FAQs: Cyber risk scoring in supply chains

Article by Achilles

Cyber risk is increasing significantly, with adversaries treating weak third-party cyber security as an open invitation for targeted cyber-attacks. As organisations continue to have employees working remotely, the number of weak points through which a cyber-attack could be launched increases. In partnership with Orpheus, we’re providing cyber risk scoring on suppliers to give buying organisations using Achilles advanced cyber intelligence.

What is cyber risk scoring?

The Cyber Risk Ratings indicate the level of cyber risk associated with an organisation. The higher the score, the higher the risk that the company will be the victim of a successful attack.

Why is cyber risk management in supply chains important?

Many attacks start with a company in the supply chain, rather than directly targeting the end victim. Larger organisations often have strong cyber security measures in place but grant legitimate suppliers access to their systems. Once suppliers have this access, they become part of your network and, as a result, part of your attack surface. Furthermore, your business is highly likely to be disrupted if any of your important suppliers suffers a cyber-attack, regardless of whether or not they have access to your systems, and it is also probable that many of your suppliers hold your data and your customers’ data. You are likely to be held responsible if your customers’ data is breached by your supplier – particularly if you have not followed best practice in managing your supply chain cyber risk. If you are not assessing your suppliers’ cyber security measures, you have no idea whether they pose a large or small risk. Attackers are aware of this and look to take advantage of suppliers with weaker security measures.
In addition, international regulators are starting to impose guidelines on supply chain security. Regulators and governing bodies will not reduce fines because the attackers gained access through a third party, as they see this as a risk you were responsible for mitigating.

What information is the cyber risk score calculated from?

The cyber risk scoring uses a large number of data points, combined with machine learning, to calculate the score. The information includes:

  • Threat intelligence on sectors and countries in which you operate
  • Unpatched vulnerabilities
  • Evidence of weak email security processes
  • Failures in cyber hygiene

What elements influence a cyber score?

Any organisation can purchase a short report from Orpheus that explains the constituent parts that make up the cyber score. The risk rating is a combination of a threat score and a vulnerability score. The report shows you the individual score for each of these two components, along with the information that was used to formulate it, and provides actionable advice to mitigate any issues identified.

How do I know it is accurate?

The tools and approach we use follow the processes used by threat actors. Based on our extensive threat intelligence experience, we know what cyber attackers are looking for and what they will try to exploit. Our machine learning has been peer-reviewed and is at least 94% accurate when predicting future threats.
Through our partnership with Orpheus, we use a thorough process of manual review to identify false positives that may create an artificially high score for an organisation. We also have a process for organisations to remove any results that we can validate as incorrect, but this is incredibly rare. Some risk rating companies allow organisations to update their scores as soon as they report mitigating their issues; we will only do this after validation, which ensures the accuracy of our results.

If the cyber score is low, is there anything else I need to worry about?

Low risk does not mean no risk. Insider threat and phishing campaigns are two examples of key risks that exist for almost every organisation. The Orpheus Cyber Risk Rating is a strong indicator, offering steps that organisations can take to reduce their risk. It provides a hacker’s outside-in perspective, so you may also want to seek additional insight that is only available to those already within the organisation.

What if I disagree with the score?

Any organisation that disagrees with its cyber score can contact us directly to discuss remediation. We work hard to remove false positives from our scores, and errors rarely occur. The overall Cyber Risk Rating is made up of many data points, so it is unlikely that a false positive in one area has a large impact on the overall score. In the unlikely event that it does, we have a remediation process to correct it once we have validated the error the company has identified.

Where can I view my cyber score?

As a buyer, you can view a supplier’s cyber scores through Achilles Insights. In addition, you will have the option to get a tailored supply chain cyber risk assessment report on your chosen supply chain, giving you deeper insight into the specific threats and risks you could be exposed to.

As a supplier, you can view your own cyber score in your MyAchilles dashboard. By subscribing to Orpheus’ monthly cyber risk rating reports, you will also receive a detailed breakdown of your cyber risk and an easy-to-follow action plan to remedy any areas of concern – and ultimately improve your score. With your Achilles subscription, you will receive preferential rates.

For Buyers

At what level should I discount a supplier from the process?

The level you consider acceptable is for you to decide based on your risk tolerance. We would suggest working with suppliers to reduce their score rather than discounting the supplier altogether; the report we produce shows them how to do that. Suppliers that are unwilling or unable to mitigate serious security risks should be considered for removal.

How often do I need to check a supplier’s cyber scores?

Our cyber scores are updated constantly, and with new vulnerabilities being discovered daily, these scores can change. You can set your own review frequency, but we would suggest reviewing at least monthly for any changes that might be introducing risk to your company.

Can I check my own company cyber score?

Yes, you can also review your own cyber score. We recommend reviewing your own cyber score to mitigate any security issues within your organisation and reduce the number of ways in which an attacker could target you.

Log in to see your scores today.
