Cyber security

Risk-based approach instead of checklists


Cyber security is an ongoing issue in all areas, including the banking world. How are things looking in the industry? What role do analysis methods play? And where do people fit into all the security requirements and considerations?

These are all questions that are answered by Patrick Steinmetz, Head of DACH Sales at BitSight, in our interview.

Mr Steinmetz, the many reports we hear about supposed or actual IT security challenges in the banking environment do not bode well. How do you think IT security is looking for banks and insurance companies?

Patrick Steinmetz: Particularly the heavily regulated companies from the financial sector are investing increasing amounts in their IT security every year. They are also putting in place tough requirements in terms of the security posture of third parties they work with, because they give some of them access to sensitive data. Nevertheless, the frequency of cyber attacks is on the rise.
As a result, many managers are constantly asking how appropriate their own IT security actually is, and how efficient their expenditure on it has been. Also, how do they get a valid assessment of their suppliers' and partners' IT security? Or that of potential policyholders? Conventional methods of measuring IT security include checklists, audits, certifications, penetration tests and vulnerability scans. These methods are time-consuming, cost intensive and only provide a snapshot of IT security. They are not comparable or standardised. What's more, these conventional methods on their own are not sufficient to assess IT security, as the growing number of data leaks demonstrates.

Supplier cyber risk in particular is a huge challenge. In the study produced jointly by BitSight and CeFPro entitled "Third-Party Cyber Risk for Financial Services: Blind Spots, Emerging Issues & Best Practices", we highlighted the problems in greater detail. The study investigates current and future methods and challenges in risk management for cyber risks emanating from the supply chain. The study is based on a survey of experts in financial services.

It shows that experts consider risk management of supplier cyber risks to be business-critical. However, there is often a lack of continuous monitoring and standardised reporting of supplier cyber risks. Along with other weaknesses, this makes organisations susceptible to data protection violations and other consequences.

Many companies work with hundreds or even thousands of suppliers. This results in new risks that companies need to be proactive in dealing with. Especially in the financial industry, there is a huge business ecosystem made up of legal organisations, auditing and human resources companies, consultants, outsourcing companies, and IT or software providers. Each of these providers represents a potential weakness for cyber defence if the risk they cause is not actively managed.

Only active cyber risk management can ensure that the exchange of data and other sensitive information with suppliers is protected.

On its website, your company promises a world-leading security rating platform. Without giving us a sales pitch, what do you think makes it world leading?

Patrick Steinmetz: I don't need to give a sales pitch – the facts speak for themselves. There are a number of reasons why BitSight is the market leader in IT security ratings. First among them is our high quality data. BitSight collects its data from more than 120 comprehensive and diverse data sources. The data used by BitSight is "publicly accessible" data, in other words it is not obtained from within the company being rated. The data is theoretically publicly accessible, although in practice it would be very difficult to obtain – otherwise anyone could easily copy what we are doing.

I'd like to illustrate this with an example: Through our subsidiary AnubisNetworks, BitSight operates the world's largest sinkhole. This enables us to analyse communication between computers infected with malware and the command and control (C&C) servers contacted. As a result, BitSight can identify precisely which computers in a company are infected with malware. Strictly speaking, the simple presence of malware in a company is a breach and a significant indicator that security controls have failed. Infected computers and C&C servers communicate via the public Internet, and the data is public in that sense, but only a world-leading sinkhole infrastructure like ours enables this data to be collected and comprehensively evaluated.

We obtain further data from providers of security services and through exclusive partnerships with established global companies. The rating information therefore comes from a range of sources – both public and only accessible to us – such as botnet, spam, user behaviour, news feeds and social media. Before a source is added to the rating, it undergoes a painstaking analysis and accuracy monitoring by our data scientists and technical experts. The rating itself is created by an algorithm that analyses the data for severity, frequency, duration, and confidence.

Another key point about BitSight is our ability to provide unique and actionable data analyses, along with our broad market acceptance. We supply our data as a charged subscription service. BitSight offers a 12-month historical overview of a company's cyber security performance, measured using 23 different risk factors. Other providers are miles away from this level, measuring a maximum of six or seven risk factors.

Last but not least, in 2011 BitSight actually created the market for IT security ratings. Our infrastructure, our sensors, our collaborations, our algorithms – we have a huge advantage over our competitors in all areas.

Do you have a practical example for our readers of how the solution works and, especially, the added value it offers?

Patrick Steinmetz: Of course. I can give two specific examples from the recent past. Firstly, thanks to our sinkhole infrastructure we became aware of a domain connected to the Android Mobile Advertising software development kit (SDK) Arrkii. In their analysis, our experts came to the conclusion that the Arrkii SDK demonstrates functions and behaviours that indicate a potentially unwanted application (PUA). We then identified part of the infrastructure of that SDK using sinkholing. We counted a total of 15 million different devices (with 40 million different IP addresses) over a period of a month that communicated from within a corporate network. This affected devices in more than 6,000 companies in numerous sectors. The overwhelming majority of infected devices were in India. However, we also recorded almost 200,000 infected devices in Germany. As a result, our customers were able to see exactly which of their mobile devices are infected with malware – and the situation regarding the cyber security of their suppliers' mobile devices.

Secondly, we collected information on the exposure and security status of systems in corporate networks that are susceptible to BlueKeep. Worldwide, BitSight found almost a million computers with Internet access that are susceptible to the BlueKeep vulnerability. Our solution allows the susceptibility to BlueKeep to be broken down by country. It shows that IT managers in different countries have reacted very differently to their systems' need for a patch. BitSight also analysed the susceptibility of specific sectors to BlueKeep. In this case, the added value for our customers is that they can find out the patch status of their own systems worldwide in respect of this critical security vulnerability. And they learn more about the patch status of suppliers, partners and potential policyholders. Those are just two examples.

Can this rating platform also be used in other sectors?

Patrick Steinmetz: Of course. Our IT security ratings are suitable for any sector and, in actual fact, our customers come from a wide range of different sectors. Companies all over the world use BitSight IT security ratings. CISOs, CIOs, security managers and many others use BitSight to analyse their own security risk or the cyber risks in their supply chain. Global insurance companies use BitSight for underwriting and to assess the risk of companies who are looking for cyber insurance. Financial institutions and private equity firms use BitSight to understand the IT security risk of an investment. However, IT security ratings also support comprehensible reporting to the board and allow benchmarking with competitors and subsidiaries. At a national level, for example, a state can check and monitor the IT security of its critical infrastructure – some states are already doing this. There are many other possible applications for our solution – we are sometimes surprised ourselves by what our customers use the data for.

What role do new analysis methods, such as predictive analytics, play in moving towards advanced risk modelling?

Patrick Steinmetz: For all of our customers, particularly new customers, having a comprehensive, automatically created external view of their own organisation's cyber security, and that of any other organisations, thanks to IT security ratings that are updated on a daily basis is a huge step forwards. Every day they can find out their current risk (or that of their suppliers) in terms of the very latest threats.

With BitSight Forecasting, we also offer the first analytics solution in the field of IT security ratings, which provides an insight into a company's current and future IT security initiatives. BitSight Forecasting helps customers to measure the effectiveness of their IT security investments and initiatives. The numerous different threats that companies are exposed to these days make it harder to provide quantifiable information about which investments will deliver the best possible results. Thanks to BitSight Forecasting, users can model different IT security scenarios and calculate how changes to processes, technologies and corporate culture will impact on their IT environment. This enables them to identify the right strategy and the right resources to minimise risks. BitSight Forecasting helps in managing the complexity that goes with prioritising investment decision options in terms of achieving measurable improvements in IT security.

Despite these technological issues, there is still the question of how and where you get people on board with your solution, particularly when it comes to awareness and developing a strong security consciousness across the organisation?

Patrick Steinmetz: People are at the centre of one of the four broad-based categories which we split the 23 different risk factors into. The categories are compromised systems, IT cyber hygiene, user behaviour and publications on data protection violations. The user behaviour category includes every possible risk that is linked to measurable behaviour of users in corporate networks. One example of dangerous user behaviour is peer-to-peer file sharing. This involves users downloading files, often in violation of copyright laws, and perhaps even opening them. If these files are infected with malware, it can infiltrate the corporate network. With BitSight, it is possible to identify users whose behaviour constitutes a cyber risk. Based on this knowledge, additional measures such as training can be adopted.

Nevertheless, it is clear that banks and insurance companies remain a popular target for hacker attacks and acts of sabotage. Where do financial service providers need to take action to achieve a qualitative improvement in security in their own organisation?

Patrick Steinmetz: The answer is obvious. Taking an external view to identify weaknesses and then adopting countermeasures to eliminate them. As part of a study, over two years BitSight has analysed the IT security ratings of 27,458 companies and related them to a comprehensive data set made up of 2,671 published data protection violations in the same period. The companies analysed differ in terms of the size and locations of their offices and come from 22 different sectors. The results clearly show that companies with a better rating fall victim much less often to a data protection violation that is publicly announced. Looking at it the other way around, companies with a low rating are victims of a published data protection violation five times more frequently than companies with a rating of 700 or higher. Our ratings go from 250 to 900.

There is also the question of whether there can actually be a winner in this high-stakes game between banks and insurance companies on one side and hackers on the other?

Patrick Steinmetz: Of course, hackers are constantly coming up with new methods, but if risk officers, CIOs and CISOs are using the right tools, they have good cards to play. Our IT security ratings allow the complex issue of IT security and risk to be communicated to the board in a much more understandable form, supporting the allocation of appropriate budgets. For example, we have a rating of 600, but our biggest competitor has a rating of 700 and the industry average is 680. So we need to invest and take action.

Finally, in what direction do you believe banks and insurance providers need to develop organisationally to increase their own resistance (or resilience) and not to get tangled up in the jungle of internal and external regulatory requirements?

Patrick Steinmetz: BitSight promotes a risk-based approach to cyber security. If a company pursues a risk-based approach, the company – or its CIO, CISO or risk manager – will take into account risk ahead of all other factors when making decisions relevant to IT security. Risk-based approaches are often described as the opposite of compliance-focused approaches. Teams with a risk-based approach work more effectively towards reducing the actual threat to their organisation from cyber attacks and data protection violations, instead of ticking off checklists or passing audits – although of course these targets remain important too.

Patrick Steinmetz, Head of DACH Sales at BitSight.

Before Patrick Steinmetz joined BitSight, he was a director of companies including NICE Actimize, Trusteer and BAE Systems in Germany, Switzerland and Austria. He previously worked at Thomson Reuters in Frankfurt and studied at the University of Kiel.

[ Source of cover photo: Adobe Stock | Patrick Steinmetz: BitSight ]