Cybersecurity Hygiene: Not a Dirty Little Secret for Long
In October 2018, FICO (a consumer credit scoring specialist) began scoring the cybersecurity of companies based on a scan of their internet-facing vulnerabilities. FICO grades companies on the same scale familiar from consumer credit scoring. These metrics can then be used to compare a company's security risk against that of its competitors.
This announcement has the potential to be a sea change event in cybersecurity. In the same way that credit scores are now influencing decisions as diverse as dating suitability and employment eligibility, publicly available security scoring has the potential to leak out of the IT department and contaminate a wide range of corporate interests.
Many companies treat their woeful lack of security hygiene as a dirty little secret that they hope will never see the light of day.
Trustwave recently surveyed 126 security professionals. Despite having security professionals on staff, 20 percent of the companies represented do no vulnerability testing at all, and 66 percent do test, but less often than every six months. Best practice recommends scanning somewhere between monthly and daily. These companies take the position that cybersecurity is akin to a cookie dropped onto a grimy floor: if nobody is looking, the five-second rule can be very flexible. FICO's move to make cybersecurity publicly visible shines a spotlight on these previously hidden practices.
Consider a series of examples of how security scoring is likely to affect business operations well beyond the IT department.
In the services industry, contractors who perform remote maintenance and support have the potential to act as vectors for the spread of infection. After touching somebody else's infected network, the contractor's systems become infected too, and now they are ready to probe into the problem that you reported.
Before hiring a contractor, wouldn’t it make sense to look at an unbiased metric (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Stephen Wood. Read the original post at: https://www.tripwire.com/state-of-security/risk-based-security-for-executives/cybersecurity-hygiene/