BitSight talks with GRC World Forums on how companies can reduce their risk of experiencing a ransomware attack, manage the risk to supply chains, and utilise Financial Quantification to get the message across to executives and boards.

In 2018, Gartner published in its report, Innovation Insight for Security Rating Services, that by 2022, security ratings will be just as crucial as credit ratings when assessing the risk of business relationships.

Since its creation in 2011, BitSight is the only Security Rating on the market that is independently correlated with breach risk and stock performance.

Offering actionable security ratings, cyber risk metrics and Financial Quantification, BitSight aims to transform how security is addressed and how companies take on third-party risk management and security performance management.

Following two major recent events in cybercrime, SolarWinds and Colonial Pipeline, we asked BitSight for its prognosis about ransomware’s impact on the cyber landscape.


How has ransomware changed in recent years and how do you predict it will change in the future?

The number of successful ransomware incidents has grown dramatically in recent years, with some insurers reporting a rise in successful attacks by more than 450% year over year. We’re still in the early stages of these types of attacks — but clearly, they are having a real financial impact today and that’s only going to grow for the foreseeable future. Things will start to change when more organizations address the critical gaps in their programs that are leading to these “easy” attacks — for example, BitSight research finds that implementing an effective vulnerability management system is extremely important to help reduce the likelihood of experiencing a ransomware attack. If organizations can better focus their efforts on doing these things well, we can reduce the risk of ransomware attacks and improve the security of the broader ecosystem.


BitSight research shows that organizations with a security rating lower than 600 are 6.4x, and organizations with a rating between 600 and 650 are 4.6x, more likely to be a ransomware victim compared to the benchmark of organizations with a 750+ security rating. How difficult is it for high-risk sectors such as healthcare to achieve a rating of 750+?

Security isn’t easy — it requires consistent performance over time. As we’ve seen in the last few months, this is such a dynamic space and attackers are consistently finding new vulnerabilities to exploit. In order to develop consistent performance, organizations would need strong, permanent leadership, an understanding within the organization about the importance of cybersecurity, appropriate budget to manage the risk, and a program that is performing effectively across a number of key categories (vulnerability management, endpoint detection, employee training, etc.).


What will be the long-term impact from the SolarWinds breach and what changes will be made in the security space to prepare for another breach of this scale?

SolarWinds emphasized the importance of managing risk to the supply chain — this was a perfect example of a critical supplier to countless organizations. Organizations need to spend much more time understanding the security posture of their suppliers in order to manage and reduce risk; collectively, there is so much more we can do to improve the supply chain ecosystem.


BitSight estimated the insured losses from the SolarWinds attack to be $90,000,000, but they could have been a lot worse. Is it just a matter of time before a ransomware attack on a country’s critical infrastructure leaves irreparable damage?

Early estimates suggest that the Colonial Pipeline attack caused around $25 million in insurable losses. Things could absolutely be worse if future attacks result in longer-term disruption or incapacitation. One of my greatest concerns is that an attack targeting critical infrastructure could conceivably knock an organization offline for weeks or months at a time; much of this infrastructure can be difficult to quickly replace, which could lead to long-term outages.

What kind of security layer does Financial Quantification provide for enterprises and how useful is that knowledge moving forward?

It is so important for CISOs to speak the language of the business. Executives and boards want to understand cyber risk in financial terms, and that’s what Financial Quantification is all about. Historically it’s been very difficult for CISOs to put dollar figures around their risk; BitSight is helping CISOs do that by leveraging models that have been built for the insurance industry. If CISOs can provide better information about financial risk, they can do better planning and budgeting and help drive down the overall financial risk for the organization.


Jacob Olcott is Vice President of Communications and Government Affairs for BitSight, the Standard in Security Ratings.

He previously served as legal and policy advisor on cybersecurity issues to the U.S. Senate Commerce Committee and U.S. House of Representatives Homeland Security Committee. Prior to BitSight, he advised Fortune 1000 executives on cybersecurity governance and technology issues. He also served as an adjunct professor on cybersecurity at Georgetown University’s School of Foreign Service. He holds degrees from the University of Texas at Austin and the University of Virginia School of Law.

To find out more about how your company can improve its security posture, visit BitSight’s website.