The Truth About Security Ratings — And How To Improve Them

Alright, we’ll say it — security ratings are old school.

Think of ratings as akin to credit scores. Modern businesses depend upon good scores and ratings. For credit scores, that means having access to loans and home ownership. For security ratings, that means qualifying for cyber insurance and earning your third parties’ trust.

Here’s what companies need to know about what they can do to make the most of their ratings — and improve them.

How Security Ratings Started — And How They’ve Changed

Improving your security rating starts with understanding how ratings came to be in the first place. That way, your organization can design security strategies based on the qualities ratings are meant to measure.

It All Started With Questionnaires

Ratings developed out of a distinct need for a standardized method to measure cyber hygiene. Prior to ratings, organizations had to create, send, and synthesize mountains of security vendor questionnaires. Managing and identifying risk from hundreds of questions overburdened security teams.

In the 2010s, BitSight developed the first iteration of modern ratings. At first, they were a much-welcomed change of pace within the cybersecurity landscape. Finally, there was a singular way for organizations to measure cyber health.

In an ideal world, ratings demonstrate how well an organization maintains its cyber hygiene by assigning an “objective” quantification of its efforts. These ratings often look like letter grades, with A indicating the highest level of cybersecurity hygiene and F indicating the lowest level of cybersecurity hygiene.

What the Rating Process Looks Like Today

The ease of implementing and growing popularity of ratings created a new industry around quantifying cyber posture. For example, multiple entities formed specifically to conduct research on and assign cyber ratings to businesses to grade their cyber hygiene.

Most rating companies will conduct external surveillance of an organization’s security practices and mine public data for insight, then come up with a rating from there. Additionally, security rating companies are for-profit organizations. Each company follows its own method of determining cyber ratings — and while the specific details of those methods are not publicly available, there are a few factors that most entities make clear they take into account:

• Patching frequency.
• Vulnerability to active gateways.
• Encryption processes.
• Leaked credentials online.
• Mentions in public hacker or dark web forums.

While this process can indicate a general idea of a company’s cyber health, it neglects to consider other critical factors regarding robust cyber hygiene. For example, security ratings might weigh some security practices or qualities too heavily when they might be irrelevant to an impending breach. Solely relying on these ratings can lead to significant security blindspots that eventually open organizations up for costly attacks.

Security ratings were originally meant to solve the issue of too many questionnaires. In actuality, ratings ended up perpetuating existing security issues around lack of context and insight into robust cyber hygiene. This also reintroduced the problem that ratings solved in the first place: Having too many different “ways” to prove good cyber hygiene.

The Best Way To Use Ratings

While ratings shouldn’t be treated as the only source of truth, they can be particularly helpful in supplementing an organization’s cyber intel when coupled with other tools or strategies. Those might include:

• An internal research team dedicated to keeping tabs on the latest breaches and incidents affecting your vendors or third parties.
• A third-party risk management platform that helps organize, aggregate, or (better yet) conduct that research.

Internal research teams can enhance the insights an organization gains from security ratings by following up on important incidents or vulnerabilities connected to potential vendors or third parties. For example, while a vendor with a B security rating might on the surface meet an organization’s threshold for risk, that rating might prove insufficient if a research team discovers the vendor uses software with actively exploited vulnerabilities.

Similarly, third-party risk management platforms provide greater context into security ratings by adding different metrics that measure risk for a fuller picture of a vendor’s cybersecurity health. For instance, Black Kite incorporates an automated tool called the Ransomware Susceptibility Index (RSI) that helps approximate the likelihood of a vendor falling victim to ransomware. A vendor with a good security rating might also have a high RSI, which could deter organizations from partnering with that business. This additional layer of intelligence can help organizations decide which vendors are and are not suited for their risk appetite.

These tools, when combined with a strong understanding of what ratings do and do not indicate about cybersecurity standing, can help organizations ultimately better maintain their cyber hygiene and acquire coverage under cyber insurance.

How To Improve Your Security Rating

Scoring processes are rarely transparent, meaning it can be hard to pinpoint where organizations might be lacking and what might be giving them a downgrade. However, there are a few clear-cut best practices that security teams can implement to strengthen their cybersecurity health and increase their chances of getting a good rating.

1. Identify Security Goals Based on Reliable (And Relevant) Frameworks

It can be challenging for security teams to know where to start when it comes to improving their organization’s rating. That’s because there are hundreds upon hundreds of recommendations online about what strategies to implement and what factors are needed for a healthy rating.

Organizations should take some time to look at reliable cybersecurity frameworks (i.e., ones that have been vetted or made by regulatory bodies) and identify only the strategies that are relevant to their security needs. NIST, CIS, and ISO are good frameworks to start with, but again — the key here is to get specific on the security needs of your organization.

For example, the NIST framework has several highly specific subsections, like Cybersecurity Framework for Liquefied Natural Gas. Adhering to this framework would be pretty impractical for organizations not dealing with liquefied natural gas.

It’s dangerous for organizations to lack specificity when implementing security strategies. Equifax, one of the major credit unions in the U.S., experienced a massive attack in 2017 that exposed over 140 million people’s information. While Equifax maintained an average “C” rating, its lax security practices were clearly much more severe and posed a significant risk to its financial and reputational standing. In this particular instance, Equifax’s more lenient approach to security led to inefficient and ineffective security strategies — which made the credit union a prime target for bad actors.

Equifax’s ongoing settlement has the potential to reach up to $425 million. What might cost the company hundreds of millions could have been prevented or mitigated with a strategic investment in the right frameworks.

2. Monitor Your Legacy Systems — And Move Away From Them

Bad actors are professionals at finding the attack vectors that people usually fail to secure properly. Organizations most commonly neglect to protect and monitor this favored vector in particular: legacy systems.

Much like security ratings, legacy systems are a necessary evil in many organizations. In high-volume, older industries (like healthcare and financial services), immediately upgrading these legacy devices would likely break servers or lead to significant data loss.

But mistakes get made and missed — and certain patches might be left unnoticed when organizations start to transition away from legacy systems. And when those legacy systems are left unpatched, it leaves them ripe for the taking by bad actors. Organizations must continuously patch and maintain these legacy systems until they can slowly and completely migrate over to newer, more flexible environments.

It’s essential to keep a close eye on both old and new CVEs. Security teams can track vulnerabilities by using CISA’s Known Exploited Vulnerabilities Catalog. Most importantly, organizations should identify which CVEs affect their legacy systems and scour the news for CVEs actively being exploited in breaches. That information will help teams prioritize and focus their resources where it matters most.

3. Ensure and Invest in Password Complexity

Leaked credentials are a major boon for bad actors looking to breach sensitive systems and assets. One of the most common ways organizations leave themselves vulnerable to stolen credentials is by setting up devices and environments with default settings.

Default settings use universal passwords and usernames. Malicious hackers have forums rich with these overly common passwords and usernames, making any systems left with those original settings perfect targets for their initial attack.

Even organizations with high security ratings can fall victim to attacks enabled by shoddy password security. Just look at the 2021 Colonial Pipeline breach. Even though the Colonial Pipeline had a high rating, it still fell victim to a disastrous hack that took down the U.S.’s largest fuel pipeline.

Keep In Mind the Bigger Picture of Risk

The first step in demystifying security ratings is understanding that they — although helpful — have their flaws.

Most of the actionable steps toward improving ratings are common sense cybersecurity practices. Keep up with patching your systems, make sure your passwords are complex and off the web, and develop cybersecurity strategies that suit your organization’s needs and goals.

Still, it can be tough to maintain robust cyber hygiene when security rating processes are kept under wraps. That’s why Black Kite uses the Open Factor Analysis Information Risk (FAIR) Model to identify probable financial risk — and why we’re adamant about staying transparent about how we calculate ratings.