The Pros and Cons of Cyber Ratings: What You Need to Know 

Cyber Ratings, also known as Security Ratings – what are they and how do you get one? Well, more on that later but Gartner insisted in 2021 that over the next 5 years Cyber Ratings will be as important as credit ratings for supply chain management and they will become a precondition of doing business.  

Enter LinkedIn: Sorry, not sorry 

Picture the scene: the CEO has read on LinkedIn that at least 65% of Cyber Attacks today are due to the negligence of a 3rd party. Although you love (or hate, a bit like marmite) your security questionnaires, you are now sifting through a sea of security vendors, all promising to protect your company from cyber threats involving third parties – with a magic number.  

What are Cyber Ratings? 

Enter cyber ratings, the ongoing trend in the cybersecurity market inspired by the beloved to all 😉 credit ratings market. Cyber ratings provide an aggregated score of a company’s cybersecurity posture based on externally observable data as analysed by Forrester. They aim to help businesses assess their own security and evaluate the cybersecurity risk of their third-party ecosystem. According to the World Economic Forum, cyber risk ratings can objectively assess an organisation’s cybersecurity posture based on various factors, including network security, data protection and incident response capabilities. It’s like having a report card that tells you where your supplier stands in the realm of digital fortification. Let’s dive into the pros and cons: 

Pros: 

  • Vendor Risk Management Made Easy: Say goodbye to the hassle of manually assessing your third-party vendors! Security ratings provide a convenient shortcut to evaluating their cybersecurity practices. It’s like having a personal assistant who sifts through mountains of data to give you a neat little score. Who needs hours of due diligence when you can make snap judgments based on a single number? 
  • Validation of Security Claims: Cyber ratings platforms can help companies validate the security claims made by third parties, as I’m sure you may be shocked to learn that some people may be less than truthful when a sale is in jeopardy over a security tick box. Their observed security posture can provide a sense of assurance and confidence when engaging with other businesses. It’s like having a truth serum that exposes any exaggerations or lies. 
  • Objective Assessment: Who needs subjective opinions when you can have an independent evaluation of a vendor’s cybersecurity practices? Cyber Ratings offer an “unbiased” perspective (well, at least in theory) to help you see through the smoke and mirrors. 
  • Some Transparency and Workflow Capabilities: Some cyber ratings platforms offer semi-robust process transparency and workflow capabilities. They provide detailed ratings model white papers, publicly available information, and workflow processes that enhance the understanding and usability of the ratings. 
  • Comparative Analysis: Cyber Ratings allow you to indulge in some healthy competition between your vendors. Compare their cybersecurity performance like you’re judging a beauty pageant and crown the winner with confidence. 
  • Third-Party Risk Portfolio Building: Building a diverse portfolio is not just for stock market enthusiasts! With security ratings, you can create your very own third-party risk portfolio. It’s like curating a collection of risky relationships and proudly displaying it to your colleagues. Show off your ability to identify potential vulnerabilities in your supply chain and be the envy of risk managers everywhere. 

Cons: 

  • Market Immaturity: The cybersecurity risk ratings market is still considered immature, being a new and unregulated industry. While accuracy and transparency have improved, Cyber Ratings heavily rely on data sources, but not all data is created equal. Some rating companies may use outdated or incomplete information, leading to inaccurate portrayals of security. It’s like basing your life decisions on Chat GPT3 and not consulting GPT4, Bing and Bard and you know, real life therapists. 
  • Limited Recourse for Low Ratings: One significant drawback of Cyber Ratings is the limited recourse or avenues for improvement if a company receives a low score. Suddenly, the ability to close a deal rests in the hands of a single number and an algorithm. This lack of recourse can be frustrating for organisations on the ‘blacklist’ (in many cases it’s red), raising questions about the fate of long-term valued partners, unless you want an excuse to purge them 😜 
  • Rating Reliability Roulette: The world of Cyber Ratings is a minefield of conflicting methodologies and scoring systems. Standardised metrics? Well, sort of. Different cybersecurity ratings companies may deliver varying risk scores based on the data selected for assessment. Subjectivity also creeps in with their own secret sauce in selecting and weighing criteria. So, grab a pinch of subjectivity to sprinkle on your assessment process. 
  • Stuck in the Past: Many Cyber Rating companies still cling to outdated methodologies that fail to keep up with the ever-evolving threat landscape. The lack of integrations with other risk and compliance management technologies hinders widespread adoption and effectiveness. 
  • Limited Scope: Cyber Ratings tend to focus on specific aspects of cybersecurity, conveniently ignoring other critical factors. Because who needs a holistic view of security when you can just evaluate one piece of the puzzle, right? 
  • Lack of Context with a dash of limited visibility: Context? Pfft! Cyber Ratings might not consider factors like industry specifics or your vendor’s risk appetite, disregarding relevant context. Get ready to be amazed by the wonders of publicly available information and self-reported data—surprise! It’s a mixed bag. 
  • Reliance on Historical Data: Want a blast from the past? Cyber Ratings got you covered. Their assessments might be based on historical data, which means they might miss the latest plot twists in a vendor’s security journey. It’s like predicting the future based on last year’s newspaper. 

Conclusion: Cyber Ratings – the imperfect superheroes of supply chain security evaluations. While they bring some undeniable advantages, they also come with their quirks. 

And here we are, at the end of this thrilling cyber rating journey! But before we bid adieu, let’s shine a spotlight on the true superhero of managing third parties and security ratings—HighGround.io.  

With its cyber supply chain management feature about to release, HighGround.io leaps over the competition like a caped crusader, effortlessly balancing the need for security with a touch of whimsy. It’s like having a cyber butler who not only manages your third-party risks but also knows how to crack a good joke. So, whether you’re a David in a world of Goliaths or a Goliath in a world of Davids, HighGround.io is here to save the day, one security rating at a time. Go ahead, take control of your cybersecurity experience and let HighGround.io be your trusty sidekick. Together, we’ll conquer the realm of third-party management with a smile and a virtual high-five. 

Learn more about HighGround.io’s Cyber Security Manager next week as we launch.

Unmasking the Deal-Breaker: How Your Cyber Posture Can Make or Break Big Sales

Alright, fellow SMEs, picture this: You’re on the brink of sealing that shiny new deal with the huge prestigious account you’ve been pursuing for five long years. The sales team can practically taste their well-deserved commissions, and it seems like a done deal. But suddenly, one of the techies from the potential client demands to know your Cyber Posture 😱. They want concrete evidence that you’ve got what it takes, with the receipts, to bounce back from the darkest corners of the web and protect their precious data. Now, while you may be frantically Googling “what is a cyber posture and how do I get one,” they have an entire security team working on their side, casting doubt on your credibility as a small fry. 

Are they being paranoid or just drunk on the power of knowing you want the sale at any cost? Well, truth be told, they’re not entirely wrong. Data doesn’t lie. According to the European Union Agency for Cyber Security, between January 2020 and July 2021, 32% of cyberattacks targeting supply chain businesses resulted in data theft and breaches of internal processes and 65% of attacks today happen due to the negligence of a third party. 

But fear not, SMEs of the world 😎! Before Sales starts making voodoo dolls out of you, or the board grills you about your Cyber Posture, this guide will show you how to impress potential clients with your Cyber ninja skills and secure that deal ASAP. 


Rock Solid Assessment

First things first, get your risk assessment game on point. Conduct a comprehensive analysis of potential threats, vulnerabilities, and risks lurking in the shadows. Identify weaknesses and showcase how you plan to address them. Your potential clients want to see that you’ve left no stone unturned in understanding and mitigating the risks that could compromise their valuable data. Here’s a quick FAQ from our mothership on risk assessments https://m3networks.co.uk/cyber-security-archive/5-faqs-about-cyber-security-risk-assessments/  

Armor of Security Measures: 

Equip yourself with an impressive arsenal of security measures that will make your potential clients nod in approval. Show them your state-of-the-art firewalls, cutting-edge encryption methods, and multi-factor authentication protocols. Demonstrate that you’ve built a fortress 🏰around their data, leaving no room for cyber villains to penetrate your robust defenses. 


Superhero Training Program: 

Every superhero needs to hone their skills, and your team is no exception. Develop a top-notch training program that transforms your employees into cyber guardians. Train them on the latest cybersecurity best practices, from spotting suspicious emails to handling social engineering attacks. Make it engaging, inject your signature humor, and keep everyone on their toes. And don’t forget to document it all as proof, for the ultimate flex on your Cyber Posture. 

Incident Response Superpowers:

When trouble strikes, you need to unleash your incident response superpowers. Show your potential clients that you’ve got a well-rehearsed plan to handle any cyber threat that comes your way. Outline the steps you’ll take in the event of an incident, from isolating affected systems to swiftly restoring operations. Prove that you’re a master of disaster, ready to tackle any challenge head-on. Need help? Check out our free guide on incident response planning. 

Validation and Compliance Credentials: 

No showcase of cyber posture would be complete without the necessary validation and compliance credentials 🏆. Highlight any certifications or audits you’ve undergone, such as SOC2, Cyber Essentials or ISO 27001, to demonstrate that your security practices meet industry standards. These credentials provide reassurance to your potential clients that you’ve undergone rigorous scrutiny and emerged victorious. 

So now, you’re fired up 🔥and ready to go – that’s great news! But here’s the not-so-great news: These folks love their questionnaires, and they’re going to send you a document that’s hundreds of pages long. You’ll have to answer every single question, ‘securely’ by email, resulting in a never-ending thread. But fear not, for once you conquer that task, you’ll be in the clear and deserving not just of a raise, but maybe even those elusive bonuses floating around for saving the day. 

The moral of this story? As an SME, you’re often seen as the weak link, and you’ll always have to prove your Cyber worth. That’s precisely why we built HighGround.io – to make your life easier during the show-and-tell sessions. And here’s the most exciting part (well, at least for us): our new Supply Chain Manager feature is ready to be launched! So, make sure to check back here at the end of the month for all the exciting details. 

Sign up for a free trial of HighGround.io Premium. Free forever plans available.

The top 10 arguments for increasing your company’s cyber security budget 

We get it, it’s 2023 and you’re trying to stretch that IT budget as far as possible, but let us ask you this – what’s worse than spending a few extra pennies on your cybersecurity budget? Being the next victim of a cyberattack, that’s what! Think your business is too small to be targeted? Think again, because according to Accenture’s Cybercrime study, nearly 43% of cyber-attacks are targeted at SMBs. Those hackers are always on the prowl for vulnerable targets, and your business could be next on their list. That’s why it’s essential to invest in cybersecurity, and in this post, we’ll give you the top 10 arguments for increasing your company’s cybersecurity budget. (You’re welcome, IT manager.) 

  1. Protect your business’s reputation: A cyberattack can do more than just damage your business’s finances; it can also tarnish your reputation. A data breach can make your customers lose trust in your business, and it can take years to rebuild that trust. In fact, according to a study by ISACA, nearly 1 in 3 consumers stopped doing business with a company known to have compromised cybersecurity. 
  2. Avoid costly legal battles: In the event of a cyberattack, your business could be held liable for any damages incurred by your customers. This could result in costly legal battles that could bankrupt your business. In fact, the average cost of a data breach is $4.35M, according to a study by IBM. 
  3. Keep your customers’ data safe: Your customers trust you with their personal and financial information, and it’s your responsibility to keep that data safe. A data breach can result in the theft of your customers’ data, and it can take years to recover from the damage. Think it only happens to the Amazons of the world? Think again: according to a study by Verizon, 58% of data breach victims are small businesses, so that means you. 
  4. Stay ahead of the curve: Cybercriminals are always coming up with new ways to attack businesses, knowing that there are so many easy targets out there and no one really wants to spend money on protection. By investing in cybersecurity, you can stay up to date with the latest security trends and protect your business from new and emerging threats. 
  5. Protect your intellectual property: Your business’s intellectual property is one of its most valuable assets, and a cyberattack can result in the theft of that property. By investing in cybersecurity, you can protect your business’s intellectual property and prevent it from falling into the wrong hands, you know, those competitors out there who want to take you out. 
  6. Avoid downtime: A cyberattack can cause significant downtime for your business, and while some of your team will be happy watching the series finale of Succession until systems are restored, the result for you is lost revenue and productivity. A benchmark study by CISCO found that 40% of the small businesses that faced a severe cyber-attack experienced at least eight hours of downtime. And this downtime accounts for a major portion of the overall cost of a security breach. By investing in cybersecurity, you can minimise the risk of a cyberattack and avoid costly downtime. 
  7. Protect your supply chain: Your business’s supply chain is essential to its success, and a cyberattack on one of your suppliers could have a significant impact on your business. By investing in cybersecurity, you can protect your supply chain and minimise the risk of a cyberattack. (Check back here real soon, HighGround.io is launching a Supply Chain Manager feature). 
  8. Ensure compliance: Many industries have regulations governing the protection of data, and failing to comply with these regulations can result in significant fines and penalties. By investing in cybersecurity, you can ensure compliance with these regulations and avoid costly fines and penalties. 
  9. Demonstrate your commitment to cybersecurity: Investing in cybersecurity demonstrates your commitment to protecting your customers’ data and your business’s assets. This can help you win the trust of potential customers and differentiate yourself from your competitors. Plus, it has a knock-on effect on your team: not only will your IT manager be able to sleep at night again, but those employees who might be vulnerable to personal attacks like phishing will be better aware of the risks that they pose to the business. 
  10. Personal Liability: If all of the above wasn’t enough, let’s hit you where it hurts. As a CEO or business owner, do you want to be held responsible for a breach and potentially face financial penalties? The mood is swinging, and two legal cases in the US suggest that regulators and prosecutors are becoming more determined to take personal action against directors and senior executives who fail to deal adequately with cybersecurity breaches. Investing in cybersecurity is not just about protecting your business but also protecting yourself and your personal liability. 

In conclusion, cybersecurity is not something to be taken lightly. By investing in cybersecurity, you can protect your business’s reputation, avoid costly legal battles, keep your customers’ data safe, stay ahead of the curve, protect your intellectual property and avoid downtime. 

Or, how about protecting your company at low cost with a tool like HighGround.io? At HighGround.io, we offer a low-cost solution for businesses to manage their cybersecurity needs.   

Sign up for a free trial of Premium. Forever free plan available. 

NIST Framework 101: A Guide for IT Managers in SMEs 

Hey there, IT managers in SMEs, we need to talk about something important: the NIST framework. Wait, don’t click off this post and jump to Twitter just yet! We know that the words “framework” and “compliance” make your eyes glaze over and your mind starts wandering to thoughts of that new Star Wars movie (spoiler alert there isn’t but there are 1000 new series on the Disney Channel we can pull apart). But trust us, understanding the NIST framework is crucial for your company’s cybersecurity. And don’t worry, we’ll try to make it fun…or at least tolerable and if we fail at that, get somebody or something else to do it, but more of that at the end. 

What is the NIST Framework?

So, what is the NIST framework? Well, NIST itself stands for National Institute of Standards and Technology, and their framework CSF also known as 800-171 is basically a set of guidelines for organisations to manage and reduce their cybersecurity risks. Think of it as a roadmap for protecting your company’s sensitive information from hackers and other cyber threats. And trust us, you don’t want to mess around with cyber criminals. They’re like the Sith Lords of the internet, only less cool and more destructive. 

Why should I care about NIST?

Now, we know what you’re thinking: “Why should I care about the NIST framework? I’ve got too many other things to worry about, such as a reduced budget and Kevin from accounts forgetting his password every 5 seconds.” But here’s the thing: the NIST framework can help you do your job better and avoid potential disaster. It provides a common language for talking about cybersecurity across your organisation, helps you identify and prioritise your cybersecurity risks, and gives you a roadmap for implementing effective security controls. 

“But how do I know if my company is following the NIST framework?” you ask. Good question! There are a few tools out there that can help you map your cybersecurity posture against the NIST framework, such as the Cybersecurity Capability Maturity Model (C2M2) from the US Department of Energy. These tools can give you a better understanding of where your company stands in terms of cybersecurity and help you identify areas for improvement.  


I’m busy, can I get help?

If you want a tool that holds your hand all the way, consolidates your security tools in one place, maps your Cyber Posture against NIST and gives you insights and actions to Cyber Resilience, then we are going to have to shamelessly drop in our own tool as well: HighGround.io. 

So, IT managers, we urge you to take the NIST framework seriously. Don’t let the Sith Lords of the internet wreak havoc on your company’s sensitive information. Use the NIST framework as your guide through our app HighGround.io and may the force be with you. And Kevin, seriously, enough already. 

Sign up for your free premium trial of HighGround.io now. Forever free plans available.  

Stay tuned to our blog for updates on the latest developments and revisions to the NIST framework, including the biggest reform in its history, as it continues to evolve to meet the ever-changing cybersecurity landscape. 

The top 10 worst cybersecurity habits that your teammates may be guilty of 

As an IT manager in an SME, one of your top priorities is ensuring the security of your company’s data and systems. However, even with the best security measures in place, the actions of individual employees can pose a significant threat to your company’s cybersecurity. Yes, those who claim to be your work buddies are the very reason for giving you sleepless nights or being the cause of you getting pinged by your boss on a Saturday evening as you were just about to grab a pint at the pub. 

We’re going to outline the top 10 worst cybersecurity habits that your teammates and maybe even you, may be guilty of, and what you can do to help them improve their habits and, in turn, keep you sane. 

1. Using weak passwords

You might think that 12345678 is a cliché, but sadly it’s still used by many employees. Weak passwords are one of the easiest ways for hackers to gain access to your company’s systems and data. As an IT manager, you can encourage your team to use strong, complex passwords that are at least 12 characters long and contain a mix of upper and lowercase letters, numbers, and special characters. You can also implement password policies that require employees to change their passwords regularly and prohibit the use of common passwords. If all else fails, start a dedicated Slack channel for naming and shaming; there must be a plug-in that helps make a firework gif of their name and faux pas. 
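The policy described above (minimum 12 characters, a mix of character classes, and a ban on common passwords) is easy to turn into an automated check. The following is an added example written for this post, not HighGround.io’s own code: it validates a candidate password against those rules and returns every violation rather than just a yes/no, so the user learns what to fix. The denylist is a small constructed sample; a real deployment would load a large breach-derived list. The stem check (stripping digits and symbols before consulting the denylist, so that “Password123!” is still rejected) goes beyond what the post spells out and is our own assumption about how such a policy should behave.

```python
import re
import string

# Constructed sample denylist for illustration only. A production policy
# would load a much larger list of known-breached or commonly chosen passwords.
COMMON_PASSWORDS = {
    "12345678", "123456789", "password", "password1", "qwerty123",
    "letmein", "welcome1", "iloveyou", "admin123", "abc12345",
}

MIN_LENGTH = 12  # minimum length called for by the policy in the post


def check_password(candidate: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []

    # Rule 1: minimum length.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: mix of character classes (upper, lower, digit, special).
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")

    # Rule 3: not a common password. Compare two normalised forms so that
    # trivial decorations (capital first letter, trailing "123!") do not
    # let a denylisted base word slip through.
    lowered = candidate.lower()
    alnum_only = re.sub(r"[^a-z0-9]", "", lowered)      # e.g. "Password1!" -> "password1"
    alpha_stem = re.sub(r"[^a-z]", "", lowered)         # e.g. "Password123!" -> "password"
    if (lowered in COMMON_PASSWORDS
            or alnum_only in COMMON_PASSWORDS
            or (alpha_stem and alpha_stem in COMMON_PASSWORDS)):
        problems.append("appears on the common-password denylist")

    return problems


def is_compliant(candidate: str) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not check_password(candidate)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ["12345678", "Password123!", "Tr0ub4dor&3Horse!"]:
        result = check_password(sample)
        verdict = "OK" if not result else "REJECTED: " + "; ".join(result)
        print(f"{sample!r:22} -> {verdict}")
```

Wire `check_password` into whatever sets or rotates credentials (an onboarding script, a self-service reset page) and surface the returned list to the user; the per-rule feedback is what moves people off 12345678 without a trip to the naming-and-shaming channel.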

2. Sharing sensitive data

Sharing sensitive data over unsecured channels is a common mistake made by employees who may not understand the risks. Email, chat, and file sharing services are often unsecured, and using them to share sensitive data can expose the data to unauthorised access. To mitigate this risk, it’s important to encourage employees to use secure channels, such as encrypted email or file sharing services with password protection. An effective way to explain the risks is to use an analogy: sharing sensitive data on unsecured channels is like shouting your secrets in a public place. To illustrate this point to the non-believers, you could show a slide show of baby photos projected onto the wall in the break room that someone’s mum uploaded to Facebook. 

3. Ignoring software updates

Ignoring Patch Tuesday is going to bite you in the butt one day, and while it feels like the updates are the devil’s work and cause more problems than they solve, software updates often contain important security patches that fix vulnerabilities that could be exploited by hackers. As an IT manager, you can ensure that all devices and software are up to date by implementing automated update processes and regularly reminding employees to install updates. Failure to abide by your rules and you can threaten to block TikTok and Instagram in the office, nobody still uses Facebook anymore and Musk has ruined Twitter so you’re good with those two as a threat. 

4. Clicking on suspicious links

We’re not going to lie, phishing emails and links are becoming increasingly sophisticated. But clicking on a suspicious link is like playing Russian roulette with your company’s data. To help your colleagues avoid this, provide cybersecurity training that teaches them how to identify and report phishing attempts. And if they still fall for it, maybe consider hiring a fake Nigerian prince to run around accounts and teach them a lesson. 

5. Ignoring two-factor authentication

We get it, entering a code in addition to a password can be annoying. But two-factor authentication is an extra layer of security that makes it more difficult for hackers to gain access. As an IT manager, you can require the use of two-factor authentication for all company accounts. And if they still resist, ask the CEO to take the tea and coffee hostage or if you’re in a fancy office, the Kombucha until they all get on board. 

6. Neglecting endpoint protection

Neglecting endpoint protection is a huge risk for your company’s IT infrastructure. Ensure that all endpoints have up-to-date security software, firewalls, and intrusion prevention systems. Monitor these measures regularly for potential vulnerabilities. Failure to do so can lead to a devastating security breach that compromises sensitive company data and exposes the company to significant financial and reputational damage. We have no suggestions for suitable punishments on this one; it’s probably on you. 

7. Using public Wi-Fi networks

Public Wi-Fi networks are often unsecured, which means that any data transmitted over the network could potentially be intercepted by hackers. To help your colleagues avoid this risk when they “escape home” to go to Starbucks on their WFH days, provide a secure VPN (virtual private network) for remote access to company systems. And if they still insist on using public Wi-Fi, have their device play annoying songs on loop, and as loudly as possible, once a non-company network is detected. 

8. Leaving devices unattended

Common sense, I hear you cry, but when they’re not paying for the device, do you think they’re watching it while they run around collecting all the swag at that conference the CEO forced them to attend? Public places can make devices an easy target for theft or unauthorised access. As an IT manager, you can implement policies that require employees to lock their devices when they step away from them. Any culprits “forgetting” will receive a glitter bomb package to their home address. 

9. Using personal devices for work

Look, you get it, everybody loves their phone. It’s with them all the time, it knows their secrets, and it even talks to them (in a non-creepy way, we hope). But just because it’s their constant companion doesn’t mean it should be used for work too. Using personal devices for work can be a major security risk if the devices aren’t properly secured, or if they’re lost or stolen. It’s like inviting a stranger into your home and hoping they won’t steal your TV (or in this case, your company’s sensitive data). As an IT manager, you can implement policies that require employees to use company-issued devices for work purposes. Any detractors (careful, it’s probably your boss) will receive the “car key sellotaped to the roof” treatment. Let them work to get home at 5pm on a Friday. 

All joking aside, we had fun writing the wish list of punishments for failure to abide by the rules, but the one rule is that you need employees to trust and feel they can admit mistakes to you. This is key for number 10 on the list. 

10. Failing to report security incidents

Finally, one of the worst cybersecurity habits an employee can have is failing to report security incidents. Whether it’s a lost laptop, a phishing email, or a suspected data breach, employees need to be vigilant and report any incidents to their IT manager immediately (that’s you, by the way). Failure to do so could result in serious consequences for the company, including regulatory fines, lost business, and damage to the company’s reputation. As an IT manager, you can encourage a culture of transparency and openness when it comes to cybersecurity incidents and ensure that employees know how to report incidents quickly and effectively. 

You might just want to pull out that stress ball, say a few mantras, Netflix and chill, or whatever your calm-down pill might be for all rule-breaking. We do recommend signing up for a free trial of Premium in HighGround.io (forever free available) for all your Cyber Security management needs.

HighGround.io makes cybersecurity easy for small and medium-sized businesses by enabling IT managers without specialised cyber expertise to achieve cyber resilience effortlessly. Our platform is user-friendly, action-orientated and facilitates effective communication with partners and executives using KPIs tailored to their technical proficiency. 

How to Make Reduced Cybersecurity Budgets Work in Your Favor with HighGround.io: A Guide for IT Managers

The rise of expectations and the fall of the IT Manager’s budget  

Buried amongst too many disparate projects, implementations, meetings, support cases, report writing, and, of course, security alerts, today’s IT Manager is over-familiar with having their capacity stretched and consequently, operating at a suboptimal level. In the same breath, Forbes very recently published an assessment of the pressure CISOs have faced since the pandemic took hold in 2020, highlighting how ‘IT leaders are now being asked to tackle more complex digitisation projects at a time when IT budgets are growing less quickly’. Tru dat.  

Throw in the frustration of being perpetually misunderstood by pretty much all your string-holding-stakeholders, plus a growing list of rather mundane responsibilities, and anyone would be forgiven for throwing the towel in, or, dreaming of outer space.   

So what is that nagging feeling that despite your difficult reality, there must be another dimension in which you could carry out your role comfortably and with more freedom? 

Where them budgets at  

In January, ComputerWeekly reported the latest Forrester research that also concludes IT budgets are under even more pressure – in fact IT spend is expected to fall by more than 3% in 2023. The promising news is (yes there is always a way of spinning it), ‘Forrester believes organisations will want to focus their technology spending on how they can best achieve cost savings and operational efficiency’.  

Do we sense an eye roll there from IT Managers? Cutting budgets further is a good thing? At least we can give you good no bullshit news in that department as HighGround.io will generate the facts and the figures on all things Cyber Security to present to stakeholders in a way they can understand and give you the best chance of securing what budget is lurking around – to achieve exactly those two things cited; Cost savings and operational efficiency!  

“But your boss thinks you’re already doing this, so how do you go about asking for budget to do what they think they’re already paying you to do?”

Grant, the CTO at HighGround.io, knows first-hand how this feels. Time to turn things on their head and show that your business case supports broader, commercial strategic planning to achieve long-term savings – don’t make the mistake of positioning your request as little more than additional IT expenditure that no non-techie can begin to fathom (HighGround.io has a free plan btw).  

Forbes Technology Council Member and author of the article mentioned earlier, Shane Buckley, lists ‘bringing ROI to the forefront when determining your cost savings strategy’ as one of the top five tactics CISOs should consider when budgeting amid economic uncertainty. Whether or not you report into or work alongside a CISO day-to-day, adopting an approach that supports this advice is unlikely to go amiss. And it’s when those real monetary savings based on NCSC values attributed to the cost of breaches and attacks – easily accessible via the HighGround.io dashboard – come in very handy.  

Low investment, low risk 

As if we needed a reminder, Buckley notes that security postures are under more scrutiny than ever in light of survey results revealing that 80% of U.S.-based organisations were hacked in 2021, and 60% of those paid a ransom (argh). Of course, life would be a little simpler if today's global economic environment could be summed up as 'post-pandemic', but not only are IT leaders finally revising the knee-jerk decisions made to accommodate the overnight switch to remote or hybrid working, they're also feeling the not-insignificant pinch of the war in Ukraine, widespread disruption to transportation and supply chains, and global political instability.

Cue HighGround.io. To our point, Buckley points out that 'this might mean cutting back on spending and turning to one-stop solutions'. So let's focus less on the cost of trialling a breakthrough platform, and more on the fact that something like HighGround.io is a major enabler when it comes to reducing existing IT and cyber security spend. It shrinks the over-crowded landscape of digital solutions that the past couple of years left in their wake, and condenses your entire cyber security experience into one (easily personalised) dashboard, where automation and easy-to-understand KPIs like CyberScore and ROI ensure your FTEs can steadily begin to focus on more valuable work.

The dimension 

Pay close attention: is that the door to another dimension? Yes, the dimension where you can sign up for free to take control of your Cyber Security experience with HighGround.io. Sign me up.

ChatGPT and the Cybersecurity Landscape: Insights from a US Spy Chief

ChatGPT will make hackers more efficient (but it won’t mean cyber doomsday). As well as coming for all of our jobs, everyone’s favourite AI chatbot is going to be a potent weapon for cybercriminals, a US spy chief has warned. 

But there is a silver lining here: Rob Joyce, director of the NSA's Cybersecurity Directorate, has played down the idea that ChatGPT and other generative AI will be some kind of magic bullet for criminals.

Speaking at CrowdStrike’s Government Summit this week, Joyce said, ‘The technology’s impressive. It is really sophisticated. Is it going to, in the next year, automate all of the attacks on organisations? Can you give it a piece of software and tell it to find all the zero-day exploits for it? No.’

Instead, Joyce believes it will help crooks craft better phishing lures and better ransom notes – and ‘optimise the workflow’ for cybercrime gangs. 

Joyce also believes that generative AI could be helpful for defence teams – and that we’ll see new tools in the coming year. 

He said, ‘So for the next year we are going to be very focused: what tools come out that will … give us the advantage as defensive folks.’

So far, artificial intelligence is not a substitute for human intelligence, or for threat intelligence. At Highground.io, we aim to simplify cybersecurity with a dashboard that offers an at-a-glance overview with actionable insights, to boost human brains, even the cyber-novice ones. Sign up for a free account to take control of your Cyber Security experience.

Notorious cybercrime marketplace seized in ‘Operation Cookie Monster’

In what we believe to be the first cybercrime operation named after a hairy blue Muppet, international law enforcement have seized the notorious Genesis Market. 

The dark web marketplace’s website now bears the logos of the FBI along with dozens of other police organisations in Europe and beyond.

“Genesis marketplace was an invite-only cybercrime institution that held data on account holders from almost all major websites,” our CEO Mark Lamb said in Security Week.

“The operators offered customers a pre-made package on victims, enabling them to access accounts and execute attacks quickly, with all the information they needed to commit fraud. Unfortunately, very few victims were aware they had been compromised until money was stolen or goods were purchased, as there was nothing malicious for threat detection tools to alert on.”

Britain’s NCA (National Crime Agency) described Genesis as ‘one of the most significant access marketplaces in the world’. 

The site was invitation-only – but now it’s clearly a club that most members will wish they hadn’t joined. 

Lamb says in another publication, Silicon Republic, “This is another coup for the FBI that follows a long string of recent takedowns. It will be interesting to see if the operators of Genesis are caught, because given the scale of the operation they were running, the FBI will not let them off lightly.”

To see what Lamb built to protect organisations from cyber crime, sign up for free and try out HighGround.io.

Microsoft brings ChatGPT to cybersecurity – as a co-worker

The future seems to be arriving a little quicker than most people imagined – as Microsoft announced this week that the cybersecurity co-worker of the future will be a robot. 

As part of the global frenzy around ChatGPT, Microsoft is to bring the insanely popular chatbot to cybersecurity in the form of Microsoft Security Copilot.

As well as running the GPT-4 generative model (the one helping youngsters around the world cheat on their exams), it runs a security-specific model developed by Microsoft.

Microsoft promises the security bot can do clever things such as look up information on vulnerabilities and deliver information on recent security incidents, drawing on data from the organisation (which, Microsoft says, is not shared outside the organisation).

The way it works is not dissimilar to Microsoft’s ChatGPT-powered Bing, with a search box where security pros can type a query, receiving a reply based on the app’s knowledge set (which in this case includes the company’s own data). 

It’s an interesting idea – but could it just be yet another tool for cybersecurity professionals to have to learn to navigate? 

At Highground.io, we simplify cybersecurity with a dashboard that lets IT Managers and business leaders see their security overview at a glance, with recommended actions, no robots or weird conversations with AI required.

Let’s start with your CyberScore (get to the green)

Author: Grant Roy, CTO, Highground.io

Our story has been in the making for a long time, but this is the first time I’m telling it out loud. It’s humbling to believe someone’s listening (hi!).

When you’re an electrical engineer (bear with me, I will land this analogy), I’m willing to bet that you would do all it takes to prevent your next-door neighbours from finding out. Why? Because no matter how many times you explain that you design protection systems, at the first sign of a fault with their lawnmower, they’ll be hollering over the fence with certainty that you can fix it.

If you’re reading this as a fellow IT Manager (Hi, I’m Grant the CTO), you know what I’m talking about. People may think you’re pretty introverted, but you have one of the noisiest jobs going. You’re swamped, but you’ve come to accept that your non-technical peers and seniors will never quite understand. And now that you’ve been tasked with making tough calls on cybersecurity, it can feel like everyone, including the board, thinks that cybersecurity is simply a part of IT.

Helping you get it done

I can’t lie, the HighGround.io platform is the tool that finally lets you do the Cyber part of your job the way you were always supposed to be doing it (and always hoped to be doing; password resets are SO DULL). So, to help you take control, guide tricky conversations in your favour, and reclaim your buried potential, let’s start by knowing how well you are doing.

Get started with your CyberScore

You can’t improve what you can’t measure, so what’s the first rule for managing your cybersecurity? Know your baseline. (Drum roll, please. HighGround.io CyberScore enters the conversation). It’s the ultimate representation of your organisation’s cyber posture, like a credit score, but cooler and easier to understand. The beauty of CyberScore is that it provides a simple visual representation that even non-technical stakeholders can understand. It’s a common language that everyone in your organisation can speak. And it’s the line in the sand between where you are and where you need to be.

With HighGround.io, you can generate a CyberScore through the Attack Surface module before integrating any tool or software. The platform uses custom logic to calculate your CyberScore from attested (that is, self-reported) data and to generate KPIs; it also takes your Compliance Posture into account. But if you want the extra secret sauce for a clearer picture of your Cyber Posture and Cyber Threat Level, that’s when you add (integrate) the data from your tools for a ‘verified’ score, one that rests on what your tools actually report rather than on your own say-so. You know, for those pesky suppliers or partners who don’t want to take your ‘tick a box’ word for it.

How do I explain risk to non-technical people?

For non-technical stakeholders, all you need to do is get to the green. That’s the target CyberScore that everyone can understand. The next step is then explaining that you need to stay in the green, but one step at a time. Once you’re all on the same page, you can work on improving your score step by step and getting the budget to be able to do so.

But what we’re really talking about here is the board, right? Yeah, having John in accounts on board is never a bad thing, but you’d like the CEO to understand that Cyber is a business risk, on equal footing with revenues and expenditure. And you’d like an easier way of asking for some pennies to mitigate that risk and even push some of that crippling responsibility back up the chain of command.

So let’s get them on board.

HighGround.io is a super-visual platform that makes communication about cybersecurity easy. You can generate easy-to-understand reports with just a click of a button, which can be sent to your CEO or any other senior decision-maker in your organisation. When you need additional insights, they’re ready and waiting for you. Simplicity isn’t such a bad thing and avoids the risk of alienating your budget holders and senior decision-makers with information they simply don’t need to understand.

But what happens if you want to get down to the technical details? HighGround.io has you covered with its Technical Drilldown feature, allowing you to dive deep into the nuts and bolts of your Cyber Posture.

1000 tools and a spreadsheet

Our solution is built on solving the most frustrating challenges we’ve encountered, particularly information overload. With so many disparate systems in operation, it can be hard to keep track of everything, and a tool like HighGround.io has the power to free you from all the legacy issues associated with the job. We solved this problem by bringing everything together in one platform. It’s a game-changer for anyone looking to simplify their cybersecurity management. One tool to rule them all, if you will. You may think I’m biased since I work for HighGround.io, but you don’t have to take my word for it: sign up.

Choose your own adventure

Your CyberScore is just the beginning of your HighGround.io experience, and it’s central to everything else, from getting a grip on your compliance with the Compliance Manager to managing suppliers/partners in the Supply Chain Manager to finding gaps in your Cyber Posture and plugging them with the HighGround.io Marketplace. And all of the above.

I’m ready for HighGround.io

Have you heard enough and are raring to go? Try Premium on a free trial today by signing up for a free account in a few easy steps. Once you’re in, choose the onboarding that’s right for you: access our huge knowledge base of technical information, follow our interactive product tours, or even request a live demo, where you may even get me or the CEO. The entire HighGround.io experience is so upfront, it’s borderline rude. We’ve tried HARD to think of everything you haven’t, and we’re only here to make you feel good about it.