A consortium of cybersecurity vendors on Tuesday officially launched “R-Score,” a free cyber resilience assessment tool that’s exclusively focused on scoring a company's ability to recover from ransomware attacks.
According to its creators, the tool could prove especially useful to CISOs and other security professionals when the board of directors comes knocking to find out just how equipped the business is to bounce back from a worst-case cyber scenario.
“I think all of us are hearing from customers across the security space, data protection space and [data] storage space that boards are asking more and more, ‘Are we ready? Are we prepared?’” said Simon Taylor, founder and CEO of Hycu, Inc. (pronounced “haiku”), a multi-cloud backup and recovery-as-a-service provider that is leading the effort behind R-Score.
“The latest research suggests that there's a ransomware attack every 11 seconds,” Taylor continued in an interview with SC Media. “We’re doing this because ransomware and criminality is on the rise, and we felt like it was time somebody stepped up and did something about it.”
Of course, resilience against any and all forms of digital attack is an important attribute to possess and measure, but ransomware does come with its own unique assortment of challenges and consequences. And with ransomware attacks occurring at an alarming rate, it is helpful for organizations to have a tool that specifically looks at how effectively they can rebound from such an incident.
“While there are a variety of resources, reports, and ways to learn how to protect at-risk data, an agency’s ability to recover should a ransomware attack happen is often left under-addressed or untested. R-Score focuses on these issues, helping agencies develop a current security and data protection strategy,” said Craig Abod, president of Carahsoft, one of Hycu’s R-Score partners, along with FireEye/Mandiant and Sada.
To complete the assessment, organizations must answer 23 questions designed to evaluate their readiness in five critical areas of ransomware resiliency: backup process, backup infrastructure, security and networking, restoration assurance and disaster recovery.
“What we came up with was, effectively, a credit score — but instead of evaluating your financial viability, it's valuing your ability to recover from a ransomware attack,” said Taylor.
Questions include: “What % of your data do you have three copies of backup, on two different media and at least one offsite?”; “Is your backup server/appliance backed up at the highest RPO [recovery point objective] you currently have for your business critical data?; and “Is there a formal DR [disaster recovery] test plan in place?
Assessment takers are scored using a 1,000-point system. Upon completing the test, the R-Score immediately delivers recommendations on how best to address areas of weakness. However, companies can also delve deeper by signing up for a free consultation, during which time they’ll receive additional guidance from volunteer data protection experts from participating organizations.
According to Taylor, the score and its corresponding recommendations provide a clear-cut and demonstrable response to inquiries from the board of directors and other top leadership regarding ransomware resiliency.
Traditionally, said Taylor, this is “a highly complex topic that, frankly, non-technical board members have trouble getting their heads around. And so I think being able to simplify this into a simple score that can easily evaluate and tell you how you rank and what is your grade simplifies that process of communicating with the board, and simplifies the expectations from the board on down to the executive team.”
Perhaps even more intriguing is that as more companies use this tool, the operators of R-Score will be able to collect and analyze the data in order to spot trends and determine where, collectively, organizations are suffering the largest gaps in resiliency.
This will also allow businesses to compare how they did against another companies from their same industry vertical. “A big thing we heard from lots of customers we talked to is, ‘Hey, I would like to know how the people in my industry are performing,” said Subbiah Sundaram, vice president of products at Hycu.
All collected data is anonymized, however, so a company does not have to worry about its scores or vulnerabilities becoming public knowledge.
“Ransomware has reached intolerable levels and is a risk that every company needs to address,” said Kevin Mandia, CEO of R-Score partner FireEye/Mandiant. “R-Score is designed to provide a framework to measure resiliency and recovery. These are critical components to combatting ransomware actors and giving business leaders confidence that they are prepared to operate in the current threat environment.”
