What are Cyber Security Ratings?

By Susanne Gurman

Posted on Mar 14, 2018

As the economy moves from a physical to a digital environment, businesses need to change the questions they ask when considering working with vendors, partners, and others in their supply chain or ecosystem. 

Historically, companies referred to Dun and Bradstreet asking, "What is a good credit score?"

Now many companies are asking the question, "What is a good security score?"

What are cyber security ratings?

Security ratings grade your security performance by how well it protects information. In a digital world, data and your company's protection of that data parallels your income and protection of financial assets.

Consumer credit reporting agencies review a company's financials and assign a credit score by evaluating whether the company can protect its financial assets and keep from going into debt. Similarly, a security ratings organization reviews a company's security posture and assigns a security score by evaluating whether the company can protect its data assets from data breaches.

In both of these cases, the ratings organization compare assets and liabilities to provide a score that others can rely on and factor into their decision-making process.

A good security rating is an organizational asset that can open business opportunities and partnerships and provide assurance to existing customers. A poor security rating places can indicate that an organization's data is at risk. Just as credit ratings provide insight into organizational financial stability, cyber security ratings provide insight into the cybersecurity health and practices of an organization.

What can a security rating do for service providers?

Service providers need to prove information security controls and security performance to prospective customers. While SOC reports and certifications offer prospects and customers some information about corporate security posture, these point-in-time assessments have limitations.

A strong security rating offers your customer base up-to-date, objective, and continuous validation that your cybersecurity posture and practices are structured to keep data safe. Organizations can leverage security ratings to help increase profitability. In 2017, news of the Equifax and Kaspersky data breaches put customers on high alert for poor cybersecurity. Providing potential customers independent, validated proof using security ratings offers organizations the opportunity to build the confidence that generates customer loyalty and, thus, profitability.

What does a security rating do for third-party risk management?

Companies looking to hire vendors need security posture assurance often as a part of the procurement process. There is a widespread understanding that outsourcing work does not translate to outsourcing risk and that vetting of cybersecurity posture of a potential vendor is a requirement, and increasingly a compliance mandate.

The highest security rating is an “A,” indicating a low number of vulnerabilities, threat indicators, and issues; the ratings descend as the severity and number of threat indicators increases. Companies with a “D” or an “F” rating are 5.4 times more likely to be victims of data breaches than those with an "A" or "B" rating.

Utilizing security ratings can help enable prioritize remediation amongst existing third parties, define mandatory thresholds for cybersecurity for new vendors, aid in making decisions in the procurement process, and help define the level of assessment required for each vendor. For examples, vendors with an A or B rating provide greater safety to your organization, so organizations may feel more comfortable moving forward with these vendor contracts compared to those vendors with lower grades. 

While other sources of information such as references, audit reports, and certifications provide some indication of cybersecurity, these data points are an incomplete picture and cannot provide insight into the strength of day-to-day cybersecurity practices. 

What high severity vulnerabilities put businesses at risk?

Security ratings incorporate daily activities such as security monitoring, network security, and endpoint security.

SecurityScorecard technologies rate companies across 10 Risk Factors including application security, network security, DNS health, patching cadence, endpoint security, IP reputation, web application security, cubit score, hacker chatter, leaked credentials, and social engineering. Our platform enables you to drill down into specifics within each factor, giving you the most granular view of how your ecosystem is performing.

A closer look at network security

SecurityScorecard's security rating platform incorporates a review of network security. SecurityScorecard reviews a company's password strength and firewall rules when creating its security rating. Password strength is one of the most common vulnerabilities that are exploited by hackers.  

A closer look at endpoint security

As more employees bring devices with them or work remotely, endpoint security becomes a higher risk. Employee connected devices, such as smartphones or tablets, that access public internet environments (as employees work remotely) may become infected with the Mirai IoT malware and allow unauthorized access to secured data.  Malicious actors increasingly target endpoints with new threats including both file-based and file-less techniques.

SecurityScorecard security ratings provide transparent information not only about potential weaknesses in endpoint security but also specify which IP addresses are impacted. This allows vendors to easily investigate, address, and remediate the concerns. This path takes them to an improved risk rating, which can be leveraged to attract new customers.

For companies looking to hire third-party vendors, SecurityScorecard security ratings give insight into how well potential business partners manage third-party risk and internal risks.

How do a company's cybersecurity capabilities stack up against its competition?

Service providers seeking business growth need to understand how they compare to others in their landscape. Using SecurityScorecard's platform to review not only your own business but also those in the same space can provide insight into how potential customers view your cybersecurity posture. If your rating is below that of your competitors, taking steps to secure your IP footprint can help you become a more attractive option to potential customers. When your organization's security rating exceeds that of you competitors, you have an opportunity to leverage that in business negotiations.

Companies seeking to hire vendors need to prove to their Boards of Directors that they have thoroughly vetted new business partners with a data-driven, reliable analysis. Performing this analysis with SecurityScorecard's platform assures the Board, C-suite, and your auditors that they are seeing up-to-date, accurate information, bring confidence in your due diligence process. 

How can organizations leverage their security rating to their Board of Directors, management team, and customers as proof of improvement?

Data and reporting underlie informed decision making. One weak audit impacts customer, board, and regulator confidence. Since most audits occur annually, a weak report can impact an organization's profitability for a year.

Security managers can utilize security ratings between audits to prove that new security measures work. SecurityScorecard technologies continuously scan the internet for vulnerabilities and risk signals. This continuous monitoring means that as you incorporate new protection measures, the data analysis engine recalibrates the score.

For smaller organizations, SecurityScorecard security rating platform’s instantaneous insight provides confidence for customers and Boards of Directors. Liquidnet, a broker-dealer handling trades that average $1.4 million, shared,“When it comes to security, Liquidnet is a 350-person company that is expected to act like a 35,000-person company.” As a fintech organization heavily regulated by the  U.S. Securities and Exchange Commission (US SEC), Financial Industry Regulatory Authority (FINRA) and a variety of other governing bodies, Liquidnet needs to respond not only to customers but to regulatory authorities who can potentially levy fines for noncompliance. The SecurityScorecard security rating platformprovides them a one-touch solution providing independent data showing compliance, not just questionnaires asserting compliance.

Companies hiring third parties can incorporate the same review to gain confidence in a vendor. If your vendor is at risk, you are at risk. However, if you cannot break that contract immediately, then you might be worried about your organizations’, and your customers', security. Using SecurityScorecard allows you to prove your ongoing due diligence to your customers, Board of Directors, and regulators.  Mike Belloise of Trinet, a SecurityScorecard customer, noted, “The first thing I do when a new vendor or partner is going to be onboarded is pull up the SecurityScorecard dashboard, type in the url, and we view the quick and accurate assessment.” Whether occurring during the onboarding process or as a part of the ongoing monitoring, third-party risk management using security ratings provides organizations with the insight needed to prove your due diligence.

How do security ratings help organizations during acquisitions?

Both parties to an acquisition need assurance that assets will be well-protected. Poor cybersecurity is a liability, and corporations seek to understand the scope and size of this potential liability. 

If you're looking to sell your company, you need to know what prospective buyers know. If your potential buyer is looking at your security rating, you need to know it, too.

As you work to acquire a new company, you may make requests for certain cybersecurity standards to be met, similar to requesting mitigation work on a potential home after the initial inspection. By monitoring potential acquisitions with SecurityScorecard, organizations can track progress on vulnerabilities, set expectations about the level of cybersecurity required, and help enable potential acquisitions with information that will help them pinpoint security flaws.

How does your company rate?

Since any company can access their security rating profile at no cost, your can review your cyber security rating today. The SecurityScorecard security rating platform meets the specific security rating principles published in the Principles for Fair & Accurate Security Ratings. Understand your security performance easily to protect your business from hackers.


Security Research in your Inbox

Thanks for siging up for the newsletter!

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!

Request a Demo

Thank you for requesting a demo!