Software Contract Solutions

Cyber security scores: a new standard in mitigating risk?

Andrew Martin, founder and CEO of DynaRisk, explains how cyber security scores are improving employee engagement for enterprises.

It looks like cyber attacks are here to stay, and they’re costing businesses a lot of money. According to research from Accenture, cybercrime could cost companies globally $5.2tn over the next five years.

In response, businesses are doing the obvious: ramping up spending on technologies designed to stop cyber attacks entering their networks. While this increased spending has undoubtedly brought many security benefits, one can’t help but notice companies are still overlooking cyber security’s biggest threat: human error.

Research in 2018 found that 88% of UK data breaches in the previous two years were caused by human error rather than direct cyber attacks.

Limitations of security awareness training

With so many breaches being accidentally caused by employees clicking on phishing emails or unknowingly opening suspicious documents, businesses are increasingly looking to security awareness training courses to solve their woes.

However, according to Andrew Martin, founder and CEO of DynaRisk, these courses have major limitations in that they’re not relevant enough to the individuals doing the training.

“The way that companies typically train employees is they either give them a PowerPoint deck to sit through or send them on training courses run by consultants, which are often very expensive and afterwards they get a quiz which everybody passes.

“Often the problem is that nobody is engaged; they go there because it’s just something that they have to do.”

Benefits of cyber security scores

This is why Martin argues it’s time companies consider a new approach that engages employees more effectively.

His company has built a system that combines personal risk factors with external data and algorithms to determine an individual’s level of risk online, and then gives them simple actions to take to protect

“People generally don’t care about their work device, what they care about is themselves. By giving somebody a score and telling them if they are doing good or bad they can begin to understand what it means to them,” said Martin. “The problem with cyber risk is that it’s nebulous, you can’t see it or touch it, but when you put it into a number, people become incentivised and energised to do something about it.”

Real-time metrics

According to Martin, another benefit to security scorecards over more traditional training programmes is that they provide real-time metrics to monitor employee behaviour post-training.

“If you get sent a phishing email and you click it, your score goes down, and if you don’t click it, your score goes up.”

He added: “A lot of the training that’s done today is just an annual thing; one shot, that’s it, which again is not very engaging or effective. With a score-based system what you do is continuously engage people.”

Evening the playing field

Security scores come with another benefit: they allow companies to vet the accuracy of an assessment made by other organisations who might be trying to determine partner risk.

This also has benefits in the emerging area of cyber liability insurance, where businesses often feel left in the dark when it comes to having their premiums determined.

Martin added: “If a company shares data from its security score with an insurance company, then that insurance company can take it into account for their underwriting practices, and then potentially reduce their policy premium.”

This article originally appeared on InformationAge.
