Cyber Insurance, Vendor Risk Management & the black magic of risk rating (Part 3 of 3)
By Hal Overman - About a 10 minute read - ConvergeOne, Custom Security, IT, and UC Solutions


I will start off by saying that this article is completely written from my experience as a cyber security consultant, talking to customers, and doing research on my own. The views in this article represent mine and only mine. This industry is rapidly moving and I am NOT in the insurance business. I welcome comments from those in that business, as it's a great business!

The last two articles covered how third-party risk rating companies determine another company's cyber risk (Part 1), and how those risk ratings can affect things like your cyber insurance rates and whether another company wants to do business with you as a vendor. I wrote about some of the ways risk rating companies use data available on the public internet to rate a company. To pick up where I left off in Part 2, I am going to explain three ways a company with the ideal security posture, one that is doing everything RIGHT, can still end up with a bad risk rating.

A) You own a block of internet-facing IP addresses. Your corporate traffic flows to the internet through these addresses, but, guess what, your GUEST network uses the very same addresses. You have all the proper security controls on the corporate network, but the guest network is wide open, since there seemed to be no reason to invest in security controls for devices you don't even manage. Endpoints on the guest network are unmanaged devices infected with malware, running P2P file sharing, enrolled in botnets, and so on (can you imagine the risk score of your local coffee shop?). Because all of that guest traffic is NATed out through the same public IP addresses as your corporate traffic, an external risk rating company that only sees the source IP concludes that your organization is generating bad traffic. Yuck, and you thought you were doing your coffee-sipping lobby guests a favor.

B) You use a cloud hosting company or CDN for your internet-facing web app (who doesn't nowadays?). You use a great, reliable provider (Akamai, Cloudflare, AWS, Azure) and your domain name points to a web app running on shared infrastructure behind an IP address. Unless you pay for a dedicated IP, several other entities sit behind that same address; inbound HTTPS requests are routed to the correct tenant by the TLS SNI value and the HTTP Host header, neither of which an outside observer of an IP-level feed can see. If any one of those other tenants attracts or generates malicious traffic, your organization is tagged along with them as high risk, because that IP address has shown up in botnet or DDoS data, for example. A risk rating company working from IP-keyed feeds has no way of distinguishing between you and the other tenants. You are guilty by association!

C) Your customers (and your users) have accounts all over the internet. They use one set of credentials, usually a username in the form of an email address plus a password, for partner portals, the corporate coffee service, ordering team lunches online, and so on. One of those sites is hacked, the credentials are stolen and sold on the underground. It is well known that people reuse the same password across multiple online accounts, so you now carry risk, because the chance that one of your users or employees reused their corporate credentials is high. So, if joe@abc_company.com sets up an account at his local library and the library gets hacked, abc company's risk rating is affected. Social engineering or social misdirection? You decide, but the risk rating company has already given you a bad rap.
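As an added illustration (not from the article, and not how any particular rating vendor actually scores), the following Python models the outside-in attribution behind all three scenarios: an IP inside your registered netblocks, an IP that one of your hostnames resolves to, or an email address under your mail domain gets charged to you, whatever is really behind it. The inventory, feed entries and addresses are all constructed. It also shows which findings disappear once guest egress leaves the corporate block and the web app gets a dedicated IP, and which one does not.

```python
"""Toy model of outside-in risk attribution.

Added example: not the article's code and not any rating vendor's
algorithm. Every IP, domain and feed entry below is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: what a rater believes belongs to "abc_company.com",
# pieced together from WHOIS/BGP (netblocks), DNS (hostnames) and MX/web
# presence (mail domain). Scenario A: the guest network NATs out of the same
# /28 as corporate. Scenario B: the web app sits on a shared CDN edge IP.
ORG_BEFORE = {
    "name": "abc_company.com",
    "netblocks": ["203.0.113.0/28"],
    "hostnames": {"www.abc_company.com": "198.51.100.7"},
    "mail_domain": "abc_company.com",
}

# Same org after footprint changes (assumed here, not prescribed by the
# article): guest egress moved to a range the rater does not associate with
# the corporate block, and a dedicated IP at the CDN for the web app.
ORG_AFTER = {
    "name": "abc_company.com",
    "netblocks": ["203.0.113.0/29"],
    "hostnames": {"www.abc_company.com": "198.51.100.200"},
    "mail_domain": "abc_company.com",
}

# Constructed feed entries, roughly the kind of data a rater buys or collects:
# sinkhole/C2 beacons, P2P observations, DDoS participant lists, credential
# dumps. Nothing here says which device, tenant or person was responsible.
FEED = [
    {"kind": "botnet_c2_beacon", "src_ip": "203.0.113.9"},   # guest laptop (A)
    {"kind": "p2p_torrent", "src_ip": "203.0.113.9"},        # guest laptop (A)
    {"kind": "ddos_participant", "src_ip": "198.51.100.7"},  # a CDN co-tenant (B)
    {"kind": "leaked_credential", "email": "joe@abc_company.com",
     "source": "library breach"},                            # password reuse (C)
    {"kind": "leaked_credential", "email": "ann@other.example",
     "source": "library breach"},                            # someone else's user
    {"kind": "botnet_c2_beacon", "src_ip": "192.0.2.44"},    # unrelated network
]


def attribute(org, feed):
    """Return {finding_type: [feed entries]} that the rater pins on `org`.

    Attribution is purely outside-in: the rater cannot see NAT tables, TLS SNI
    or Host headers, or who actually typed the leaked password, so anything
    sharing the org's public identifiers is charged to the org.
    """
    nets = [ipaddress.ip_network(n) for n in org["netblocks"]]
    host_ips = set(org["hostnames"].values())
    domain = org["mail_domain"].lower()
    findings = defaultdict(list)
    for entry in feed:
        ip = entry.get("src_ip")
        if ip is not None:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in nets):
                findings["bad_egress_traffic"].append(entry)   # scenario A
            elif ip in host_ips:
                findings["malicious_web_ip"].append(entry)     # scenario B
        email = entry.get("email")
        if email is not None and email.lower().rsplit("@", 1)[-1] == domain:
            findings["leaked_credential"].append(entry)        # scenario C
    return dict(findings)


def finding_counts(org, feed):
    """Condensed view: how many entries of each finding type land on `org`."""
    return {kind: len(entries) for kind, entries in attribute(org, feed).items()}


if __name__ == "__main__":
    print("before:", finding_counts(ORG_BEFORE, FEED))
    print("after: ", finding_counts(ORG_AFTER, FEED))
```

Run as a script, the "before" inventory collects all three finding types; the "after" inventory loses the egress and web-IP findings because the identifiers no longer overlap, but the leaked credential stays, since no amount of network redesign changes the fact that a corporate email address appeared in someone else's breach. That last one is only answered by the password and MFA practices the article alludes to, not by footprint changes.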

So now the obvious question becomes: what does a company do? Fear not, the examples above, and the many other ways you can be rated incorrectly, can all be remedied with common-sense security practices, security-conscious network design, and a few smart security vendors. By making some tactical changes, you can lower your rated risk and put your company in a position to look better to insurers as well as to other companies looking to do business with you.

So, do you want some cost-effective pointers? To find out, and to continue your company's story, you can contact me directly. Thanks for reading!

Hal Overman works as a National Account Manager for ConvergeOne, a vendor-agnostic IT, Security, and UC consultancy.

Thanks for writing this - it pulls back the veil on why companies can receive bad cybersecurity scores from the likes of RiskRecon or Panorays. I don't think companies are really doing anyone a favor by providing shared Internet access at their stores - if they and their patrons understood the dangers of this they'd change their ways. 👏
