Protecting business data in the virtual world – do you know SecurityScorecard?
In today's world, cyber security is receiving more and more attention. Until recently, many companies were not very aware of its importance.
They did not treat it as a priority, and if they did, they tried to solve the problem of cyber security by themselves, using their own means. Many companies relied on manual assessment of infrastructure security, but today, with a rapidly changing marketplace and constant change in their own infrastructure, that is clearly not enough.
Wondering how best to protect your business data or data from your clients? Want to know more about how to defend against real threats in cyberspace and secure sensitive data from potential hacker attacks? SecurityScorecard offers companies a tool that not only tests the company’s current security status, but continuously monitors and evaluates its security, reducing the threat of cyber attacks. Jozef Chudý, Head of Quality Assurance and Czech Republic Site Manager, told us more about this tool, about the company profile, but also about cyber security as such.
Photo: Patricia Belickova
Hi Joseph, will you tell us how you got to this job?
I got to this job through an advertisement on Glassdoor. I saw on LinkedIn that a colleague I have been working with works there, so I asked him how it was. He told me that it was an American startup, that they had an interesting business case, and that they needed to open a branch here in the Czech Republic and were looking for someone for QA – that actually fit my profile and what I wanted to do.
What does SecurityScorecard do?
The value of SecurityScorecard is to provide VRM – vendor risk management. The best way to explain this is by way of example. We have Company A that sells a product, for example photographs. Company A has one of its suppliers, Company B, which supplies it with some services, such as photo editing. Company A also works with sensitive data stored somewhere in the company’s infrastructure, such as the cloud, a computer… This data must be secured against hacker attacks or other misuse. For this purpose, Company A hires SecurityScorecard to audit the infrastructure. This audit is called “Scorecard Security”. During the audit, the company observes the infrastructure, evaluates all necessary technical parameters, e.g. security against malware attacks, monitors how security of corporate networks is secured, endpoint service security, mail server protection. It collects all the necessary data from these observations and then, based on complex calculations, creates a “scorecard” where the company’s network is evaluated for security – the company gets a score and a so-called “traffic light”. Green on the traffic light means the best rating and red the worst. A total of 7 factors are evaluated, the result is interpreted numerically and by the traffic light. We provide this rating to businesses for free.
And the second thing SecurityScorecard is also supplying to businesses, specifically to the company’s Chief Security Officer and Risk Managers, who are responsible for protecting the business and who need help in securing that protection, is something like a “corrective plan” in which we tell businesses about specific steps to improve security in their business.
How have companies tackled cyber security so far?
Internally, within the company, questionnaires were filled in, where the Risk Manager requested from all administrators detailed data on the security of individual servers, comprehensive data on passwords, ports, firewalls, which in large companies (100 000 employees), where there are many servers, is a very lengthy process that can take a month, for instance. Yet the process is invalid from the first minute the task is assigned. This is for a simple reason – because the company’s infrastructure is constantly changing, 24 hours a day, 365 days a year. By completing the questionnaires manually, when the data reached the Risk Manager, they were no longer valid. And that is our benefit. We can provide information on a daily basis on how infrastructure has changed. For such monitoring to work on a daily basis, we need to negotiate a contract together, and that is actually the business case from which we live.
To complete our example, it is not enough if only Company A has secure infrastructure, because it also takes some services from Company B, but Company B takes it from Company C and so on. That is why companies ask not only for their own scan, but also the scan of companies with whom they cooperate and share some data. They want to know if these companies have a sufficiently secure infrastructure as well. Our business case is advantageous in that we do not need to have an army of salesmen who would sell our product; we only need to sell it to one company and then it spreads across all vendors.
Who are your clients?
We do not have a specific client sector to focus on. We can reach the whole Internet, any domain, any business in the world that wants to have its infrastructure secure. We do not distinguish whether it is the automotive industry, medicine, banking systems, telecommunications systems…
You have clients all over the world. What activities or steps do you consider to be key to business growth?
Our key value that we strive for is customer satisfaction. The reliability of our system is also a very important factor. Customer reviews are key to us. We offer a solution that is automated, requiring minimal manual support to make any false positive problems appear, and in this we have a great edge over our competition. We have a branched platform for new functionality. Here, I would like to point out that we really supply our customers with something they can rely on.
How can a regular business verify that it is well “secured”?
They can do it by writing down what they should actually scan on the infrastructure to see if the company is vulnerable in one way or another. They can write it down in Excel, that’s the questionnaire, and send it out, for example, to the admins who take care of the infrastructure; they fill it in and the company can then take some corrective actions.
What 5 practical things can a small business or startup do on their own to protect themselves against cyber threats?
I do not know if I will list exactly 5 things, but it is very important to ensure that they have an overview of what runs where, on which server. What services they are running, to keep these services behind a firewall, to have a clear overview of what they are sharing with whom. Of course, it is very important that they use strong passwords and change them as needed. I should always have a list of tasks that I check off and monitor if I have done, checked and fulfilled everything, so that I don’t forget anything about the security.
Speaking of strong passwords, what does that actually mean? What should one keep in mind when creating a password?
If you do not have your own authentication system, but want to verify that your password is strong enough or not, you can use the free open source applications on the Internet to evaluate the power of your password, for example. Or the application informs you – with today’s resources, this password is hackable. It even informs you about the time it takes to break it. Nowadays, there are algorithms, various applications, tools for strong passwords that can generate a password that will be secure enough.
What is being hacked most often? Are these apps? Business mails?
Data is most useful. Personal data that can be used and misused to gain access for the hacker to systems that he or she can really make money off. Or it’s for blackmailing.
And how to prevent it?
Let’s say, today, it is widespread to have Master Key or Master Password, there are systems that can store many passwords. At the moment, we all have 20 private apps – from Facebook to Pinterest – and we need to enter a password for all of them. It is not good to repeat the same password, because if the hacker breaks it once, he or she gets to everything that person uses. It is best to have different passwords for all applications, all of them strong enough.
What do you consider to be the biggest cyber risks in the next period?
That’s a big portfolio. For example, it is some espionage that is done today at the level of government agencies, where malware gets to our computers, is distributed and not only in one application, but they can meet at a certain time and do something vicious, get lost again in some way. Very often they are state intelligence agencies. To trace this is really difficult. As far as state agencies do it, they fight for information and domination in espionage more or less among themselves. Worse may be when someone hacks, e.g., a nuclear power plant and would have such powerful tools that it would pass through all the security techniques and brakes. Then there may be a disaster.
How many members has the SecurityScorecard team at the moment and where do you currently work?
There are 20 of us here in Prague. What we wanted to build here, and we have hopefully succeeded in doing so, is to have a centralized R&D in one place. We are based in HubHub.
What is the biggest benefit for you when working from HubHub?
It is the only service that has managed to fulfill all 4 attributes that we requested. The offices are located in the center – this was a strong management demand from New York. It was extremely important for them to be somewhere in a traffic-accessible place. Another requirement was that the contract was not binding for 4–5 years but for a shorter period. The big advantage of working from HubHub is the possibility of expanding the premises or vice versa reducing them if necessary. Last but not least, the comfort HubHub offers is very appealing to us. It is obvious that the premises are well designed and made of quality materials.
What do you think is the biggest myth about working in coworking centers?
To me, coworking evokes in some way the word collaboration, and cooperation – and this is a downright positive thing, so I personally have never fought a coworking myth.
Which HubHub place do you like the most?
Probably the coffee machine in open space. That’s where I meet people from other startups. They talk about something that bothers me as well, for example, so we always chat a bit. We use our given names almost immediately and you gain acquaintances, maybe even friends, so it’s a really pleasant environment.
Thank you for the interview!
Article in cooperation with Daily Upgrade.