The real story around risk reports

Risk reports and vulnerability scans can only tell you so much about the level of security across a network. Because their reach is often limited, these overviews can be misleading and paint a far more positive picture than what's really going on under the hood.

Cyber Article 5 min Thu, Jan 5, 2023

There's a lesson here from pioneering pollster George Gallup, who made his name almost 100 years ago by showing that quantity is a distant second to quality when it comes to the value of data.

Gallup surveyed 3,000 people ahead of the 1936 US election. He forecast a win for the Democratic candidate Franklin D. Roosevelt, even though a Literary Digest survey that had canvassed 2.5 million people predicted a Republican landslide.

Gallup was correct and Literary Digest – its credibility shot – was out of business within 18 months.

Data quality

So, how does this relate to cyber insurance? The point is that across the cyber market, vulnerability scans are being given too much weight, first as a measure of an organisation's cyber security, and second as an indicator of how likely it is to have a cyber claim.

Vulnerability scans, or risk reports, aim to identify your internet-facing assets and any weaknesses they have. Initially, they were used to highlight potential problems and suggest remedies. That was a good thing. More recently, though, they're being used as de facto assessments of a business's online security rating.

The problem is that the data these scans or reports produce is often limited. They should locate internet-facing servers and identify the software running on them, but they're unlikely to pick up every service, especially those outsourced to third-party cloud providers, which may not sit in the address ranges or domains the scan was pointed at.

Nor can these scans see inside your network, so they can't assess the internal safeguards and controls that may or may not be in place. In short, they attempt a definitive assessment of your cyber security credentials from limited data. That's not a good basis on which to rate cyber security or to try to predict future attacks.
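To make the coverage problem concrete, here is an added example (not CFC's code or any vendor's scoring method) that reconciles a constructed external scan result against a constructed internal asset inventory. The asset names, findings, severity numbers and the "100 minus severity" score are all hypothetical; the point is that a score computed only from what the scanner saw says nothing about the assets it never reached.

```python
"""
Reconcile an external vulnerability scan against an internal asset inventory.

Added illustration, not code from the original article. Every hostname,
finding, severity value and the scoring scheme below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    exposure: str        # "internet", "cloud_saas" (third-party hosted) or "internal"
    in_scan_scope: bool  # True only if the scanner's target list actually included it


# Constructed inventory: what the organisation actually runs.
INVENTORY = [
    Asset("www.example.test", "internet", True),
    Asset("vpn.example.test", "internet", True),
    Asset("mail (hosted SaaS)", "cloud_saas", False),
    Asset("crm (hosted SaaS)", "cloud_saas", False),
    Asset("file-server-01", "internal", False),
    Asset("dc-01", "internal", False),
    Asset("backup-nas", "internal", False),
]

# Constructed external scan output: findings per scanned host as
# (description, severity 1-10). Only scoped internet-facing hosts appear.
SCAN_FINDINGS = {
    "www.example.test": [("outdated TLS configuration", 4)],
    "vpn.example.test": [],
}


def naive_score(findings: dict) -> float:
    """The 'risk report' view: 100 minus the summed severity of what was seen."""
    total = sum(sev for items in findings.values() for _, sev in items)
    return max(0.0, 100.0 - total)


def coverage(inventory: list, findings: dict) -> dict:
    """How much of the real estate the scan could have assessed at all."""
    scanned = [a for a in inventory if a.in_scan_scope and a.name in findings]
    unassessed = defaultdict(list)
    for asset in inventory:
        if not (asset.in_scan_scope and asset.name in findings):
            unassessed[asset.exposure].append(asset.name)
    return {
        "scanned": len(scanned),
        "total": len(inventory),
        "fraction": len(scanned) / len(inventory) if inventory else 0.0,
        "unassessed": dict(unassessed),
    }


def assess(inventory: list, findings: dict, min_coverage: float = 0.5) -> dict:
    """Attach a coverage figure to the score so it cannot be read as a rating
    of the whole estate. min_coverage is an arbitrary illustrative threshold."""
    cov = coverage(inventory, findings)
    return {
        "naive_score": naive_score(findings),
        "coverage": cov["fraction"],
        "unassessed": cov["unassessed"],
        "score_is_meaningful": cov["fraction"] >= min_coverage,
    }


if __name__ == "__main__":
    result = assess(INVENTORY, SCAN_FINDINGS)
    print(f"scan-derived score: {result['naive_score']:.0f}/100")
    print(f"inventory coverage: {result['coverage']:.0%}")
    for exposure, names in result["unassessed"].items():
        print(f"  never assessed ({exposure}): {', '.join(names)}")
    print("score is meaningful:", result["score_is_meaningful"])
```

Run stand-alone, the constructed scan yields a healthy-looking 96/100 while covering two of seven assets; the hosted SaaS platforms and everything internal were never in scope. An inventory-to-scan reconciliation like this is the first check worth running before treating any external score as a security rating.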

The good news is that huge strides are being made in the area of threat intelligence, with CFC leading the way, and this does offer the ability to prevent attacks and make effective forecasts of likely cyber claim events.


Threat intelligence  

While a vulnerability scan provides a survey of an organisation’s internet-facing assets, threat intelligence builds up a dynamic picture of the attacks to which your organisation is most susceptible.

CFC has established close working relationships with government bodies, law enforcement agencies, private sector organisations and our own proprietary sources. This network gives us access to the online platforms and markets used by criminals to trade data and exchange information.

Our network provides details of companies that have been compromised. It offers information on what’s been stolen and where backdoors have been left open on a system. Is this company on a threat actor’s list? Have their passwords been traded online?

Access to this type of information allows us to be far more confident about the likelihood of an organisation coming under attack, and allows the threat analysis team to be specific about the actions they take to shore up defences and keep that system safe.

Cyber criminals are extremely dynamic and continually change both their targets and their methods of attack. Understanding how attacks are evolving, and uncovering where they're likely to land, makes it possible to take swift and effective preventative action.

Just as George Gallup discovered in the 1930s, it’s the quality of your data that determines its value. The number of attacks prevented by CFC’s threat intelligence service is beginning to tell its own story on the scale of that value.

For more information about CFC's cyber threat prevention capabilities, check out our CFC Response page.