Organizations are increasingly concerned about cyber risk — and they’re right to be.
The average cost of a data breach is $3.92 million, according to Ponemon’s Cost of a Data Breach report.
But according to a 2019 study from Marsh and Microsoft, businesses aren’t confident that they’re understanding or correctly assessing cyber risk — while 9% of businesses ranked cyber risk as a top-five concern for their organization, 18% weren’t confident that they were adequately assessing cyber risk. That figure is up by half from Marsh’s previous survey, which isn’t surprising: cyber risks, even tried and true attacks like phishing and spoofing, have become harder to detect.
Also, as companies rely more and more on third parties like vendors and partners, risk becomes harder to quantify even as the stakes are raised: if a third party causes a data breach, the cost of the breach rises by $370,000, according to Ponemon’s report.
Unfortunately, third party risk is difficult to measure: vendors may not disclose a previous breach, and you don’t have immediate access to their controls.
What is risk and how is it measured?
Risk is the acknowledgement that something bad can happen to your organization. In the case of cyber risk, it’s the acknowledgement that cyber criminals might either launch an attack on your organization, or take advantage of an employee’s negligence — if some data has been left open to the internet, for example.
Evaluating cyber risk means determining the likelihood of a cybercriminal attacking your organization.
The standard formula for calculating risk is:
Risk = Likelihood of a Data Breach X Impact of a Data Breach/Cost
The tricky part is filling in the numbers in that formula. How do you understand what the likelihood of a breach is?
That part is usually left up to the organization. Even standards like NIST, CSF and SIG aren’t entirely helpful. While they offer guidelines for determining risk, and best practices for maintaining security, such guidelines leave the how of determining risk up to the organization.
You might also use frameworks like FAIR, which help to quantitatively determine risk. But while the FAIR taxonomy is open for any organization to use, you’ll need to pay for a license to use it to evaluate other organizations for financial gain — as with third parties, or if you’re issuing cyber insurance to an organization.
That can be baffling for companies new to cyber risk management. They may not know which KPIs to use to determine risk.
3 metrics for determining risk
Cyber risk can be thought of in another way: a hacker’s window of opportunity. How easy is it for a hacker to breach your controls or those of your third parties?
We suggest monitoring three important metrics when determining this window of opportunity:
- Level of preparedness: How many of your endpoints are fully patched and up to date?
- Time to detection: When a new version of software is released (for example, Google Chrome), how many days does it take to start the update to the next version?
- Time to respond: How many days does it take to achieve company-wide adoption?
These three KPIs can be used to measure your own risk and, because they’re observable from outside an organization, those of your third parties and they can be used to complement the findings of security questionnaires filled out by vendors and other partners.
Using these outcome-driven metrics you can measure a bad actor’s window of opportunity to attack your organization or a partner, and from there, take action to narrow that window.
How SecurityScorecard can help
SecurityScorecard’s Security Program Analytics module, which is located in the Reports section of your SecurityScorecard interface, allows you to automatically review all three metrics for your organization and your partner organizations. This lets you continuously monitor the efficacy of your third parties’ internal controls.
SecurityScorecard’s Atlas is another tool that helps you determine your third party-risk. Using our platform, organizations can upload vendor responses to questionnaires. Atlas’s machine learning compares those answers to previous questionnaires and the platform’s analytics, verifying vendor responses almost immediately, and assigning easy-to-understand security ratings for you.
Our security ratings use an A-F scale across ten groups of risk factors. As part of your vendor risk mitigation strategy, you can use these factors to set service level agreement (SLA) compliance requirements. Moreover, the easy-to-understand ratings scale enables you to provide your Board of Directors with the necessary documentation to prove governance over your vendor risk management program to meet increasingly stringent cybersecurity compliance requirements.