Tell us more about what SecurityScorecard does.
SecurityScorecard is a 10-year-old cybersecurity company that provides a SaaS solution. With a simple A to F graded system, we empower companies to understand the external exposure risks they face or those of third parties they are interested in. There are multiple use cases for creating a scorecard. Our scores are evidence-based, as we collect data from an external perspective and data breach incidents. An A to F rating doesn’t just indicate whether a company is good or bad; it also correlates to the likelihood of a breach. For example, if you receive an F rating, you are 14 times more likely to experience a violation than an A-rated company, indicating lower external exposure and higher security.
Does it mean a company with an A grade has never experienced a breach?
I would say that’s not entirely factual. While it’s true that breaches can occur due to various reasons, such as insider threats or zero-day vulnerabilities, from a threat actor’s perspective, they are more likely to target companies that expose the most vulnerabilities. Let me provide a simple analogy: Imagine a robber walking down a street where houses vary in their security measures. One house is securely sealed with no open doors or broken windows, while another house has open doors and a broken window. Which house do you think the criminal would target first? It’s simple math. Similarly, what you expose externally is an indicator of your cyber resilience and the level of cyber hygiene you maintain.
What is your methodology for rating companies’ cyber resilience?
Our methodology is highly transparent and evidence-based. For those interested in the technical details, we publish our methodology on our website for everyone to see. This transparency enables companies to understand and agree with our assessment, as it reflects everything they expose externally.
In terms of the technical process, we conduct scans of the entire IPv4 space, allowing us to observe all publicly available information. Additionally, we utilize passive scanning techniques, such as honeypots and sinkhole technologies, to gather malicious information. We also incorporate elements of cyber threat intelligence into our analysis.
The next stage involves identifying assets belonging to the company from an external perspective. We meticulously map out any assets, including external IPs, domain names, subdomains, and associated IPs. Once we have gathered this information, we correlate it and benchmark the company against similar-sized digital entities.
Our grading system ranges from A to F, reflecting the company’s external exposure and security posture. Furthermore, we evaluate companies across ten different areas, including network security, application security, patching cadence, DNS health, messaging security, cyber threat intelligence, and social engineering.
To delve even deeper, we offer additional products and modules, such as Attack Surface Intelligence, which correlates cyber threat intelligence with information on your assets.
Your report notes that 73 percent of the top 30 companies in the UAE have third parties that experienced a breach. Could you shed more light on this?
With the onset of digital transformation, people are moving to the cloud for scalability reasons and to cater to every customer due to heightened competition. As everyone shifts to the cloud, including third-party suppliers, for the same reasons, they become equally accessible to everyone. When we consider breaches, in 2023, over two-thirds of them – specifically 66% – occurred through third-party channels. For instance, a breach in Uber involved its lawyers, resulting in the leakage of Uber’s data. Thus, while relying on third parties for scalability and productivity, companies share critical data with them, making them vital for business continuity but also posing a risk to the organization’s reputation. Regulators, such as the DORA in Europe and SAMA in Saudi, emphasize the importance of continuously monitoring critical third-party supply chains. This is crucial because any breaches they encounter will directly impact the organization relying on them.