Scoring Cyber Risk
Karla Reffold, COO of Orpheus, weighs in on the rise of cyber risk ratings.
Orpheus: The 30-Second Download
Orpheus is the only UK government-accredited cyber threat intelligence company that provides cyber risk rating services to clients. Based in London, Orpheus enables clients to stop cyber risks before they occur through its proprietary intelligence platform, powerful technologies and bespoke SaaS subscriptions. “We do threat-led security. So, we provide threat intelligence services, provide cyber risk ratings – quite crucially to help people manage their third-party risk and risk-based vulnerability management as part of that,” said Karla Reffold, COO of Orpheus.
Where Customers Need Support
Financial services and government organisations are perennial, attractive targets for threat actors. Reffold said the pandemic put all industries at risk. “I think what this last year has shown most people who follow the cyber news and the breaches, is that everybody is affected… so small companies can’t just say, ‘We’re small and nobody’s interested in us.’ They might not be interested in you, but they’re interested in your clients and they’re using you and your lack of security to gain a foothold into those organisations.”
Reffold said Orpheus’ customers are looking for guidance on the current threat landscape and how to prioritize risks, but often their needs go even further.
"The biggest challenge organisations are facing is around third-party risks."
In Orpheus’ experience, some companies don’t know how to prioritize their critical suppliers and properly assess them from a cyber risk perspective. The traditional method for evaluating third parties – questionnaires – is no longer sufficient, said Reffold, as it’s time-consuming, lacks accuracy and is really a point-in-time assessment. Orpheus delivers cyber risk ratings to help companies manage the time, cost and other risks of assessing their partners.
Addressing the Skills and Talent Gap
Reffold sees three ways to address the skills and talent gaps that touch many areas within the cyber industry. Compensation is key, especially in cyber where top talent is frequently approached by competitor firms. There’s also an opportunity to recruit talent from other areas of the business and train them on cyber. Reffold has seen success with this approach, particularly with women entering the cyber industry.
As for retaining talent, Reffold says professional development opportunities and a clear career path are key. Emphasising the importance of cyber security within the organisation can also help retain staff:
"Make sure the team knows how seriously security is taken by the business… when the team [realises] that they’ve got the backing of the business and they’re able to implement things that will keep the organisation safe, they tend to be happier."
Technology can also help address the gaps. “We're seeing a lot of companies use machine learning and exploit some of those solutions to help address that,” said Reffold. “We have people talk to us about how they use risk ratings to avoid an extra full-time employee who would have to talk to companies and assess what they've told them… so, it's using some of those technology solutions that are out there to help park those gaps a little quicker.”
Outlook for Cyber
"The future of cyber is where it’s always been. Threat actors are always one step ahead."
Reffold believes third-party and even fourth-party breaches will continue their rapid increase. Ransomware is also likely to become more common. “Ransomware is clearly problematic and that’s going to start affecting more and more organisations, particularly as the larger organisations put solutions in place that make it harder for those criminals to breach them and to affect them with that.”
Reffold also pointed to the rise of cyber risk ratings, which are becoming more relevant across all areas of a business. “Insurance companies are using these to decide your cyber insurance premiums. Your clients are using these to decide who they’re going to work with… much like with credit ratings, they’re just a part of life that we accept. That’s where the future of cyber is going.”
Questions? Connect with the Baird team at RWBcybercoverage@rwbaird.com