Cyberscore: the Security Rating for SMEs in Luxembourg

© IT Nation

Hi Olivier, can you briefly introduce yourself for our readers who don’t know you?

Hello everyone, my name is Olivier Antoine and I’m in charge of the Information Security Management team, which includes the Information Security Officers at POST Luxembourg and POST Telecom. As members of the Cyberforce department, we manage the day-to-day security of governance, risk and compliance.

Can you explain what a Cyberscore is?

A Cyberscore is an initiative developed by POST and Luxcontrol to help small and medium-sized companies in Luxembourg tackle cybersecurity issues more easily. It all began when we noticed that the SME sector was not a priority when it came to information security, and with Luxcontrol we wanted to offer an approach specifically designed for them.

SMEs are not immune to cyber-attacks, and have even become prime targets because they are easier to compromise. This is why SMEs need to implement tools to respond effectively to attacks, especially as it is not easy to know which tools to prioritise, let alone the resources to allocate to them. And SMEs do not necessarily have flexible budgets.

A Cyberscore is a tool used to assess a company’s level of security maturity. Based on an on-site assessment, the company is awarded a Cyberscore from A to E, accompanied by a report indicating specific strengths and weaknesses. If a company fails to achieve a sufficiently high Cyberscore, the detailed report – which includes a host of recommendations – will enable it to draw up a cybersecurity action plan. Companies can also take advantage of the support provided by POST’s Cyberforce experts.

How is the Cyberscore calculated?

A Cyberscore is calculated using responses to a questionnaire based on the CIS’ oversight standards. POST and Luxcontrol wanted an approach that was accessible to SMEs, and these standards were chosen because they focus on practical responses to known threats. The standards have been adapted to the Luxembourg context.

Of the 153 control points established by the CIS covering 3 levels of security, we have selected 91. In our view, these are the essential elements to be considered in order to assess whether a company has proper cyber security and knows how to react effectively in the event of an attack.

The various points concern key issues such as access management, team awareness and training, e-mail protection, data backup and recovery, etc. Some control points are prohibitive. If measures are not put in place to address certain issues, the final score will be negative.

How can you become a cyber responsible SME?

Following the assessment, each SME is given a roadmap enabling it to correct the identified issues. Once the recommendations have been implemented, with or without the help of POST’s Cyberforce, ESCEM, part of the Luxcontrol group, carries out a more in-depth, neutral and independent audit, so that the company may be awarded the Cyber Responsible label. We hope that in the future, this label will be recognised throughout the country and become a benchmark for regulators and insurers in particular.

Your conclusion for our readers?

Managing security is a continuous improvement process. With the Cyberscore, we want to offer SMEs an accessible tool for elevating their security maturity. This does not mean that they will not be attacked, but they will be better prepared and protected. And for companies wishing to go further, the measures put in place through this label provide a solid foundation for tackling more elaborate standards such as ISO/IEC 27001.