The cyber risk industry is swarming with vendors who evaluate an organizations cybersecurity posture using a mix of subjective audit questionnaires, and “outside-in” scanning, like penetration tests, vulnerability scans, dark-web searches, etc. None of these cyber risk assessments give visibility into the asset behavior behind corporate firewalls. This lack of internal cyber visibility, through the use of questionnaires and scanning, has left a huge cyber risk visibility gap that can only be filled through an “inside-out” view of the network.
Questionnaires have been used for over a hundred years to evaluate property insurance risk, but in those cases the questions were easily verifiable with public records. The business address, size of the building, when the building was constructed, distance from a fire hydrant, nature of the business, etc. are all recorded as part of the local building code. Unfortunately, business networks are not like static buildings, they are dynamic and ever-changing. Cyber network policies and controls are updated continually, core assets are being added, removed, or migrated between zones, and at the same time staff assets are moving between home, mobile, and office. The management representative who has to sign that the questionnaire responses are “true and complete” is put in a really tough spot. In the end, cyber risk can’t be effectively measured by asking a host of questions at a single point in time.
Outside-in scans are limited to identifying vulnerabilities in an organization’s externally facing services, so the entire scope of the corporate internal network is not included in the assessment. These external penetration-tests are great at checking for open ports and patch status on external IP addresses, detecting known vulnerabilities, and identifying the use of any deprecated services, but they are unable to ensure an organization has an enterprise data protection program in place, like actively using multi-factor authentication, endpoint protection, secure protocols, modern encryption, least-privilege access, and proper network segmentation. These scanning technologies use signature and rule-based technologies to check for known vulnerabilities on internet-exposed systems, but do nothing to identify vulnerabilities on systems inside the firewall or combat new vulnerabilities that are uncovered every day.
‘Cyber risk’ is defined by PwC as "any risk associated with financial loss, disruption or damage to the reputation of an organization from failure, unauthorized or erroneous use of its information systems." Not properly managing cyber risk poses a major threat to all types of organizations. Information exfiltration is rapidly becoming more prevalent. Organizations increasingly face new exposures, resulting in first-party and third-party damages, business interruption and regulatory consequences. It is now more important than ever for organizations to understand their cyber risks within the organization. Given the shortcomings of assessments based on both questionnaires and outside-in scanning, organizations need a risk solution that evaluates risk from the inside-out. A solution that assesses cyber risks inside the network, based on objective evidence of vulnerabilities seen on-the-wire, and continuously monitors to ensure risks have been effectively mitigated. To find out if your business is exposed to excessive cyber risk, email firstname.lastname@example.org for a free cyber risk assessment score.