thousands of members and has half a dozen staff. They’re providing services to thousands of members on a daily and weekly basis but their ability to understand and manage cyber security might be very weak, so they might get a lower score,” Connory said.
A low score gives an organisation an opportunity to discuss how they should work with a particular supplier.
The second layer involves a security audit of a supplier.
Connory said that could include probing whether an organisation adheres to an information security framework such as ISO 27001 or NIST, and asking for evidence to show that this is the case.
“If necessary we’ll go in and actually ask to see evidence — have they done penetrating testing before, who did they do their test with, when did they do the test,” the CEO said. “We don’t necessarily need to see the results — but the fact that they’ve done it shows a level of maturity that a lot of organisations might not have.”
The most in-depth level of service involves a continual vulnerability scan and auditing of systems that handle critical data.
Connory said that Security in Depth has a CARR algorithm that takes a range of factors into consideration and then produces five scores relating to different areas, as well as an overall score: “So their governance might be really good or their governance might be really weak; their ability to detect might be really good or it might be really weak; their ability to respond might be really good or it might be really weak,” the CEO said.
“It gives the organisation requesting the information the ability to say, ‘Well we have a little bit of concern here — if you’re looking after all of our data we would like you to be able to make sure that these areas are more thoroughly managed.’”
The company started offering the service a few months ago and it is currently being used by several major Australian financial services organisations.
State of cyber security
Security in Depth today released its first State of Cyber Security in Australia research report.
The report is based on a survey of 722 organisations across Australia. Among the findings are that 41 per cent of respondents did not have any ICT security framework, 47 per cent of the companies covered by the survey had never conducted cyber security awareness training, and only 17 per cent of companies are prepared to respond to a data breach.
The responses to the survey highlighted the significant gap in the security maturity of large Australian enterprises and SMEs, Connory said.
“Once you hit around the 2000-seat mark and smaller, which is a significant amount of Australian organisations, almost half of them have no cyber security awareness whatsoever,” he said. “It’s very scary.”
In many of those organisations the IT department “is generally very aware that they’re vulnerable,” the CEO said. “Especially in the smaller organisations they’re very aware that they’re vulnerable, they’re very aware of the challenges they face and they’re also aware that they don’t necessarily have the skills to be able to manage everything.
“When we ask the same questions of the executives – CEOs, CFOs and board members – they honestly believe that their organisation is secure and that they’re doing everything that they’re supposed to be doing.”
“So you’ve got a significant gap in understanding of risk and what’s actually occurring at an IT level compared to an executive level, especially in those medium-sized businesses,” Connory said.
The survey found that in close to 70 per cent of organisations, cyber security budgets were static year-on-year. Increased security headcount and larger budgets were cited by around 69 per cent and 65 per cent of respondents, respectively, as key measures that would boost organisations’ security levels.
“The medium and the smaller-sized organisations only have smaller IT teams, and those IT teams are generally focused on keeping the lights on – making sure the network is up, making sure email is running, making sure that their servers are humming away okay,” Connory said. “But they don’t really have the necessary skills or knowledge or experience to be able to handle or manage security.”