Written by Kevin McDonald, COO and CISO of Alvaka Networks. Originally published December 2018 on TechTarget. Kevin explores what Moody’s new cyber-risk ratings could mean for enterprises and the infosec industry.
Having access to credit is critical for any healthy company, whether it’s for acquisitions, funding organic expansion or even keeping the company afloat during hard times. Credit ratings take many factors into consideration, such as payment history, forms and levels of indebtedness, vertical industry, geography, business longevity, and many other financial factors.
But credit ratings also take other risks into account. The list of risks being considered by Moody’s Investors Service Inc., which “provides credit ratings and research covering debt instruments and securities,” just took a quantum leap forward into the world of cybersecurity.
Moody’s recently announced that it will now consider cyber-risks and breaches in their coveted ratings. The company’s decision to consider cyber-risks will have global impacts across all sectors and could have a significant long-term impact on the behavior of rated organizations as the concept spreads to other rating systems and beyond the scope of Moody’s reach.
While Moody’s cyber-risk ratings will be limited to the organizations and industries they chose, in the very near future, any business asking to borrow money could face questions about their cyber-risks.
In fact, other businesses that rely on risk ratings are already designing ways to do just that within their own context. There are already cyber-risk ratings out there from credit groups like FICO; however, there are no clear leaders in the space, and that may change with Moody’s cyber-risk ratings.
If you consider that credit ratings are a measure of whether a business will actually pay back the money it borrows, then cyberattacks are an important class of risk to consider. Let’s look at ransomware, for example.
I have personally seen the devastation that ransomware can cause. In its “Second Annual State of Ransomware Report: US Survey Results,” MalwareBytes last year reported that 20% of companies surveyed had to “cease business operations immediately” following a ransomware infection. Even when companies do survive a breach, they are often seriously injured in both a financial and reputational sense.
So why would we not expect an organization lending money to be concerned about such serious risks? If a company that is dependent on its internet presence sees its connectivity crippled long term by a denial-of-service attack, it can be devastating and potentially fatal. When a company gets an infection of unknown, or particularly persistent, malware, it often results in that business being taken offline for extended periods of time.
Click here to read the full article at TechTarget Search Security.
Kevin McDonald, COO & CISO – Alvaka Networks
Kevin B. McDonald is the chief operating officer and chief information security officer at Alvaka Networks. Kevin is a trusted technology and security practitioner and public policy advisor to some of America’s most influential people and organizations. He advises corporate executives, federal and state legislators, law enforcement, high net worth individuals and other business leaders. He is a sought after consultant, writer, presenter and trainer on the issues surrounding personal, physical and cyber security, compliance and advanced technology. Kevin has written for and been interviewed by dozens of national publications and on major television, radio and digital outlets.
Chairman, Orange County Sheriff/Coroner’s Technology Advisory Council (T.A.C)
Member, OC Shield
Member, FBI InfraGard
Member, O.C. Homeland Security Advisory Council (OCHSAC)
Member, US Secret Service’s LA Electronic Crimes Task Force (LAECTF)
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.