What is CyberScore?
CyberScore is a software tool that helps organisations of all sizes improve their cyber security by scanning their network, highlighting vulnerabilities and providing advice on how to make the network stronger. It provides an overall cyber security scorecard and the ability to rate organisations against their peers.
A bit like a financial credit rating, but for cyber security?
Exactly. In addition to the cyber score, it provides reporting, including a Get Well Plan, with a list of actions you need to take to improve your score; a Patch report, showing all the software patches you need to implement; and a Technical report, with more in-depth detail.
Actually, it’s not. It costs nothing to scan your network and generate a score, which you can do as often as you like, and just £1 per analysed device for all three reports. So, if your organisation has 200 devices, a Get Well Plan, Patch Report and Technical Report will cost £200.
Is that normal for the penetration testing industry?
No, it’s a bit of a revolution. David Carroll, CEO of XQ Cyber, told Technology Reseller that CyberScore was born out of frustration with the status quo in pen testing. “As former employees of GCHQ and Qinetiq, we are penetration testers, or ethical hackers by trade. We looked at our own industry and thought it wasn’t good value for money. Penetration testing is not a strategic activity, it’s over-priced and it’s done as consulting when it should be a commodity for the masses,” he said.
So, is CyberScore the end for pen testing as we know it?
It’s certainly a challenge for consultants who charge a lot to do little more than conduct a tick-box exercise. Instead of paying £10,000 for an annual pen test, a business with 200 devices can automate the process for just £200 and repeat the exercise every week if desired.
That said, there is still a place for strategic pen tests that include the exploit phase, showing how a vulnerability could be exploited by hackers, or red teaming, where a bank or Government body emulates specific threats to test its defences.
Is automating the basics enough?
Cyber terrorism by nation states might grab the headlines, but Carroll points out that 90% of losses due to cyber insecurity occur for a far more boring reason, which is people’s inability to do the basics right. “Instead of looking for sneaky-deaky technology to detect the North Koreans or Iranians, what people need is smart technologies to be applied to help do basic things like patching operating systems and applications,” he said.
That’s great. But why does it matter to readers of Technology Reseller?
Because XQ Cyber sees managed services providers and communications providers as its primary route to market. “Our plan is to have a few hundred MSPs on our books who will be servicing 10,000, 20,000, 30,000, 40,000 clients,” explained Carroll. “We have made CyberScore as light touch as possible, but there is still a level of expertise that’s required. If you are an SME that has no IT expertise and no cyber security awareness, it will work better if your service provider is the one flying this for you.”
For MSPs, one very useful feature of CyberScore is peer rating, which shows users whether they are in the top 10% of organisations for cyber security, the bottom 10% or somewhere in between. This is a great revenue opportunity for an MSP, which can cyber score its customers, quickly identify the star performers and the problem children, and then go back to them with solutions.
Peer rating can also be used by MSPs to help secure customers’ supply chains (see box).
This sounds like something the Government would approve of. Is CyberScore accredited with any security programmes?
XQ Cyber itself is a Cyber Essentials (CE) certification body. While the use of CyberScore does not qualify for Cyber Essentials Plus certification, Carroll says that XQ Cyber can issue users with an ‘advisory’ saying that on the basis of what CyberScore shows, the organisation in question is likely to pass (or fail) Cyber Essentials Plus. He added: “By this summer it is our intention to be able to award CE Plus badges as a result of running CyberScore. We think this will be a step change for the Cyber Essentials programme.”
Find out more at:
Stronger supply chains
As well as addressing an individual company’s security vulnerabilities, David Carroll says CyberScore could help secure its supply chain.
“If you are a big business with thousands of suppliers, how do you secure your supply chain? Right now, the answer seems to be to send people out with clipboards and questionnaires or, at best, to give them an online portal where they have to answer some questions.”
This, says Carroll, is a huge drain on resources. Answers are not data-driven, are highly subjective and are not always accurate.
“One of our beta partners ran a questionnaire for 300 or 400 of their Tier One suppliers. They estimate that 50% of the answers they got back were less than truthful,” he said.
Carroll suggests that CyberScore is a much better way of doing things.
“One of our reference sites, Drax, is going to ask everyone in their supply chain to run CyberScore, which will give them a view of the herd. This helps because they are not asking a list of questions and the data they get back is based on 0s and 1s. Instead of asking ‘Do you patch?’, CyberScore can show definitively whether an organisation is patching or not.”
Carroll said: “This is great for MSPs, because if you run a customer’s IT network, you can now say ‘Would you like to look at your critical suppliers and see which of them are taking care of security and which aren’t?