The Canadian government is joining forces with the cybersecurity ratings firm SecurityScorecard Inc. to bolster defenses for the country’s critical infrastructure.

SecurityScorecard provides letter grades to businesses and organizations based on cyber resilience. The Canadian Centre for Cyber Security plans to use that information to address potential vulnerabilities in critical areas of the economy.

Companies and organizations are routinely hit by cyber breaches, typically from criminal groups seeking to extort them for money. But attacks against critical infrastructure — everything from energy and finance to agriculture and health care — are particularly worrisome because they can disrupt the economy, threaten national security and endanger lives. Hackers backed by foreign adversaries have also broken into companies in key sectors to spy, steal intellectual property or prepare for future attacks.

The consequences of these breaches became clear in 2021 after a ransomware attack on Colonial Pipeline Co. squeezed fuel supplies along the U.S. East Coast.

Since then, the Biden administration has pushed to improve cybersecurity in other critical sectors. Anne Neuberger, deputy national security adviser for cyber and emerging technology, raised the idea in September of a rating system for critical infrastructure companies in the U.S. She described a letter grading system as “game changing.”

Sami Khoury, head of Canada’s cyber center, said the country faces many of the same digital threats as the U.S. Its critical infrastructure providers are moving in the right direction, he said, but added, “I don’t think we will find ourselves in a state of saying, ‘Job done.’”

The partnership with SecurityScorecard started at the beginning of the year, and Khoury said the company’s intelligence provides an “outside-in view” of an organization’s cyber preparedness. His staff is working to understand what goes into the grades and using that information to “raise the resilience” of Canadian critical infrastructure providers, he said.

The grades won’t be used to shame companies with poor security but rather as a tool to help them improve, he said. If several utilities were found to be relatively weak in one area, like network security, they could be provided with tailored guidance to fix it, he said.

SecurityScorecard analyzes publicly available risk factors for companies and organizations, including high-risk or open areas within an organization’s network and how fast it patches its systems when updates are made available.

“It’s giving them real-time, continuous visibility into critical infrastructure,” said Sachin Bansal, SecurityScorecard’s chief business officer.