Some of the best business security available today looks surprisingly similar to the way credit reporting companies provide individuals with a credit score. These companies build up a picture of someone’s creditworthiness by rating them on several different factors – whether they’ve ever been bankrupt, if they have large debts, if all their official addresses add up.

IT security is starting to do the same thing when it comes to deciding who can and cannot log onto business systems. Why is this model gaining traction?

Business security is more important than ever

Almost every week we read another headline about a company getting hacked into, about millions of records compromised, or the enormous cost of breaches. Organisations everywhere are desperate to minimise the risk of these sorts of attacks.

And in the wake of the coronavirus, where people are working remotely more often, verifying that the people logging into your systems are who they say they are is especially important.


The traditional business security model is failing

Until relatively recently most organisations protected their private data by erecting a firewall around their servers. More recently, they are protecting all the devices in their network. While this is better than nothing, we have seen time and again how hackers are able to bypass these defences and wreak havoc.

Fundamentally, these approaches were never all that safe. And, in a world where people are going to be logging into your systems remotely more often, the traditional security model is just not appropriate.

Free security eBook: Introduction to Microsoft 365’s Secure Score


How the ‘credit score’ model works

The analogy of business security being like a credit score can be very helpful.

No lender would just accept somebody’s word that they are creditworthy. And this is why they use credit reporting companies to gain a full picture of the individual’s behaviour. Crucially, reporting companies don’t just take one or two pieces of information before giving someone a ‘good’, ‘moderate’ or ‘poor’ rating. Instead, they collect lots of data and add them up to decide if the person is likely to pay the lender back.

Weak protection Strong protection
Credit reporting The individual provides name, address and proof of one piece of collateral An independent business collects numerous personal details, plus a history of all addresses, registration on the electoral roll, years’ worth of spending details and hundreds of utility bills
Business IT The individual provides a username and password An automated system verifies the user’s password, their location, device, browser, normal behaviour and biometrics


Today’s security technology can analyse several different characteristics to decide if a person is who they say they are, including:

  • The location of the device they’re logging in with
  • The location of their last login
  • Whether the mobile or computer they are using is registered on your system
  • The browser the person is using
  • Normal user behaviour (such as time of day they’re active)
  • Biometric data such as facial recognition, a thumbprint, or an iris scan

Your security system will then verify the user by if they pass all of these tests.


Example: business security like a credit score

Why is this more complex system better than a traditional username and login then? The following example illustrates the benefit of this approach:

  • Adam is a salesman at your Manchester office. He usually logs into your system during office hours in the week using his personal laptop at home (which has been registered with your company). He logs in with his password and uses your company’s preferred browser which is Microsoft Edge.
  • One weekend however, Adam’s laptop gets stolen from his home while he is away visiting family. The criminals realise that they have stolen a company laptop with lots of useful information inside. Unfortunately, Adam has sellotaped his password onto the laptop lid. Normally, this error would mean the criminals would soon be inside your company’s walls.
  • Fortunately, however, you have used the credit score model for identity verification and the system prevents this from happening. The first alert would be that Adam is behaving unusually trying to log into his computer at the weekend. What’s more, he is logging into your CRM using Firefox which is not his normal browser. Finally, a facial recognition system does not recognise the criminal.
  • So, even though the thief could have bypassed two of the main ‘credit scores’ (password and device), their unusual behaviour – using the wrong browser, at the weekend and failure on biometrics – means they would still be locked out.

More security: How to use Microsoft 365 to secure your data


What is your organisation’s security ‘credit score’?

How well would your organisation perform on this kind of security ‘credit check’? Can criminals bypass your external walls and access your data relatively easily – or does multi-factor authentication make it significantly harder for them to steal data?

FITTS can help your organisation introduce this credit score model for your company’s security. To find out how this would work in more detail, watch our webinar: Identity Is the New Security. Or, to get started with this ‘credit score’ model, contact us about a free security health check funded by Microsoft.