Cybersecurity blog header

Security Ratings: An initial view of companies’ security status

Security ratings provide an initial, external view of a company's level of cybersecurity

Security ratings are used to conduct an external analysis of the security configuration of a company’s Internet-exposed infrastructure

Although sometimes a score does not accurately reflect a student’s knowledge, effort or worth, the education system relies on grades. Getting an A+ on an exam in the United States or a 9.5 in Spain is synonym of excellence. Although a priori, we may think that education and cybersecurity are distant sectors, cybersecurity is a field in which one never stops learning and where continuous training is essential.

Therefore, it should be no surprise that ratings have been transferred to cybersecurity through security ratings.

These indices are used to evaluate the security status of a company and represent this analysis in the form of a score. The higher the security rating, the more robust the company’s security systems are against cyberattacks. On the other hand, if the score is low, the security ratings will show that the company must allocate resources to remedy security deficiencies.

In this article, we will shed light on security ratings, analyze their limitations and highlight their usefulness when evaluating the security status of a company or its IT suppliers.

1. What are security ratings?

Let’s start with the foundations. What exactly are security ratings? Security ratings are indices based on automated tests of a company’s attack surface. In other words, those assets that are exposed to cyber criminals, such as websites or applications.

The security ratings test basic aspects of the security of the technological infrastructure, such as the security of applications or their vulnerability to social engineering attacks.

In this way, security ratings are used to graphically, synthetically and visually represent the health of an organization’s security systems. Whether it is the company that has contracted the service or the IT providers with which it works or is considering entering a business relationship.

By establishing ratings, it is easier to understand what needs to be improved. This makes it easier to make decisions to strengthen security measures and controls to protect business assets from potential cyber-attacks.

What do these scores look like? BitSight’s security ratings, for example, look similar to a company’s credit rating. Security Scorecard and UpGuard show their ratings using the U.S. education grading system. F is a resounding “F,” and A is an “A.”

2. Basic testing of the infrastructure that a company exposes to the Internet

The key to security ratings is that they are based on something other than an exhaustive analysis of a company’s security systems. Rather, they are based on basic tests and trials carried out on the infrastructure that the company exposes to the Internet.

In fact, as Manuel Santamaría, CIO of Tarlogic Security, points out, the companies that provide security rating services carry out «basic tests, but, in most cases, they are correct».

What is obtained is a basic and external view of the security status of the company being analyzed. This is a far cry from, for example, the broad overview provided by penetration testing services that run on a company’s entire security system.

This is why security ratings do not consider internal mechanisms and protocols. Neither do they take into account key issues such as, for example, the management of network users (access, permissions, removal of credentials of employees who have left the company, etc.) or the cybersecurity training given to all members of the organization.

Security ratings, unlike services such as pentesting, do not provide a comprehensive and in-depth view of a company's security

2.1. Does a high score mean a website or app is secure?

However, if a company’s website is evaluated and the score obtained in the security ratings is high, this does not mean the website is secure. Instead, this score indicates that the server configuration is adequate after verifying issues such as TLS configuration or DNS protocol.

Thus, the test does not analyze the website’s logic but remains on a more superficial layer. So getting an A+ rating does not mean that a website or mobile app is completely fortified and impossible for criminals to attack.

Given what we have just pointed out, security ratings do not provide an overall security assessment of a company but are a useful solution for analyzing its basic security configuration.

3. Protecting a company’s reputation

A company’s website or applications are often letters of introduction to thousands of customers. In the case of companies that have marketplaces, these are also a sales channel and, therefore, absolutely critical for their business model.

It is, therefore, essential that they are configured in an ideal way. In this respect, security ratings evaluate the basic configuration and correct serious security problems, which are visible at the first level and can therefore be easily exploited by criminals.

Otherwise, the company’s reputation can be damaged. And, if it suffers a successful cyberattack, the financial and legal repercussions can dramatically impact the viability of the business.

Thus, security ratings are a superficial indicator of a company’s level of security. If the score obtained is low, we would be dealing with a company with a high exposure to cyber-attacks, which reduces its legitimacy in the market.

On the other hand, if the external defenses are deficient, it is presumed that the company’s internal mechanisms and security controls will not be robust and effective either.

If we get metaphorical, we could say that security ratings show whether a house is well painted, offering the best possible image. So, if the house is badly painted, it is predictable that its interior will be even more neglected.

4. Who uses security ratings?

Can small and medium-sized companies that lack the resources to hire advanced cybersecurity services use security rating services?

A priori, this type of company could use security ratings to check that its technological infrastructure exposed to the Internet has the basic security configuration. However, this does not imply, let’s remember, that the IT infrastructure is fully secured against risks and threats.

However, the annual cost of security rating services can exceed $20,000. This shows that security ratings are not intended for small and medium-sized companies to test their security status or that of their IT providers in a basic way.

Nor are they solutions used by cybersecurity companies such as Tarlogic since the tests on which they are based lack the necessary depth to assess a company’s security comprehensively.

Rather, security ratings are tools used by large companies, which use them to undertake an initial security assessment of the IT suppliers they work with or those companies with which they are considering agreeing.

Security ratings are often used to enable a company to initially evaluate its IT suppliers

5. Implementing a global security assessment of an IT supplier

Let’s think of a bank interested in contracting a certain software. This tool will access sensitive data of the organization and its customers. Therefore, when deciding whether or not to purchase the solution, the bank needs to have a guarantee that its data will be safe.

This example allows us to outline a scenario in which companies use security ratings to initiate a security evaluation of their IT suppliers.

Thus, companies of a certain size and particularly aware of cybersecurity and data protection issues use security rating services to obtain an external view of the security of their suppliers.

In the event of a poor security rating, they can directly discard the evaluated supplier. On the other hand, if the score is optimal, they usually send the report to the supplier so that it either remedies the deficiencies found by the testing company or justifies that these issues are irrelevant to guarantee the protection and integrity of the data with which the supplier is going to work.

Are security ratings enough for a company to perform a security assessment of an IT provider? Manuel Santamaría, CIO of Tarlogic Security, argues that completing this basic and external testing with a checklist is necessary.

5.1. Checklist: delving into a provider’s security policies and mechanisms

The use of checklists has become standardized in the cybersecurity field. Employing these lists, companies with important cybersecurity requirements and subject to increasingly stringent regulations can evaluate in depth the security policies and procedures of IT providers.

A checklist of this nature can be made up of hundreds of items to probe key issues ranging from how the vendor manages its users’ credentials and accounts to whether it has signed confidentiality agreements with all its workers and suppliers.

As Santamaría warns, this checklist is not a mere formality; companies invest human and time resources in preparing it and analyzing suppliers’ responses.

Thus, if a potential supplier fails to comply with some key item for the company, for example, the signing of NDAs with the companies with which it works, a time limit can be set for the supplier to remedy the deficiency.

This also involves monitoring compliance with the checklist and optimizing a supplier’s security strategy.

5.2. Securing the supply chain

One of the main trends in cybersecurity in recent years has undoubtedly been the increase in attacks on companies’ supply chains.

Many companies have made great efforts to protect their assets and optimize their security systems. This has made it more difficult for cybercriminals to find vulnerabilities to exploit and breach existing defenses.

As a result, cyber-attacks have spread to the supply chain. If we go back to our previous example, a criminal may attack a banking organization by exploiting one of its suppliers rather than directly targeting that organization’s infrastructure.

What is the consequence of this trend? First, companies must consider their security status and the suppliers they contract. It is only possible to implement a solid cybersecurity strategy for the company’s systems, network, equipment and software if a supplier with access to your information is properly protected.

5.3. Safeguarding business and customer data

Supply chain attacks challenge nothing less than one of the most important business assets of any company today: its data and that of its customers.

If criminals have access to a company’s data, they can steal it, hijack it, sell it and use it to develop other attacks to commit fraud in which the victim can be the company and its customers.

The reputational, economic and legal consequences can be enormous and seriously blow the company’s business model and position in the market.

This is why companies commit to evaluating their suppliers and ensuring that their data will be safe when working with them. There is no point in a provider offering a highly useful technological solution if, by using it, the company is exposing its data to a landscape riddled with threats and risks.

In short, security ratings do not evaluate in depth the security status of a company or its suppliers. Still, they are useful for analyzing whether a company’s technological infrastructure exposed to the Internet has an adequate basic configuration. In this sense, they help protect a company’s reputation and, above all, function as a starting point for a security assessment of the company’s suppliers.