BITSIGHT SECURITY RATINGS BLOG

Read about the latest cybersecurity news and get advice on vendor risk management, reporting to the board, managing cyber risks, benchmarking security performance, and more.

Many Third-Party Risk Management Programs are Missing Continuous Monitoring

If you’ve done your homework as a cybersecurity professional, then you know that third-party vendors with substandard security controls and processes could be putting your organization at risk.

BitSight Joins Local Boston Companies Participating in Annual Pride Parade

On June 9th, a BitSight team participated in the annual Boston Pride parade for the first time. Boston Pride is a celebration of the city's LGBTQ community and its allies that brings thousands of marchers and spectators into the streets....

NIST Cybersecurity Framework Now Includes Supply Chain Risk Management Category

Recently, the National Institute of Standards and Technology (NIST) released Version 1.1 of the NIST Cybersecurity Framework, which adds a new category on “Supply Chain Risk Management.”

How Secure is that Third Party Mobile App?

In a world where business is increasingly conducted on mobile devices, it is imperative that organizations offer mobile applications to serve their customer base. In fact, for many businesses, mobile applications are one of the primary...

A Conversation with MJ Porcello, BitSight’s VP of People & Talent

As the leader in security ratings, BitSight had a monumental year of growth moving into 2018 and we have no plans of slowing down. So far this year, 75 new employees have been hired globally with plans to hire more. This brings the current...

Meet Our Customer Success Team: David Gardner

Check out this Q&A with a member of BitSight's Customer Success team to learn about his role as a Customer Success Manager, his experience, and more.

Make Security Benchmarking a Reality

Most organizations are accustomed to benchmarking certain business areas like sales, profits, and resource allocation. These areas all have one thing in common — they are easily measured with simple, quantifiable metrics.

How Security Ratings Can Help Organizations Adhere to Hong Kong’s Cybersecurity Guidelines

Strict cybersecurity regulations and requirements (including GDPR, NYDFS, and more) continue to proliferate on a global scale. 2018 has also brought about the continuation of strict cybersecurity regulations in the...

Why Establishing Cybersecurity Benchmarks is a Must for Organizations

Effective cybersecurity involves regularly assessing the effectiveness of your organization’s policies, tools, and processes to ensure you’re staying ahead of the curve. In order to gain insight into your cybersecurity performance, you...

The State of Security in the Boardroom

In today’s evolving cyber risk landscape, Boards of Directors are becoming increasingly concerned about their company’s security performance. In fact, the NACD has found that 89% of public companies and 72% of private companies regularly...

Tips for Picking the Right Security Benchmarking Solution

Quantifying and tracking your cybersecurity performance so you can compare your organization to others, also known as benchmarking, is necessary for improving the effectiveness of your security programs.

What to Expect in Your CISO’s Cybersecurity Presentation

As a member of your company’s board, you know that cybersecurity is a critical risk that simply cannot be ignored, and that should be reported on regularly by the appropriate executives. According to the 2017 NACD Director’s Handbook on...

Why We Collaborated with Verizon on the Verizon Risk Report

When 1+1 Truly Equals 3

Recently, Verizon announced the Verizon Risk Report (VRR), a new managed service offering that provides a security assessment framework to enable customers to gain a comprehensive view of their cyber risk. By...

Building Our UI Design System

As the BitSight front end team grows we are investing in our design infrastructure to enable faster development, better collaboration, and a more unified look and feel in our product.

How Does Third Party Risk Management Relate to IT?

As advances in cloud computing and managed services have made IT operations more streamlined, the focus of IT leaders has shifted to improving efficiency, agility, and risk management. Managing risk, in particular, has become an even more...

What Are Security Ratings?

Security ratings are valuable, objective indicators of an organization’s security performance, especially when you’re looking to mitigate third-party risk, assess the cybersecurity posture of a potential acquisition, or benchmark...

3 Ways to Ensure Best-in-Class Third Party Cyber Risk Management

An effective third party cyber risk management program both identifies potential threats and finds ways to mitigate them. Organizations should aspire to the highest possible standards when it comes to their security posture. To do so, they...

Getting Started With Vendor Risk Management Assessments for IT

Mitigating risk is an essential business function that should cover obvious domains — like financial risk — but also include reputational, strategic, and operational risks.

How Long Does It Take To Assess Third Party Cybersecurity Posture?

With outsourcing continuing to rise, third party cyber risk management has become a pressing issue for organizations worldwide. Yet, many firms across the globe are approaching this challenge differently.

How BitSight Helps Drive Quick Risk Reduction Across Third Party Ecosystems

At a recent BitSight Roadshow, a customer with an advanced third party risk management program declared “assessments are not risk reduction.” The statement was not meant to convey that assessments are useless for third party risk; rather,...

Meet Our Customer Success Team: Patrick Puentes

Check out this Q&A with a member of BitSight's Customer Success team to learn about his role as a Customer Success Manager, his experience, and more.

How to Build a Realistic Cybersecurity Plan for Third Party Vendors

Since third party vendors are not under direct supervision, they are typically the weakest link of an enterprise’s IT security landscape. The largest organizations have tens of thousands of vendors, which makes managing this type of risk...

Recent Australia Privacy Amendment Reflects Growing Concern Over Third Party Cyber Risk

In February of 2017, Australia’s Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, amending the Privacy Act of 1988. These new mandatory breach notification requirements officially went into effect last...

Security Ratings Services & “Traditional” Security Solutions: What You Need to Know

It’s no surprise that cybersecurity remains a top concern for business leaders today. In fact, PwC’s 2018 CEO Survey showed cyber threats rising from the #10 organizational threat in 2017 to #4. As such, the market for...

Meet Our Customer Success Team: Micaela Courelas

Check out this Q&A with a member of BitSight's Customer Success team to learn about her role as a Customer Success Manager, her experience, and more.

Filtering Is Easy, Counting Is Hard

A few months back we added a new feature to the heart of our security ratings portal: the ability for users to not only filter companies in their portfolios, but also to see real-time updated counts of how many "filtered" companies match...

What’s In It For Me As a BitSight Customer?

In today’s day and age, reducing cyber risk needs to be a priority for your organization — but what is the most effective way to tackle building your security program? For seven years, BitSight has proven that we have the most time-tested,...

Analyzing Security Ratings of U.S. Federal Agencies & Government Contractors

The federal government relies on tens of thousands of contractors and subcontractors — often referred to as the federal “supply chain” — to provide critical services, hold or maintain sensitive data, deliver technology, and perform key...

New Singapore Cybersecurity Bill Reflects Growing Focus on Critical Infrastructure

Last year, there were several new cybersecurity developments introduced around the globe to reduce the risk of catastrophic cyber events at critical infrastructure. These include regulations from the New York Department of Financial...

Silent Cyber: What It Is & How You Can Avoid It

Companies typically buy several lines of insurance—from property, to general liability, to professional liability. When something goes wrong, it’s common for a company to run to its insurance provider and claim that it has coverage. But...

The Importance of Responsible Disclosure in Security Ratings

Last year, BitSight was proud to help drive the Principles for Fair and Accurate Security Ratings, published by the US Chamber of Commerce and supported by over 40 global organizations. The establishment of these Principles demonstrates...

Do's and Don'ts for Security Professionals Presenting to Senior Executives

Cybersecurity is a growing topic of discussion in Board meetings everywhere, and more and more security professionals are being asked to present on it in high level meetings. Company leadership is busy, so it’s your responsibility to...

Break Out Of The Tinynuke Malware

New Tinynuke variant with a DGA in the wild

Summary

Tinynuke, also known as Nukebot, is a trojan able to perform man-in-the-browser attacks against modern web browsers and equipped with the most common features of a banking trojan (e.g....

Making the Case for Vendor Security to the C-Suite

You’re responsible for information security at your organization. You dedicate yourself every day to identifying weaknesses and patching vulnerabilities in your network. You’ve developed policies to protect employees from cyber threats....

Upgrading to the Django Rest Framework V3

For security, reliability, and growth reasons, organizations constantly upgrade their software to newer releases. Some upgrades are incremental and minor in nature. Others, like the upgrade from Django Rest Framework (DRF) V2 to...

Tips for Explaining Technical Things in Simple Terms to Non-Technical Executives

You don’t have to be a CIO to know that a great IT department is crucial to the success of any large organization. With the rise of big data, artificial intelligence, and the Internet of Things, technology promises to become an even more...

The Value of Sinkholing: It’s In the Numbers

In 2014, BitSight acquired AnubisNetworks, a real-time threat data provider based in Portugal. The integration of AnubisNetworks extends BitSight’s position as the leading provider of cybersecurity ratings for organizations around the...

The Cost Of Cyber Risk: How Security Ratings Help With Policy Pricing

Policy pricing is something every insurance company and underwriter struggles with at some point. The primary issue is differentiating between the risk an applicant presents and the information you’re given. Let’s take a closer look at how...

BitSight Hackathon 2017

For the second year in a row, BitSight gave its engineers, product managers, and data and research scientists the day off from normal work to make something cool. The hackathon day had all the typical stuff: awesome custom-designed...

8 Recent, Dangerous Ransomware Examples

The threat of ransomware is rapidly increasing.

A Breakdown Of Terms In The General Data Protection Regulation (GDPR)

If your company processes the data of individuals who reside in the European Union, the General Data Protection Regulation (GDPR) is likely a hot topic around the office right now. Once the regulation goes into effect in May 2018,...

What Is the Benefit To an Outside-In Approach to Security Ratings?

When BitSight pioneered the security ratings market over six years ago, it was the first to use the outside-in approach to security ratings. Although not initially intuitive to many people, the value of this approach has become...

The Top 10 Cybersecurity Articles Of 2017: A Recap

2018 is right around the corner, and while we’re looking forward to what’s coming, we’re also thinking back on the best of this year. Here’s a look at 10 of our most frequently viewed cybersecurity articles in 2017.

BitSight Releases ROBOT Vulnerability Identification Feature

Within the BitSight Security Ratings platform, we prioritize features specifically chosen to help organizations identify and manage risks across their own networks and the networks of their third parties. BitSight now enables users to...

To Quote Or Decline? Using Security Ratings To Validate Cyber Underwriting Decisions

Determining whether you should quote or decline a cyber insurance applicant is an extensive and critical process. Typically, the decision is made after gaining an understanding of what the company does, identifying critical application...

5 Highlights Of The NYDFS Cybersecurity Regulations

In March 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulations—known as 23 NYCRR Part 500—went into effect. According to the regulation, “any Person operating under or required to operate under a license,...

Extra Budget 101: Invest in Your Cybersecurity and Risk Program

As security and risk professionals work to finish out the year, they must also be thoughtful about planning for 2018. While it’s great to end the last quarter of the business year on a strong note, it’s even more critical for businesses to...

What You Need To Know About Vendor Compliance

Compliance, at its core, is a legal term. It’s the “act or process of doing what you have been asked or ordered to do.” But creating a successful vendor compliance program isn’t as simple as asking third parties to comply with your...

A Year in Review: A Look Back on BitSight’s 2017

As 2017 draws to a close, we can’t help but be grateful for what a banner year this has been for BitSight.

Cybersecurity Vs. Cyber Resilience: A Quick Comparison Of Terms

If you operate in the cybersecurity or business continuity space, you’ve probably heard some reference to cyber resilience. While it has become a bit of an industry buzzword, it’s also a useful construct that should have important...

Using BitSight Security Ratings to Foster Close Vendor Relationships

In today’s business landscape, it’s critical to manage the risk that your vendors, or third parties, can pose to your business — and it’s not always the easiest task. It requires that organizations not only have the ability to continuously...

Vendor Risks: 5 Ways To Improve Third-Party Cybersecurity

You can’t go more than a few weeks (or sometimes a few days) without hearing about yet another company whose data was compromised after hackers gained access through a third-party vendor. These attacks show that it’s no longer enough to...

Data Breaches Within the Retail and Hospitality Industries

The holiday season is upon us, with consumers hastily laying travel plans between time spent browsing for gifts for loved ones. During this season, a few also remember that major retail breaches have long-lasting and far-reaching effects...

BitSight Executive Chairman of the Board Receives Recognition By Ronald McDonald House

Over 15 years ago, Shaun McConnon, BitSight’s former CEO and current Executive Chairman of the Board, became involved with giving back to the local Boston community. Shaun and his wife, Bonnie, sat on the Board for a Sudbury-based charity...

The 8-Part GDPR Compliance Checklist For Prepared Organisations

The May 2018 deadline for General Data Protection Regulation (GDPR) compliance is drawing closer—which means your organisation’s compliance activities should be well underway. But if you’re still looking for a place to start, here’s a GDPR...

The Importance of Speed in Driving Business Value Through Your VRM Program

In today’s expanding business ecosystem, managing vendor risk is becoming increasingly critical to protecting companies’ sensitive data. With new threats emerging daily and companies continuing to outsource, vendor risk management is an...

Examining The Growing Cyber Risk Gap

In today’s business world, the desire to transact in the digital realm is dramatically accelerating and, unfortunately, so is the cyber risk that one takes on as a result. Organizations that handle sensitive data are more likely to become...

How Mature Is Your Cyber Risk Underwriting Strategy?

If I were to ask you whether your cyber risk underwriting strategy is mature, your first question would likely be: “How do you define mature?” It’s a great question! Here’s the answer: A mature cyber risk underwriting strategy considers...

Meet Our Customer Success Team: Nurah Muhamad

Check out this Q&A with a member of BitSight's Customer Success team to learn about her role as a Sr. Customer Success Manager, her experience, and more.

BitSight Reaches Milestone of 110,000 High-Quality, Human Validated Mapped Organizations

This October, BitSight celebrated another very important milestone as the leader and pioneer of the security ratings market: now, BitSight has high-quality, historical data on over 110,000 global organizations at users’ fingertips.

Building Your Third-Party Continuous Monitoring Plan: 3 Steps You Can't Ignore

In today’s security climate, talk of proper cybersecurity procedures must include discussion of a continuous monitoring plan that applies both internally and externally (with the company’s third-party vendors). And while continuous...

How & Why U.S. Businesses Should Prepare For The General Data Protection Regulation (GDPR)

As a U.S.-based company, you may be asking yourself, “Does my company need to prepare for the EU’s General Data Protection Regulation (GDPR)?” Simply put, if you process personal data for anyone in the European Union, the answer is very...

Information Security In Banking & The Financial Industry: 3 Critical Risks Posed By Vendors

In a new report on cybersecurity in the banking and financial sector, BitSight researchers examined the security performance of more than 5,200 organizations in the Legal, Technology, and Business Services industries. These...

A Tale of An Industry: The Finance Sector & Data Breach Type Trends

September marked a month of heated discussion concerning data privacy issues, with continuing coverage in the media regarding breaches at major, global institutions. BitSight looked into the types of breaches experienced by the finance...

General Data Protection Regulation (GDPR): 12 Of Your Questions, Answered

The goal of the General Data Protection Regulation (GDPR), which goes into effect in May 2018, is to protect the fundamental rights and freedoms of individuals in the EU as it pertains to their personal data. As you might imagine, it is a...

BitSight’s Newest Alerting Capabilities Showcase Evolution of Leading Security Rating Service

This August, BitSight announced the release of several new risk vectors specifically chosen to help organizations identify and manage risks across their own networks and the networks of their third parties. BitSight chose those new risk...

5 Tips for Keeping Your Organization Safe During Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, which offers organizations the opportunity to thoroughly examine their security and risk programs and identify where any vulnerabilities might exist. Here at BitSight, we talk about risk management...

How Security Ratings Can Make Renewals More Effective

Most insurers find that the cyber insurance renewal process is fairly efficient from a time perspective—but it’s not very effective. In other words, they are able to quickly re-underwrite a company in their portfolio, but don’t have any...

Announcing BitSight Executive Reports

An increasing number of security and risk management executives are being asked to present to the Board of Directors on the state of their — and their third parties’ — security and risk programs. A recent joint survey by Veracode and NYSE...

12 Daunting Ransomware Statistics

Between the massive WannaCry and NotPetya attacks of 2017, which reached businesses across the globe, ransomware is on the minds of many security professionals. Interest continues to increase as ransomware evolves into one of the most...

Ransomware Cyber Attacks: Which Industries Are Being Hit The Hardest?

Ransomware is rapidly becoming one of the most common forms of malware distributed on systems all over the world.

Making Vendor Risk Collaborative, Not Combative

Reducing cyber risk that stems from third and fourth party vendors is no easy task. It requires that organizations not only have the ability to continuously monitor and identify new risk, but also the ability to work with their vendors to...

Are Vendors Meeting Your Company’s Security Standards?

When it comes to vendor risk management, organizations ultimately need their vendors to meet the same standard of security performance they hold for their own organization. For years, the Finance industry has been a trailblazer in managing...

Where Should You Be Spending Your Cybersecurity Budget?

The goal of cybersecurity is to help mitigate or prevent a cyber attack that could cause significant harm to your business, your operations, your financial performance, or your customers. But organizations with mature cybersecurity...

Should You Underwrite A Company That’s Been Breached Before?

In many lines of insurance, claim activity is part of the norm—and it’s expected that you’ll have to underwrite to losses consistently. For example, in casualty lines, it’s common to have workers file for worker’s compensation because of...

3 Crucial Cybersecurity Reporting Methods To Begin Using Today

Today, businesses are at an interesting intersection when it comes to cybersecurity reporting: with modern technology, tons of data and thousands upon thousands of metrics are available to report on—but it’s difficult to determine which...

Cybersecurity In Financial Services: Analyzing Third- & Fourth-Party Best Practices

The financial services industry is known for its mature cybersecurity programs. There are many drivers for this, one being the increasingly strict regulatory environment. For example, the Office of the Comptroller of the Currency (OCC)...

Cybersecurity For Law Firms: A Business Risk To Take Seriously

The legal sector is one of the more interesting industries to examine when it comes to cybersecurity—and there are a few reasons for this. First, law firms and other legal organizations are among the most widely used third parties. While...

4 Insider Secrets Of The Superstar CISO

In today’s business environment, companies are often focused on how to best use technology to acquire new customers and improve the customer experience, as these IT applications help generate revenue for the organizations. But every CISO...

The Importance of Actionable Metrics in Managing Vendor Risk

In today’s market, an increasing number of security and risk management executives are being asked to present to the Board of Directors on the state of their — and their third parties’ — security and risk programs. Gartner estimates that...

What Your Board Does (& Doesn't) Need To Know About Cybersecurity

Special thanks to Venky Ganesan, the managing director of Menlo Ventures, for his insights into this topic.

Cybersecurity training for boards of directors has become more common in recent years. But just because cybersecurity in general is...

Outdated Mobile Devices Double the Chances of a Breach

A key factor in the widespread reach of the WannaCry ransomware attack earlier this year was that, prior to the attack, companies in more than 100 countries had failed to apply a critical update (MS17-010) from Microsoft. This attack, along...

Busting the Myths: Is Proprietary Data the Only Data That Counts?

In the security ratings market, some offerings claim that a staggering percentage of the data they leverage is proprietary, and downplay the value of externally sourced data. While these companies may state that (close to) 100% of their...

Meet Our Engineers: Nick Whalen

Want to know what it’s like to be an engineer at BitSight? Check out this Q&A with a member of our engineering team to learn about his role as Team Lead, his experience, and more.

BitSight’s Newest Risk Vectors Highlight Innovation in Security Ratings

Within the BitSight Security Ratings platform, we analyze risk vectors specifically chosen to help organizations identify and manage risks across their own networks and the networks of their third parties. Over the past few months,...

4 Cybersecurity Risks Healthcare Providers Face With Their Vendors

If you’re involved in a healthcare-based organization, you’ve likely noticed the push for stronger vendor security and vendor risk management (VRM) practices. There are a few reasons for this.

5 Risks Of Outdated Software, Browsers, & Operating Systems

If more than half of an organization's endpoints are outdated, its chances of experiencing a breach nearly triple.

Are Data Breaches Actually on the Rise?

Security media is pervaded by seemingly ever-increasing and ever-worsening reports of data breaches at businesses ranging from your mom-and-pop corner store to large retail and internet giants. But how accurate is the perception that...

Why Loss Runs & Trends Alone Are Not Enough To Make Cyber Underwriting Decisions

A loss trend can be defined as a projected loss expectation based on historical data. If you find that past losses might be indicative of potential future losses, you can then use this information to price your services accordingly. 

How Can Existing Vendor Risk Management Programs Efficiently Scale to Meet the Current Demand?

In today’s world, organizations must be extremely conscientious about their vendors. It is just as important to be aware about the security of third-party networks as it is to be aware of their own. In April 2017, Netflix’s new season of...

Meet Our Engineers: Kevin Amorin

Want to know what it’s like to be an engineer at BitSight? Check out this Q&A with a member of our engineering team to learn about his role as an engineering director, his experience, and more.

Team Fun In The Summer Sun: Community Engagement at BitSight

Here @BitSight, we are committed to our mission to transform the understanding of cyber risk through the usage of Security Ratings. It’s pretty serious stuff and involves lots of inspiration and even more perspiration. BUT we are not just...

Cybersecurity In The Boardroom: A Complete Guide For Security Professionals

CISOs, CIOs, and other security professionals are taking on major roles at some of the largest organizations in the world, providing guidance on better data protection and security. They win business, which translates into profitability for...

The “Swap” Model: Is Your Goal to Mitigate Risk...Or Just Move it Around?

In today’s security ratings services market, a few companies have offerings described as “swaps” or “slots.” When considering third party monitoring, this gives organizations the option to “trade out” which vendors they are monitoring when...

Meet Our Engineers: Caroline Gallagher

Want to know what it’s like to be an engineer at BitSight? Check out this Q&A with a member of our engineering team to learn about her role as a software engineer, her experience, and more.

How To Balance Speed & Quality In Cyber Underwriting Practices

As an underwriter who’s constantly trying to balance being both quick and careful, the worst thing you can do is treat every single applicant the same. Doing so can ultimately be setting you up to take on more risk than you’d expect. Of...

What Is Endpoint Security & Why Is It Important?

From an IT perspective, an important part of endpoint security refers to ensuring that the endpoint devices connected to your network—computers, laptops, mobile devices, tablets, etc.—are running on the latest version or patch to all...

Scaling Our SPA

BitSight recently completed a reorganization of a large part of our Single Page Application (SPA) code. Our goal was to make our codebase more scalable and developer-friendly by adding a few simple rules for where different parts of the...

Vendor Risk Management: What Increases Your Risk & How To Combat It

Organizations today aren’t single entities—they are interconnected networks of third parties. While third party relations are critical for success in the majority of businesses, they also leave data more vulnerable to exposure. In today’s...

How Practitioners Can Share Their Security Expertise With the Board

There’s no doubt that organizations understand the value of implementing strong cybersecurity programs and encouraging their third parties to do the same. As data breaches continue worldwide, 63% of those breaches are caused through a...

Breaking Down Your Cybersecurity Team Structure: 7 Important Roles & Responsibilities

You’ve heard it said that a chain is only as strong as its weakest link. When it comes to your cybersecurity team, this adage couldn’t be more appropriate. If you want this team to perform with both diligence and accuracy, it’s critical...

Why You Should Consider Aggregate Portfolio Risk In Your Book Of Business

Considering aggregate portfolio risk is critical for insurance companies—which means it’s important to differentiate between concentration risk and aggregation risk. 

Cyber Risk Should Be A Growing Concern to the Municipal Bond Market

Following an increase in ransomware cyber attacks, most notably May 2017’s WannaCry attack, U.S. public sector entities are starting to see the effects of these attacks on the almost $4 trillion municipal debt market. As a result, issuers...

Petya / NotPetya: What Security Diligence Tells Us

Many details of yesterday’s ransomware attack are still being worked out, and its impact is still being assessed. Yet there are many security diligence steps organizations can take to reduce exposure to these types of attacks....

Meet Our Data Scientists: Ryan Heitsmith

Want to know what it’s like to be a data analyst? Check out this Q&A with a member of BitSight’s data science team to learn about what he does at BitSight, his experience, and more.

Summarizing Federal & State Data Breach Notification Laws

If your organization handles or works with a certain type of data, you have a legal obligation to protect that data. Generally speaking, this could refer to personal information like names, identifiers (e.g. social security numbers),...

Catching the Blind Spots of Vendor Risk Management

In today’s day and age, organizations understand that data breaches are a growing problem, but many fail to realize that a third party breach can impact them as much as a breach on their own network. Here we’ll examine several...

Takeaways from the 2017 Gartner Security & Risk Management Summit

This year marked another great Gartner Security & Risk Management Summit with over 3,000 attendees, bringing together CEOs, CIOs, CISOs, IT Directors, Risk Managers, and other risk and security professionals to National Harbor, MD from...

8 Free Cybersecurity Resources For Risk Managers & CISOs

Anyone who works in cybersecurity or organizational risk on a regular basis knows how valuable it is to stay up to date on the latest research. If you’re curious about a specific topic—anything from vendor security assessments to...

Keeping Your Reputation Safe: Why Monitoring the Attribution of IP Addresses Matters

BitSight Security Ratings are based on security events and configurations present on a company’s digital infrastructure. As we discuss these ratings with companies, we’ve found that many of them have infrastructure registered to them that...

4 Reasons To Use Security Ratings Before Your Next Acquisition

For years, cybersecurity was considered a “check-the-box” discussion during the merger and acquisition (M&A) process. It was almost always examined to ensure there weren’t any glaring issues or major red flags—but there wasn’t a whole lot...

Meet Our Engineers: Nuno Boavida

Read this Q&A with a member of BitSight’s engineering team to learn about his role as a front-end developer in our Lisbon office, his experience, and more.

5 Credible Cybersecurity Threats To The Financial Services Sector

The financial services sector has traditionally been viewed as highly mature when it comes to cybersecurity initiatives. In fact, this BitSight Insights report found that the financial sector had the highest Security Rating of all examined...

Latest BitSight Insights Explores A Growing Risk Frequently Ignored: Critical Updates

Last month, thousands of computers across the world were infected by a strain of ransomware known as WannaCry. Estimates show that this massive attack impacted over 300,000 computers across banks, hospitals, telecommunications services,...

Meet Our Data Scientists: Jessica Louie

Check out this Q&A with one of BitSight’s data scientists to learn about what she does as a part of our data science team, her experience, and more.

CIO Vs. CISO: Who Does What?

Every organization handles security differently, based on their needs and internal structure—but in some midsized and large companies, both the chief information officer (CIO) and the chief information security officer (CISO) are involved. 

How BitSight Helps Scale the Current Assessment Approach to Vendor Risk Management

While your current Vendor Risk Management (VRM) program may have areas of strength, there is most certainly room for improvement. Vendor Risk Management programs are a significant driver of both internal and external advisor time,...

Meet Our Engineers: Kevin Chen

Want to know what it’s like to be an engineer at a fast-growing start-up? Check out this Q&A with a member of BitSight’s engineering team to learn about his role as Engineering Manager, his experience, and more.

Assessing the Global Impact of WannaCry Ransomware

Since our initial post during the breakout of WannaCry ransomware, our Research & Development team has learned more about the spread of this malware. While the outbreak of this ransomware surprised the entire security community, the amount...

12 Key Takeaways From 6 Cybersecurity Insights Reports

At BitSight, our data scientists are constantly analyzing new cybersecurity trends and information and then extracting the data most pertinent to our customers. With those findings, we create what we call a BitSight Insights report. Below,...

Meet Our Data Scientists: Tom Montroy

Want to know what it’s like to be a member of BitSight’s data science team? Read this Q&A with BitSight’s Senior Data Scientist, Tom Montroy, to learn about his job, experience, and more.

5 Things To Consider While Building Your Continuous Security Monitoring Strategy

At the outset of building a continuous security monitoring strategy for the purposes of cybersecurity, you first need to understand how data can be compromised. The three main ways are:

Meet Our Engineers: Brian O'Halloran

Check out this Q&A with a member of BitSight’s engineering team to learn about his role as a Senior Test Engineer at BitSight, his experience, and more.

Understanding the Effect of DoublePulsar and WannaCry Across Industries is the Key to Protecting your Supply Chain

The Shadow Brokers, a hacking group known for releasing exploits and vulnerabilities allegedly used by the National Security Agency (NSA), published a cache of tools over a month ago on April 14th. This release had initially caused panic...

Vendor Risk Management: 5 Ways To Improve Your Efficiency

Consider this: If you’re part of a large company with thousands of suppliers, you need efficient processes and tools to get a good sense of the risk those suppliers present. If you’re a part of (or own) a small company with only 20...

5 Must-Haves When Transitioning to a Single Page Application

Spend any time in web development and you will be struck by the daunting pace at which the technology landscape changes. The must-have technologies of today quickly become the legacy spaghetti code of yesterday. In some cases, adopting...

7 Of The Best Outlets For Data Breach News

Staying up-to-date on the latest data breach news is something most security professionals want to do more of. These seven outlets make finding information on data breaches and analysis therein much easier. We’ve listed them below—take a...

Two Years Later, Still at Least Twice as Likely

In 2015, BitSight published a report, Beware the Botnets: Botnets Correlated to a Higher Likelihood of a Significant Breach. In that report, researchers discovered that companies with botnet grades of ‘B’ or lower were more than twice as...

5 Examples Of Sensitive Data Flowing Through Your Network (& How To Protect It)

As a security professional, it’s critical to understand the many ways data could be inadvertently exposed. But first, let’s define what sensitive data actually is, as people often have different ideas. 

TransUnion Receives CSO50 Award with Enterprise Security Ratings Platform

Information security leaders today are faced with increasingly complex challenges, needing to balance the demands of a growing business against the risks of operating in a global, connected marketplace. To be successful, they must bring a...

The 8 Most-Read Cybersecurity Articles On The BitSight Blog

Among other things, cybersecurity is a primary focus on the BitSight blog. The following is a list of BitSight’s most-read cybersecurity articles and resources on the topic over the past couple of years, along with a description of what...

How To Communicate Cyber Risk As A CIO

Five to 10 years ago, communicating cyber risk wasn’t just difficult—it was downright rare. CISOs and CIOs were almost never asked to report metrics on cybersecurity to anyone except their direct supervisors.

What You Need To Know About Fourth-Party Vendor Risk

Over the last few years, awareness of the importance of monitoring third-party vendors has increased. You have likely heard—and agree—that because of how interconnected organizations are today, it’s critical to make sure your vendors...

Analyzing Cybersecurity & Reputational Risk Management In Financial Institutions

Reputational risk is the potential for damage to an organization’s character or good name. If a bank or financial institution is hit with an incident that puts a mark on its reputation, the event could compromise the company’s perceived...

Inherent Risk: How Insecure Systems Pose a Threat to Network Security

A few months ago, Anubis BitSight Labs researchers discovered that millions of low-cost Android phones, many of them in the United States, were vulnerable to Man-in-the-Middle attacks. The backdoor could be exploited through unregistered...

Sovereign Security Ratings: Assessing Cyber Risk At The National Level

BitSight is thrilled to announce BitSight Sovereign Security Ratings, the first objective measurement of national cybersecurity performance. Sovereign Security Ratings measure the security hygiene of nations by observing their IP space and...

4 Things CISOs & Security Managers Are Thinking About Today

We were curious about what CISOs and security managers have on their minds these days—so we searched around online and asked a few to share their thoughts. Below, you’ll find some interesting insights and observations to get a good...

Using BitSight Security Ratings to Ensure Cyber Hygiene

Last week, one of BitSight’s board members, Venky Ganesan of Menlo Ventures, gave a testimony to the Senate Commerce Committee on “The Promises and Perils of Emerging Technologies for Cybersecurity”. Watch his testimony here.

Cyber Insurance Underwriting: What Role Do Security Ratings Play?

If you’re involved in the cyber insurance underwriting process—from the transaction to the ongoing operations—you’re constantly looking for things to help you (and your team) select better risks. Here are three specific ways BitSight’s...

New Research: W-2 Phishing Scams Increase During Tax Season

Stress and worry are emotions that are often linked with the period between the beginning of a new year and mid-April, the federal tax filing deadline. Modern technology has brought with it techniques and applications that reduce this...

How To Combat Security Risks In Cyber Insurance

As an underwriter in the cyber insurance industry, you know that insurance is all about information. You’re responsible for making decisions about your applicants based on the details given to you—but you’re also aware of the potential for...

How Secure Are America's Largest Business Partners?

Fortune 1000 organizations are acknowledged for generating significant amounts of revenue. Yet beyond bringing in a considerable amount of money, these companies are also integral to the supply chains of many organizations around the...

A Breakdown Of Recent OCC-Issued Examination Procedures For Third-Party Risk Management

Financial regulators have long been concerned about the cyber risk associated with third-party-supplied products or services in financial institutions. For example, in 2013, federal financial regulators put out an issuance to financial...

BitSight’s Response to “Cloudbleed” and a Framework for Addressing Third Party Vulnerabilities

As we discussed in a previous blog post, Cloudflare suffered a serious bug that caused private information from any Cloudflare customer and their users to be publicly leaked onto websites that had corrupted web content. Any person with...

Cloudbleed: Breakdown of Cloudflare's Memory Leak

On Thursday, February 23rd, Cloudflare announced a serious bug in its caching infrastructure that caused uninitialized memory to be printed on a number of its customers’ websites. This information included sensitive data such as passwords,...

Necurs Proxy Module With DDOS Features

Necurs is a malware that is mainly known for sending large spam campaigns, most notably the Locky ransomware. However, Necurs is not only a spambot, it is a modular piece of malware that is composed of a main bot module, a userland rootkit...

What Should Be In Your Security Benchmark Reports?

A security benchmark report is a document that helps an organization identify their cybersecurity capabilities and initiatives and compare those efforts to peers or competitors of the same sector or size. This snapshot is prepared either...

4 Things You Should Include In Your Data Breach Response Plan

If you’re working on organizational cybersecurity, one of your top goals is likely putting a system in place that will help identify data breach incidents as quickly as possible, whether that data is inside your organization or with one of...

Cybersecurity Compliance: Regulations For 7 Industry Sectors

Over the last 5-10 years, we’ve seen a major uptick in the number of regulations across all sectors regarding cybersecurity. The following is a brief look at how cybersecurity regulations have been implemented across seven sectors and...

RSA Conference 2017: Practical Tips To Make Your Experience Easy As Pie

The annual RSA Conference is upon us once again! I don’t know about you, but at BitSight, we always look forward to joining 40,000+ of our closest friends and fellow security professionals in the city by the bay.

4 Reasons Traditional Vendor Risk Management Strategies Fall Short

Vendor risk management (VRM) is the practice of evaluating business partners, associates, or third-party vendors both before a business relationship is established and during the duration of your business contract. This is a...

5 Reasons To Uncover Third-Party Risk With Security Ratings

Any seasoned vendor risk manager will tell you that determining whether a particular third party’s cybersecurity is up to your standards—and deciding how much risk to assume through your relations with your vendors—is not a simple task....

Dridex Botnets

Dridex is a banking trojan that uses an affiliate system for its botnets. We have documented the Dridex communication and P2P protocols in the past. In this post we want to shed some light on all the known botnets, their respective...

Uncovering the Impact of the MongoDB Vulnerability

Over the past couple of weeks, a major issue has surfaced affecting numerous companies that use MongoDB to store their data. Those who install MongoDB on a server and use default settings are exposing their data to the internet and...

13 Cybersecurity Training Tips For Employees (From 7 Insiders)

Anyone in the security space can agree that a solid cybersecurity policy goes a long way. But not everyone in your organization is a security expert. In fact, many employees may not know the first thing about firewalls or viruses—which is...

Using Security Ratings and the NIST Framework as a Map to Cybersecurity Maturity

On February 12, 2013, President Barack Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which called for collaboration between government and the private sector to create a set of standards for...

Cybersecurity Risk: A Thorough Definition

Risk is commonly defined as threat times vulnerability times consequence. This formula applies to anything that could be exposing you to danger, but when applied to cybersecurity—the unique risks individuals and businesses face as a result...

New Report: Cybersecurity In The Legal Sector

Cyber criminals are constantly looking for new ways to gain access to sensitive information, trade secrets, or intellectual property from companies with strong security measures. But if those organizations have strong security measures in...

4 Cybersecurity Trends You'll See In 2017

During 2016, a lot happened in the realm of cybersecurity, and we witnessed a number of noteworthy events and trends: 

A View into the Dark Web

There is a parallel universe in the cyber world known as the “Dark Web.” It’s a part of the Internet inaccessible via standard browsers or search engines, and it’s where cyber criminals share botnet kits, trade bitcoins, and recruit other...

Don’t Ignore Law Firms: Why Cybersecurity in the Legal Sector Matters

Vendor security is becoming a focal point of risk management for many organizations. In many ways, this trend started with the Target breach from 2013, which highlighted the extensive financial and reputational impact of a third party...

The Top 7 CIO Challenges In 2017

In today’s security landscape, the CIO has a large and important role to fill. They must be aware of and compliant with regulations in their industry, focus on ensuring that the right security controls are in place for the organization and...

Driving Greater Prioritization In Vendor Risk Management

With third parties becoming a major attack vector into organizations, BitSight is focused on enabling security and vendor risk professionals to better prioritize their efforts when it comes to identifying and monitoring cyber security...

Data Breach Statistics: 7 Of The Most Reputable Sources For Good Data

Understanding the consequences of cyberattacks and the importance of putting cybersecurity measures in place is more important today than ever before. Therefore, the need for data-driven breach statistics and facts from the cybersecurity...

BitSight Adds Analytics to Empower Vendor Risk Decision Making

BitSight customers can now gain greater insight into the cybersecurity risk of their vendor ecosystem and measure the efficacy of their third party cyber risk programs. BitSight’s new Portfolio Quality Dashboard generates interactive...

How To Approach IT & Cybersecurity Benchmarking As A CIO

To a chief information officer (CIO), cybersecurity is a multifaceted concern. Not only could a breach that results in a loss of sensitive data or information be a legal or reputational nightmare for their organization, but it could also...

Ragentek Android OTA Update Mechanism Vulnerable To MITM Attack

In this article, we will be detailing an issue we discovered affecting a number of low-cost devices. It allowed for adversaries to remotely execute commands on the devices as a privileged user if they were in a position to conduct a...

Analyzing The CIO's Roles & Responsibilities Regarding Cybersecurity

The chief information officer (CIO) has traditionally owned IT security—and in recent years, cybersecurity has become a larger part of the modern CIO’s responsibility. Cybersecurity is a company-wide issue—and it’s everyone’s...

Red Cross Data Breach: How 550,000 Australian Donors Were Exposed

In 2015, the Australian Red Cross contracted with a web development company called Precedent to create a new website. Unfortunately, the vendor left sensitive donor information from the Red Cross in a backup database on a public-facing...

What Is Concentration Risk Management & Why Should It Matter To Insurers?

As insurers underwrite their book of business, they must have a good grasp on what potential losses could look like for each of their applicants. To better understand this, they evaluate hundreds of metrics—including those related to...

Cybersecurity In The IoT (Internet Of Things): What You Need To Know

The “Internet of Things” (or “IoT”) is a blanket term that encompasses embedded devices that are connected online. There’s a slew of devices that fit within this category, ranging from consumer applications (like “smart” refrigerators and...

Calculating The Cost Of A Data Breach: Factors You Should Keep In Mind

A recent IBM study found that the average cost of a data breach has hit $4 million—up from $3.8 million in 2015. There are countless factors that could affect the cost of a data breach in your organization, and it’s virtually impossible to...

Forbes Names BitSight as one of the Next Billion-Dollar Startups of 2016

On October 19th, Forbes released its second annual list of soon-to-be billion-dollar startups. BitSight is proud to be part of this year’s list and excited about what the future holds for the company.

Ransomware's Impact On Government Cybersecurity

In our most recent BitSight Insights report, we discuss the pervasive issue that is ransomware. The report states that education has the highest rate of ransomware across all industries—and government comes in second. 

What Is Cyber Risk and How Does It Affect Selecting Vendors?

When using dozens, hundreds, even thousands of vendors, how safe are a company’s digital assets? According to a recent Ponemon Institute study, almost half of respondents (49%) said that they had experienced a data breach caused by a vendor...

DNS Outage Sheds Light on Service Provider Reliance and Cyber Risk Aggregation

Written with the assistance of Dan Dahlberg, Ethan Geil, and Ross Penkala.

Last Friday morning, a distributed denial of service (DDoS) attack was carried out against Dyn, a managed DNS provider that offers Internet services for Twitter,...

Cybersecurity Audit Vs. Cybersecurity Assessment: Which Do You Need?

Whether you’re a CIO or a CISO that has been asked by the board to facilitate a cybersecurity audit or you’re a member of the board and are planning to request one, it’s extremely important to know what a cybersecurity audit is and what it

Technology Resiliency & Outsourcing (TRO): Familiarize Yourself

In a recent Huffington Post article, Shared Assessments senior director Tom Garrubba discussed how third-party risk management has become an important topic to many executives and board members around the world. He recalls a conversation...

13% Of The Higher Education Sector Has Been Infected With Ransomware

Hackers look at ransomware as a quick payday, so they are very opportunistic in terms of their ransomware attack strategy. They cast a wide net, but tend to focus on target industries they think are more likely to click their links.

Ideas For Incorporating Continuous Risk Assessment Software Into New Vendor Selection

Onboarding third-party vendors that will have access to your network and data can have dire consequences if you don’t have the ability to gauge vendor risk.

Bolek – An evolving botnet targets Poland and Ukraine

Bolek is a recent malware from the Kbot/Carberp family. We first heard about this malware from the cert.pl blog post in May 2016, and since then, a few others have published additional information about it (links below).

Takeaways From Yahoo's 500-Million-Account Breach

Last month, email giant Yahoo announced the compromise of 500 million user accounts—which is being called the largest breach from a single site in history. The breach compromised names, email addresses, telephone numbers, dates of birth,...

Simplifying Vendor Selection Criteria Using Security Ratings

Ponemon Institute’s study, Data Risk in the Third-Party Ecosystem, highlights the challenges that companies face in protecting sensitive and confidential information shared with third parties.

  • Of the respondents surveyed, 37 percent do...

Debunking Security Rating Myths

Security Ratings are still a relatively new phenomenon. As a result, many security and risk professionals are still familiarizing themselves with how ratings work, the data used to compute ratings, and how ratings are put into action. We...

How To Build Your Vendor Compliance Manual For Cybersecurity

Today, organizations don’t just ask their vendors, business partners, and third parties to perform a service or provide a product. They also expect them to meet a number of contractual requirements. Financial and legal requirements are...

The Cybersecurity Pocket Dictionary: 24 Terms You Should Know

Like many technical industries, cybersecurity has a lot of specialized lingo. But there are two dozen cybersecurity terms in particular that are critical to understand. We’ve defined them here (in alphabetical order) and linked to a few...

The Rising Face of Cybercrime: Ransomware

Ransomware has been all the talk lately in the security industry, and deservedly so. These attacks have surged in the last year: hospitals, banks, and local police departments have all been infected with ransomware. Organizations have been...

AndroidBauts - Advertising with a bit more than expected

From time to time we have the opportunity to sinkhole domains that have a high volume of traffic and are part of a mobile device botnet. In the beginning of July we registered a domain that we found to be part of the AndroidBauts family...

How Does BitSight Work? A Look At Security Ratings & How They’re Used

What is BitSight?

BitSight’s goal is to translate complex cybersecurity issues into simple business context through the use of security ratings. In doing this, BitSight helps companies:

  • Understand their own security performance, and the...

3 Attack Vectors That Lead To Cybersecurity Breaches

When we talk about cybersecurity events, we often discuss “the three principles of security”—which are often abbreviated “CIA”: 

A Vendor Risk Management Checklist For Small Companies

Vendor risk management (VRM) is a very broad category that encompasses all the measures an organization may take to prevent issues or business disruptions that arise due to vendor and third party relationships. Legal issues, past...

How Point of Sale Breaches Happen

In recent weeks, the security news has been dominated by announcements of data breaches resulting from Point of Sale (PoS) malware present on payment processing terminals. All 350 North American Eddie Bauer retail locations and 20...

Vendor Risk Management Best Practices to Prevent Embarrassing Headlines

You’ve likely heard your fair share of mortifying headlines involving IT vendor management. Many of the highly publicized breaches in the last several years occurred simply because the companies did not follow basic best practices for IT...

Torrents: the good, the bad, and the ugly

A number of leading torrent websites have gone offline recently, drawing attention again to the use of torrents to share copyrighted material. But the absence of these sites doesn’t mean torrents have stopped. Torrenting is a peer-to-peer...

The 4 Most Important Vendor Risk Management Principles For Security Managers

Organizations today aren’t single entities—they are interconnected networks of third parties. And while third party relations are critical for success in most businesses, they also leave data more vulnerable to exposure from bad actors....

Security Breaches In Healthcare: How These 7 Recent Cases Happened

There have been a number of large healthcare breaches in recent years. In fact, the Washington Post called 2015 the “year of the health-care attack.” This chart, accessed from Modern Healthcare, represents 11 of the largest healthcare...

Breaking Down 3 Of The Latest Cybersecurity Breaches

Even with every safeguard in place, it’s simply impossible to avoid all cybersecurity breaches. That being said, there are things you can do to lower the chance of a catastrophic one happening in your organization. By looking at a few...

5 Common Issues When Building An Information Security Management System (ISMS)

What is an Information Security Management System?

An information security management system (ISMS) is a structured approach used to better manage your company’s most critical data and information. It can be achieved by adopting an ISMS...

8 Cybersecurity Managers & Influencers To Follow For Thought Leadership

If you’re looking for some thought leadership in the information security space, searching #cybersecurity on Twitter isn’t going to give you clear advice or direction.

Why Cyber Insurance Providers Need Security Ratings

Why cyber insurance?

While cybersecurity insurance is a relatively new line of service in the industry (it’s only been around for the last 10-15 years), it is currently the fastest-growing form of insurance. And it’s no wonder—today, a...

The FDIC Breaches: Uncovered

The Federal Deposit Insurance Corporation was brought into existence in 1933 in the wake of catastrophic bank failures that occurred during the Great Depression. The FDIC’s most recognizable function is insuring deposits up to $250,000,...

How To Introduce Information Security Risk Assessment Methodology To Your Company

Today, performing information security risk analysis is an accepted part of managing any business, and it’s something most CEOs and board members take very seriously. They don’t just want to “check a box” for information risk management...

9 Critical Responsibilities Of The Cybersecurity Manager

In a nutshell, a cybersecurity manager serves as the expert on cybersecurity protection, detection, response, and recovery.

A Security Rating Versus A Security Score

Assessing the cybersecurity posture of trusted vendors, suppliers, and other business parties is a very complex task. With so many different elements involved to secure a network, it’s rare that a company is simply just “good,” “average,”...

How Different Industries Have Fared In Data Breach Prevention

PwC recently published The Global State of Information Security Survey 2016, which highlights security trends in a number of industries and key themes across all industries.

Brexit and Cybersecurity: Anger Is an Energy

Right now, the UK is in political turmoil, which makes any long-term cyber security predictions difficult. But it is possible to make statements about cybersecurity in the short term.

ISO 27001: A Definition & 5 Critical Implementation Questions Answered

What is ISO 27001?

To understand 27001, you need to first understand ISO. ISO is the acronym for the International Organization for Standardization, which creates international standards in virtually every industry. In fact, the...

3 Recent Data Breaches & What You Can Learn From Them

It is well understood that an organization can never be 100% safe from data breaches—but it is possible to lower your company’s likelihood of experiencing a breach by using a number of good cybersecurity practices. Below, we’ve outlined...

3 Critical CISO Roles & Responsibilities

A chief information security officer (CISO) is a senior-level executive who wears many hats in the realm of cybersecurity—but is primarily responsible for translating complex business problems into effective information security controls. 

How CISOs Should Establish A Vendor Management Process

Vendor management spans a wide variety of topics: from contracts, to metrics, to relationships, and beyond. But one of the most critical aspects of vendor management—particularly for a CISO—is how to manage the risk your vendors bring to...

Infection counters & measurement techniques

In June 2016, we observed an all-time high in the number of infections worldwide, breaking the previous record and raising the number of unique active observed IPs to 20,579,894 measured over a 7-day time window.

What To Include In Your Cybersecurity Board Of Directors Presentation

Most boards today know that cybersecurity is a critical issue that simply cannot be overlooked—which means many boards today receive regular briefings on the topic. If you’re a new CIO or CISO (or your organization has just begun this...

Cybersecurity Policy & The Role Of The Executive Team

One of the primary roles of senior executives—from the CISO to the general counsel and all the way up to the board of directors—is to ensure that an organization has policies set in place for cybersecurity.

2015 Publicly Disclosed Breach Data

In 2002 California became the first state to pass a data breach notification law, requiring companies doing business in the state to disclose any breach of the security of computerized data including personal information. The law went into...

28 Data Breach Statistics That Will Inspire You (To Protect Yourself)

The importance—and urgency—of cybersecurity measures has become increasingly visible in recent years. Yearly industry reports from the likes of Verizon, Trustwave, and PwC all express the importance of cybersecurity measures and the...

Analyzing Important Supply Chain Risk Management Data

Surveys highlighting third-party security and supply chain risk management best practices are conducted regularly. Many of them draw a similar conclusion: that supply chain risk management is a critical issue IT professionals are aware of,...

The Underlying Threat to the Supply Chain: Cloud Service Providers

Organizations have come to depend on cloud service providers for key services - from email and domain registrars, to payment processors and certificate authorities. According to the 2015 Cloud Computing Survey by IDG, 72% of organizations...

Third-Party Security: How To Successfully Monitor For Potential Breaches

Recently, BitSight commissioned Forrester Consulting to examine the practices of IT decision-makers as they relate to monitoring and managing third-party risk. From the survey, we learned that 59% of IT decision-makers indicated a desire...

File Sharing & Email Security Across The Globe

Despite all the complex cybersecurity threats facing organizations around the globe, employee behavior often leads to security compromise. In a recent Experian survey, 66% of data protection and privacy training professionals say employees...

Monitoring Necurs - The tip of the iceberg

Anubis Networks began monitoring Necurs, a malware family known for its rootkit capabilities, in August 2015. Since then we have been able to observe approximately 50,000 unique IP addresses connecting to our sinkhole over a 24 hour...

BitSight Insights: A Global View of Security Performance

BitSight is proud to announce the release of our latest research report, “BitSight Insights Global View: Revealing Security Metrics Across Major World Economies”. This report looks at the Security Ratings of a random sample of 250...

Do Investors Care About Cybersecurity?

Given the financial, reputational, and legal harm that can arise from cyber breaches, corporate shareholders and investors are increasingly concerned about the cybersecurity of the companies in their investment portfolio. How will...

The Newest Role Of The Board Of Directors: Cybersecurity

Over the last several years, there has been a growing chorus of security professionals advocating for a new responsibility in boards: focusing more on cybersecurity. This is a valid concern, as threat actors in recent years have proven...

The Top Cybersecurity Threats Of 2016: An Overview For Board Meetings

Boards today have a vested interest in the cybersecurity posture of their companies. Because of this, board members are increasingly interested in being briefed on top cybersecurity threats and understanding the countermeasures that should...

Which Vendor Management Metrics & KPIs Should You Track For Cyber Risk?

“You can’t manage what you can’t measure.”

This adage may be overused in business, but there’s a reason for it. Simply put, if you want to improve your vendor risk management program or get a better look at your vendor’s security posture,...

4 Cybersecurity & Information Security Metrics To Report To The Board

There are many different metrics that a CISO or CIO collects to measure the performance and effectiveness of the organization’s cybersecurity program. But only a select number of these metrics hold enough weight to be reported to the C-suite. The...

UK Cybersecurity Strategy: 5 Things To Keep In Mind

We’ll start by saying there isn’t anything inherently different about a U.K. cybersecurity strategy compared to one in, say, the U.S. But many countries do face some specific cybersecurity strategy challenges, whether they’re regulatory or...

Introduction To Information Risk Management In The UK

Before we go into details about managing information risk, let’s start with a working definition we can refer back to:

Information risk management (IRM) is comprised of the policies, procedures, and technology one adopts in order to reduce...

Moving security forward: BitSight expands collaborative capabilities and data breadth in Security Ratings platform

BitSight is proud to announce the release of new features that provide expanded data breadth to all customers. These new innovations enable customers to better identify risks in third party networks and their own networks. Annotations, a...

The 5 W’s Of The New EU Data Protection Regulation Law

The GDPR: Who, What, Where, & When?

The European Parliament has recently voted to approve the long-awaited General Data Protection Regulation (GDPR). The bill was drafted in 2012 and passed with the EU’s Committee on Civil Liberties,...

GhostPush Android Botnet

GhostPush is an Android malware that was first discovered in September 2015. Once installed on a user’s device, it will display unsolicited advertising, and install unwanted applications on the user’s device. This malware is also known for...

Supplier Risk Management: Why & How To Address Cybersecurity

Due diligence when it comes to managing supplier risk isn’t a new thing. Most companies dig into a supplier’s finances, past performance, and legal history to determine if there’s potential for a business relationship. If you’re an...

Panama Papers: The Cybersecurity Risk Perspective

Touted as “history’s biggest data leak”—with over 2.6 terabytes of information compromised—the “Panama Papers” is one recent data breach that has drawn a great deal of press over the past few weeks. Over 11 million documents were leaked...

Mitigating Security Risk: 4 Supply Chain Strategies To Implement

You can’t prevent everything from threatening your data or your network. Any experienced CISO will tell you this flat out—adding that exploitation is simply a fact in today’s threat landscape.

But you can put a number of controls in...

6 Scenarios That Increase Your Vendor Risk

“We don’t ask our vendors about their cybersecurity efforts.”

This is not a statement you hear very often from many modern organizations. And if you do, it’s safe to say that they’re being highly negligent! In today’s threat landscape,...

Supply Chain Risk Management: Best Practices For Improved Cybersecurity

This is a two-part blog post. First, you'll discover supply chain risk management best practices for improved cybersecurity. In the second part, you'll read on to uncover 4 ways to address your cyber risk.

There are two distinct...

Analyzing 3 Major Data Breaches Of 2015

Some of the largest data breaches in history happened in 2015. Notable breaches on that list include PNI Digital Media, Anthem Insurance, and The Office Of Personnel Management. These three weren’t necessarily the top data breaches of last...

The 5 Pillars Of Cybersecurity In Financial Services

Financial services is a wide industry, encompassing banks, insurance companies, investment firms, analysts, consultants, and many more. We’ve found financial services to be one of the best performing sectors in terms of cybersecurity....

BitSight’s Event Store in Production

This is the final entry in a three-part series on BitSight’s new Event Store. In the first and second posts, we described some key components of the architecture. Because of the limited number of access patterns we had to support (bulk...

How To Lower The Risk Of A Bank Data Breach

The financial services industry is a leader in many aspects of cybersecurity performance and has set the standard in areas like vendor risk management. Why? Because risk is built into their culture. Inherent in the financial services...

Cybersecurity News: The 15 Best Places To Get Great Info

Reading the top cybersecurity blogs is, of course, one of the best ways to stay up on the latest news in the security industry. But while these niche blogs do often address news stories, most often they’re doing so while also interjecting...

17 Major Data Breaches From 2013 To 2015

It goes without saying that the following data breaches were incredibly damaging, both to the companies and to those affected. Each has resulted in some level of data loss, financial loss, and reputational harm. Below, we’re exploring what...

Mapping the Internet: Why High-Quality Company Asset Maps are the Foundation of BitSight Ratings

BitSight has an inventory of over 80,000 customer curated companies that can be instantly added to any portfolio. All rated companies have the capability to vet and provide feedback on all information within their asset map. This enables...

Cybersecurity Vs. Information Security: Is There A Difference?

“Is there a difference between cybersecurity and information security?”

How 400 Organizations Are Using BitSight Security Ratings in their Day-to-Day Processes

BitSight has grown tremendously over the last few years, and we’ve learned a lot about the many ways our customers are using BitSight Security Ratings. With over 400 customers (including 42 Fortune 500 companies) and 2,000 users from...

Analyzing Vendor Risk Tools: Vulnerability Scans, Penetration Tests & More

This is a two-part blog post. First, you'll discover 5 things to keep in mind when selecting a vendor management software. In the second part, you'll read on to uncover the pros and cons of the many vendor risk management tools that...

63,000 Personal Records Compromised in UCF Breach

Students and faculty from the University of Central Florida have filed a class action lawsuit alleging that the university failed to notify affected individuals of data loss resulting from a cyber attack in a timely manner. On February...

Why You Need A Vendor Management Policy

A vendor management policy is put in place so an organization can tier their vendors based on risk. A policy like this identifies which vendors put the organization most at risk and then expresses which controls the company will implement...

DROWN: Breaking Down The Latest TLS / SSL Vulnerability

A new security vulnerability in an older version of TLS / SSL was announced this week and has been named “DROWN” by its authors (Decrypting RSA with Obsolete and Weakened eNcryption). It’s estimated to affect up to 11 million servers using...

Top 3 Cybersecurity Metrics To Start Tracking

Creating a vendor risk management program is of utmost importance in today’s threat landscape. So if you don’t have a program in place already, you may be wondering where—and how—you should get started. One of the building blocks for any...

TaxSlayer Breach: Dissecting The Latest Cyberhack

Cyberhacks in the online tax software service and software realm have been extremely prevalent in the last year. In August of 2015, the Internal Revenue Service (IRS) revealed that hackers had gained access to sensitive information about...

Automotive Cybersecurity: A Sneak Peek At An RSA 2016 Presentation

Automotive cybersecurity wasn’t even thought about 15 years ago—but today, it’s a well-understood and critical problem. The crux of the issue is due to the fact that cars have hundreds of millions of lines of code, which are run by...

A Survival Guide To RSA 2016 For Vendor Risk Managers

The RSA conference—held annually in beautiful San Francisco—is one of the largest gatherings of security professionals in the world. (Last year’s conference hosted about 30,000 attendees!) This year, RSA will be held February 29-March 4;...

BitSight Insights: Risk Degrees of Separation

On October 15, 2015, UltraDNS experienced a technical issue that led to a widely publicized outage, bringing down websites for Netflix, Expedia, and others for over an hour. In a separate incident on April 8, 2015, Sendgrid, a cloud-based...

Locky ransomware, metrics and protection

Ransomware is a cash-in machine for criminals, and we have just spotted another one come alive this week. Since 16th February, the AnubisNetworks Labs team has been tracking Locky, a malware that, given the high volume of its distribution campaigns...

COBIT Vs. ITIL: Which Framework Works Best For Cybersecurity?

COBIT and ITIL are information technology management and IT governance frameworks, and both are popular around the world. They were created to provide management and guidance for IT services in businesses of all sizes.

Beyond Hurricanes: The 4th Party Side of Cyber Aggregate Risk

On August 24, 1992, Hurricane Andrew devastated South Florida and Louisiana, leaving a trail of destruction in its path. The estimated payout from insurance claims totaled $15.5 billion ($26.4 billion in 2015 dollars). Due to the...

3 Ways Using A Vendor Risk Assessment Template Alone Can Fail You

Vendor risk assessment templates are the starting block to creating vendor questionnaires. Typically, they’re comprised of a variety of questions, but the end goal for each is the same: to figure out how secure your vendor is.

The NIST Risk Management Framework: Key Things You Should Consider

Are you familiar with the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity”? It’s often referred to as the “NIST risk management framework.” The interesting thing about the...

2015 University Data Breaches

In 2015, many colleges and universities suffered substantial data breaches. In each case outlined below, universities lost personally identifiable information (PII) on thousands of individuals, from their student bodies to faculty and...

3 Information Security Risk Assessment Templates

If you’re in the beginning stages of building your comprehensive vendor risk management plan, you’re likely looking for something that will help you get started with your vendor risk assessments. That’s a big task—but it doesn’t need to be...

How Third-Party Risk Management Will Change In 2016

Over the last few years, we’ve seen many new regulations and legal requirements put into place around third-party risk management affecting a number of sectors. But even companies without legal requirements forcing them to examine...

Developing a Distributed Event Store: Avro + Parquet + Java Reflection

by Nick Whalen and Ethan Geil

BitSight collects, stores, and processes billions of security-related events every day. In our last post, we discussed reasons why we're moving our massive event store from HBase to S3. Today we’ll take a...

Third-Party Breaches Of 2015: What We Learned Over The Year

2015 has been fantastic for some companies—but for those who dealt with a third-party breach or cybersecurity issue, it was likely more difficult. If this happened to your firm in 2015, you’re not alone. Consider these four large incidents:

The Top 22 IT Security Blogs Of 2015

If you want to find out what’s happening in the world, you probably turn to your favorite news outlet. Maybe it’s your local paper or something more widely circulated, like the Washington Post or the New York Times. But if you want to find...

BitSight Insights: Peer-To-Peer Peril & File Sharing Risks

This is a two-part blog post. First, you'll discover the key findings in our latest BitSight Insights report titled “Peer-To-Peer Peril: How Peer-To-Peer File Sharing Impacts Vendor Risk and Security Benchmarking.” In the second part,...

What Is Information Risk Management?

If you search the term information risk management (IRM) on Google, you’ll likely come up with many lengthy explanations and definitions. And while you can learn more about IRM by searching the terms “NIST” and “800-53,” many of the...

Cybersecurity Metrics: Importance, Measurement, & Guidelines

This is a Q&A session with Ed Pollock, the Chief Information Security Officer at STERIS Corporation. Ed offers years of experience in the cybersecurity field and has offered some excellent advice about monitoring cybersecurity metrics.

9 IT Vendor Management Best Practices

You’ve likely heard your fair share of mortifying headlines around IT vendor management mistakes. Many of the highly publicized breaches in the last several years happened simply because the companies did not follow basic best practices...

Vendor Risk Management (VRM): A Full & Complete Definition

What is Vendor Risk Management?

Vendor risk management (VRM) is the practice of evaluating business partners, suppliers, or third-party vendors both before a business relationship is established and during the duration of your business...

IT Risk Assessment Template: 40 Questions To Ask Your Vendors

There are so many necessary steps involved in creating a solid vendor risk management (VRM) program. Since we understand how much of a time investment it is to get your VRM program up and running—and because we acknowledge that vendor...

Think You Can Avoid A Catastrophic Data Breach?

A sad truth about vendor risk management is that data breaches can—and will—happen to far too many companies. They are an unfortunate side effect of the digital world we live in today. But catastrophic data breaches are another story...

From the Server Room to the Board Room: Actionable Security Metrics

As we highlighted in a recent blog post, a diverse range of companies utilize BitSight Security Ratings to manage cyber risk. Many of our customers are actively using these ratings to manage vendor risks, screen mergers and acquisition...

Developing a Distributed Event Store at BitSight: Why We Are Moving Away From HBase

by Ethan Geil and Nick Whalen

Every day, BitSight analyzes billions of security events. Not only do we collect billions of new events per day; we also regularly re-examine all of our historical data, to provide security ratings for new...

Advisen Cyber Risk Conference 2015 Recap

BitSight attended the Advisen Cyber Risk Insights Conference in New York last week. This event brings together insurance underwriters, brokers and enterprise risk managers to attend panels on the growing cyber insurance industry and...

Why Historical Security Data Matters in Vendor Risk Management

In today’s cyber threat landscape, organizations must know how secure they are at any given time. One of the most important questions that security professionals and risk managers can ask is “how secure am I right now?”

How A Diverse Range of Customers Use BitSight

Cybersecurity has garnered the attention of executives and board members across the globe. Many boards are seeking security metrics to get a true understanding of how secure their company is, and how secure they are relative to industry...

Beyond Heartbleed, POODLE and FREAK: SSL Vulnerabilities Persist in Organizations

BitSight’s Annual BitSight Insights Industry Benchmarking Report looked at some of the major SSL vulnerabilities affecting organizations, including Heartbleed, POODLE and FREAK. BitSight’s analysis found that a sizeable number of companies...

Samsung / LoopPay Breach Illustrates Third Party Cyber Risks for Enterprises

Last week, it was announced that LoopPay (now a Samsung subsidiary) was the victim of a data breach. LoopPay’s technology is apparently central to Samsung’s mobile payment system, yet Samsung said the breach has not affected the Samsung...

OT/IT Convergence: Why Vendor Risk Matters to Energy and Utilities

BitSight’s Third Annual BitSight Insights Industry Benchmark Report: Are Energy and Utilities at Risk of a Major Breach? discussed the growing convergence of operational technologies (OT) and information technology (IT). In short, this...

3 Ways Industry Benchmarking Data Can Be Used in VRM Programs

Assessing the security performance of your vendors and third parties is crucial considering the amount of access to sensitive information we grant to these partners. However, for those assessments to be effective, and for you to actually...

New SEC Exams Emphasize Vendor Risk Management

Last week, the SEC issued a Risk Alert, announcing that they will continue to assess cybersecurity risk and preparedness among brokers/dealers, investment advisors, and other financial institutions. The release details several focus areas...

BitSight Insights: Are Energy and Utilities At Risk of a Major Breach?

Today BitSight published our third annual industry benchmarking report: Are Energy and Utilities At Risk of a Major Breach? This report illustrates the latest security performance of the Finance, Federal Government, Retail, Energy and...

Expect The Unexpected: Which Non-Obvious Vendors Have Access To Your Data?

There are obvious and non-obvious vendors, third parties, and contractors that have access to your data or your corporate network. The obvious ones are organizations that provide IT or technology services to you. Naturally, these...

From Framework to Application: Protect with BitSight

This is the third post in a series exploring how Security Ratings can address key components of the NIST cybersecurity guidelines. You can read the first post here and the second post here.

The Do's & Don'ts Of Sharing Sensitive Information With Vendors

No matter what industry you’re in, there is policy, as well as hundreds and thousands of laws that go into creating vendor risk management (VRM) programs. As such, there are plenty of resources dedicated to that very topic. You could...

Why Vendor Management Best Practices Should Be A Little More Risky

Prioritizing vendors based on risk is considered a vendor risk management best practice. But how do you do this? To start, let’s look at a commonly referred-to equation:

Risky Business Services: Who’s Accessing Your Corporate Data?

When most people think about mitigating cyber risk from their business service providers, they usually think of their banks, IT service providers, or their software manufacturers.

OPM is not alone: More Third Party Risk in the Federal Government

Last month, the Office of Personnel Management revealed the true extent of its mega data breach - 21.4 million Americans. This means that around 7% of all Americans are affected by this breach. Lawmakers are beginning to debate how the...

Vendor Risk Assessments: Why You Should Use An Industry-Standard Method

If you’re just starting out with Vendor Risk Management, you probably have a lot of questions about security. You might be wondering, “Which companies should be on my radar? Am I supposed to monitor all of my vendors, or just a few of...

How Often Should You Do A Third-Party Risk Audit With Your Vendors?

When you think of an audit, what comes to mind? If you’re at all familiar with the traditional auditing process, I’d imagine your answer would look something like this:

NAFCU Services Selects BitSight as a Preferred Partner

Today, we are pleased to announce that NAFCU Services has selected BitSight as a Preferred Partner, giving its member credit unions access to BitSight Security Ratings. The partnership is very timely: credit unions have been increasingly...

4 Industries That Should Be On Your 3rd Party Risk Management Radar

Your organization probably deals with handfuls (or maybe hundreds) of vendors. Whatever the case may be, having a comprehensive third-party risk management solution is the best way to protect yourself against cyber mischief.

From Public Dumpsters to Third Party Networks: The Evolution of Vendor Risk in the Retail Industry

Last week, Walmart Canada, Rite-Aid, CVS, and Sam’s Club were among the retailers to suspend their online photo operations due to a possible data breach of third party photo service provider PNI Digital (a Staples subsidiary). This is the...

10 Cybersecurity Thought Leaders You Should Be Following

In a recent Forbes Magazine article, contributor Larry Magid quipped, “Your cyber hygiene affects others.” We couldn’t agree more, and if you’re reading this article, you probably do, too. And, I’m sure you know that as more people gain...

Regulators Continue to Emphasize Third Party Cyber Risk Management

In recent months, we’ve seen a variety of regulators from Finance to Defense cite the importance of third party cyber risk management. You can now add the Federal Trade Commission to the list.

The 5 Mistakes You May Be Making With Your IT Risk Management

In business and in life, safety is always made a priority. From simple day-to-day tasks like wearing a seatbelt, to important business security decisions, prioritizing our safety and the safety of our families and valuable information is...

From Weight Loss to Security Performance: Finding the Indicators for Healthy Habits

When I was a young pup studying statistics, I remember reading about a study on weight loss that found three factors correlated with weight loss: weighing yourself daily, eating a good breakfast and having access to work out equipment at...

Vendor Risk: 1 Issue That's Too Critical To Overlook

If your organization outsources to vendors, you are probably involved in a lot of due diligence. You may be looking at and verifying credit checks, getting background reports, monitoring legal standings and litigation, ensuring that third...

From Framework to Application: Identify With BitSight

This is the second post in a series exploring how Security Ratings can address key components of the NIST cybersecurity guidelines. You can read the first post here.

Supply Chain Risk Management: 4 Ways To Address Your Cyber Risk

Handling cyber risk in your organization’s supply chain isn’t easy. This aspect of Supply Chain Risk Management is a complex problem that even highly sophisticated organizations—like the Department of Defense—struggle to address.

BitSight Series B Funding: Furthering Our Mission

Today, BitSight is excited to announce that we have raised $23 million in Series B funding. The additional funding will allow BitSight to keep hiring exceptional talent, as well as extend sales and marketing initiatives in Europe and in...

A Vendor Risk Management Questionnaire (With 10 Questions You Might Be Afraid To Ask)

Perhaps you and your company are at the beginning stages of implementing a vendor risk management (VRM) program—or maybe you’re just beginning to explore the idea.

Trends in Third Party Risk Management & Metrics: Insights from the 2015 Gartner Security & Risk Summit

Last week I attended the annual Gartner Security & Risk Management Summit in beautiful National Harbor, MD. The below photo was taken just before a big storm, but otherwise it was perfect weather.

BitSight Presents: "Twice as Likely" Video

In April, we published a report Beware the Botnets: Botnets Correlated to a Higher Likelihood of a Significant Breach. In this report, we found that companies with botnet grades of ‘B’ or below were more than twice as likely to experience...

Managing Vendor Security Risk Between Annual Assessments

In the majority of organizations, vendor risk management is still a highly manual process, making risk assessments a labor intensive exercise for all parties that are involved. This is why, at best, most vendor management programs only...

Risk Mitigation Services in Cyber Insurance Underwriting

Last week, BitSight co-sponsored a webinar with Advisen on the use of risk mitigation services for cyber insurance underwriting. Ira Scharf, GM of Cyber Insurance at BitSight, joined Tracie Grella of AIG and Neeraj Sanhi of Willis Group to...

How Quickly are you Detecting Network Intrusions?

Recent breaches making headlines all share a troubling characteristic. In each breach detailed below, the intrusions of company networks lasted months - or in other cases, even longer than a year. While no company is impervious to a...

Q&A with Stephen Boyer, BitSight's CTO and Cofounder

I received the following questions from an inquisitive undergraduate student eager to learn more about BitSight and security ratings. He posed excellent and insightful questions, and I thought that I would share our exchange in case others...

BitSight Achieves "Cool Vendor" Status in Gartner Report

The last few weeks have been a whirlwind of activities here at BitSight! Between attending and speaking at RSA, participating in the latest Verizon DBIR report, preparing for our session at FS-ISAC, announcing our new partnership with AIG...

Best Practices for implementing vendor security ratings

Recently we discussed three benefits for vendors related to their security rating, as we are asked about this often. We are also asked for best practices when communicating with your vendors about their security rating. We have many...

Why you should assess your vendor's security performance more than once a year

Third party breaches still account for a large percentage of security incidents. In fact, according to this year's Verizon DBIR report, in 70% of attacks where there was a known motive, a secondary victim was involved. These victims could...

Shared Assessments 2015: Trends in Vendor Risk Management

Vendor risk management professionals representing every industry gathered in Baltimore last week at the annual Shared Assessments conference. I am privileged to serve on the Advisory Board for Shared Assessments and found the conference to...

3 Ways Your Vendors will Benefit from Knowing their Security Rating

The idea of telling a vendor or potential vendor that you've rated their security performance can be a little daunting. If someone has never heard of a BitSight Security Rating, being told that another company has been monitoring their...

RSA 2015: Emerging Trends in Infosec

Last week San Francisco became the information security capital of the world for the 2015 RSA Conference. Around 30,000 attendees, mostly security professionals and vendors, descended on the Moscone Center for a week of discussion about...

AIG Partners with BitSight To Provide Cyber Insurance Diligence

Today AIG announced a strategic partnership with BitSight to recommend BitSight Security Ratings for Vendor Risk Management to CyberEdge customers. CyberEdge insureds can now benefit from the data-driven insights and continuous monitoring...

From Framework to Application: Security Ratings and NIST

This is the introductory post in a series exploring how security ratings can address key aspects of the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The purpose of...

READ MORE »

Security Ratings: Quality over Quantity (but here are the numbers)

Poor information security can lead to serious, public data breaches for companies and their customers. That's why BitSight Security Ratings are used by companies to evaluate and mitigate information risk. This risk applies to a company's ...

READ MORE »

Security Performance in the Utilities Sector: Steps for Progress

For years, it has been widely-known that the Utilities industry has struggled with cyber security in relation to other industries. In 2014, Unisys and the Ponemon Institute found that 70% of Utility companies surveyed around the world had...

READ MORE »

BitSight Insights: Beware the Botnets

Today BitSight published our most recent BitSight Insights report, Beware the Botnets; Botnets Correlated to a Higher Likelihood of a Significant Breach. Within this report BitSight has identified a solid correlation between botnet...

READ MORE »

InfoSec Breakdown: Latest Research Shows a Shift in Priorities

Recent reports and surveys show that organizations concentrated greater efforts toward cyber security in 2014 than they have in years past. Furthermore, cyber security has become a greater priority for IT professionals facing a variety of...

READ MORE »

Continuous Monitoring: 3 Keys to Government Success

In recent years, the US government has become a leading advocate for continuous monitoring of security threats and vulnerabilities. But how effectively are departments and agencies in implementing these programs? And how do we measure...

READ MORE »

How to Create a Cybersecurity Standard of Care

There has been a lot of debate recently about the role of senior executives and boards in managing cyber risk. If you’re involved in advising either of these groups today on cybersecurity, I urge you to focus on one thing: tugboats. 

READ MORE »

The Pros and Cons of Vendor Risk Management Tools

Earlier this month, it was discovered that Anthem denied a government auditor’s request to perform vulnerability scans on Anthem’s IT systems both in 2013, and for a scan this coming summer. This Data Breach Today piece details both why...

READ MORE »

Managing Vendor Risk Complexity: Insights from Financial Institutions

Earlier this week I had the privilege of attending the invitation-only BNY Mellon 2015 Third Party Risk Management Symposium. The keynote speaker was General Keith Alexander, former Director of the National Security Agency. General...

READ MORE »

How to Close the Cyber Insurance Coverage Gap

During a Feb. 10 gathering of the Federal Advisory Committee on Insurance (FACI) in Washington, D.C., Deputy U.S. Treasury Secretary Sarah Bloom Raskin highlighted the coverage gap that exists in the cyber insurance market. Raskin points...

READ MORE »

How Continuous Third Party Monitoring Can Improve Information Security

As cyber attacks via third parties become more commonplace, IT decision makers have put the spotlight on the cyber security of their vendors. According to data from a commissioned study, conducted by Forrester Consulting on behalf of...

READ MORE »

What Anthem Taught Us About Monitoring Information Security

In late January, Anthem announced that it had been breached, compromising data from 80 million people. It is the largest publicly-disclosed breach of a healthcare company.

READ MORE »

Monitoring SSL Vulnerabilities in Your Network

Microsoft has announced that it is removing SSLv3 support in both Internet Explorer (according to VentureBeat) and Azure Storage (according to Redmond Mag) on Tuesday, February 10. The company is not the first to stop supporting the...

READ MORE »

How the Internet of Things Affects Your Corporate Network

Almost every day there seems to be another story about the “Internet of Things" (IoT). More and more “things” are being equipped to send and receive information over the internet. It might be fun to have your running shoes connecting to...

READ MORE »

How the State of the Union Will Affect American Information Security

In his 2015 State of the Union Address, President Barack Obama mentioned the importance of improving America's cybersecurity and what he believes it will take to make it happen. Below is a review of the most interesting statements and...

READ MORE »

BitSight Announces New Enterprise Integrations in Security Ratings Platform

BitSight is committed to showing organizations how to implement Security Ratings data throughout their risk and security operations. We have added new features to make it easier for our customers to extract our Security Ratings data to use...

READ MORE »

Managing Security Risk in Mergers & Acquisitions

Every year, companies spend billions of dollars on mergers and acquisitions. (The value of worldwide M&A deals in 2014 totaled $3.5 trillion.) Managing risk throughout the process is an important element of any merger, but there's one area...

READ MORE »

3 Ways Cyber Insurance Will Improve Security Performance

In 2014, Cyber Insurance saw record growth. In fact, in a recent white paper from Advisen, their buyer penetration index showed a five-fold increase in insurance purchases from 2006 to 2013, demonstrating that many organizations have...

READ MORE »

A Data-Driven Approach to Vendor Risk Management

Third party risk has become a hot topic throughout 2014, with no signs of slowing down in 2015.  The WSJ highlighted high-profile breaches stemming from a vendor here and here, and the OCC issued more third party risk guidance.  Steve...

READ MORE »

2015 Information Security Predictions Round-up

It's the time of year that every media outlet talks about predictions and resolutions. We've compiled a list of the most interesting and/or relevant information security predictions for 2015 and added a few of our own, courtesy of BitSight...

READ MORE »

BitSight Bits: How to Prove that Security Ratings Work

During last month's FS-ISAC webinar, Home Depot, the SEC and Increasing Board Oversight: Why Metrics Matter More and More, BitSight CTO and Co-Founder Stephen Boyer answered questions from attendees about why using IT security metrics is...

READ MORE »

How You Can Avoid Becoming the Next Sony

As you've heard by now, Sony Pictures suffered a major breach in November, and is still feeling the consequences of it. The FBI warned that other companies could be attacked with similar malware, but that isn't the only reason you should...

READ MORE »

Cyber Security News Round-Up: More Legislation, Guidance for Banks

Cyber security in the financial services industry was a hot topic last week.  Below is a round-up of big stories affecting banks and creditors.

READ MORE »

BitSight Bits: Quantifying Security Performance

During last month's SANS webinar, Quantifying Security Performance: The What, Why and How of Security Ratings, BitSight CTO and Co-Founder Stephen Boyer answered questions from attendees. Here are some of the most interesting questions...

READ MORE »

Poodle is Back! TLS Targeted by New Vulnerability

Last October the world was alerted to Poodle, a vulnerability on websites and servers running SSL 3.0. Acting as a "man in the middle," would-be attackers could compromise the secure connection between a browser and a website, and inject ...

READ MORE »

BitSight Expands Breadth and Transparency of Security Ratings

BitSight has released new capabilities and features in the BitSight Security Ratings portal to widen the data breadth offered to customers and give more detailed, granular performance analytics on specific risk vectors. These changes are...

READ MORE »

Are Third Parties to Blame for Poor Security Performance in the Retail Industry?

Today, we released a new study on retail industry security performance — just in time for the holiday shopping season! Considering all of the retail breaches that occurred over the last 12 months, we wanted to find out if retailers had...

READ MORE »

Advanced threats, increased regulations and board involvement: How credit unions can prepare for cyber risks

Credit unions are facing increasing numbers of cyber attacks according to a survey for NAFCU’s October Economic & CU Monitor. This survey found that nearly 84% of respondents were operationally impacted by a local data breach within the...

READ MORE »

The Data Breach is Over... let the Phishing Begin!

Last week it was revealed that more than 53 million email addresses were stolen as part of the Home Depot breach discovered last September. Combined with the 76 million email addresses stolen in the JPMC data breach in June, we're talking...

READ MORE »

What You Can Learn from the JPMorgan Breach

Ever since the JPMorgan Chase breach was made public, companies have been watching closely to see the aftermath, the bank's course of action, and any best practices that may be developed as a result.

In this post, I've highlighted some of...

READ MORE »

How CISOs can Earn a Seat in the Boardroom

It’s been a slow but sure evolution for the modern-day CISO. When the position made its debut in the corporate world, the CISO was a firefighter, constantly battling security issues as they arose. CISOs were usually hired only after a...

READ MORE »

AnubisNetworks Acquisition and the Future of Security Ratings

Yesterday, we announced our acquisition of AnubisNetworks, a Security Intelligence company in Portugal. We examine the purchase from both companies' perspectives, get an outside opinion from Network World and explain how the move will...

READ MORE »

Poodle and the Third Party Perspective: How Can Businesses Verify Security Diligence In Their Extended Ecosystem?

Third party breaches have become a common occurrence in the last year. From Target to Home Depot and Goodwill, major organizations have been compromised from vulnerabilities present in their extended network ecosystems. Compounding fears...

READ MORE »

Shellshock Part II: Are Your Third Parties or Vendors Vulnerable?

Last week we wrote about how to assess your risk and reduce your exposure when it comes to Shellshock.  While all other products and vendors are helping customers discover Shellshock within their own environment, we uniquely help customers...

READ MORE »

BitSight Announces New Security Ratings For Cyber Insurance Product

As data breaches continue to pose a major financial and reputational threat to businesses, transferring these risks through cyber insurance has become an increasingly attractive option. Demand is skyrocketing, leaving insurers to figure...

READ MORE »

Avoiding Shellshock: Assess Your Security Risk & Reduce Your Exposure

The security community is abuzz with the news of the latest vulnerability to sweep the internet.  Early yesterday morning, details about the Bash security bug, also called Shellshock, started to emerge, putting companies on high alert...

READ MORE »

How do major data breaches affect cyber insurance?

There is no denying that cyber security issues have captured headlines over the course of the year. From the highly public Heartbleed bug to major data breaches affecting some of the largest names in business, there has been increased...

READ MORE »

What Do Boards Need to Know About Third Party Risk?

ISACA and the Institute of Internal Auditors (IIA) recently released a report emphasizing the board’s role in overseeing security risk management. In particular, the report mentioned management of third party risk, arguing that boards...

READ MORE »

Setting Standards: Benchmarking Security in Higher Education

Data breaches at higher education institutions are becoming more and more common, putting them near the top of the list of industries most affected by cyber security risks. Hackers target .EDU networks because they tend to be left wide...

READ MORE »

BitSight Insights: Powerhouses and Benchwarmers

Assessing the Cyber Risk of Collegiate Athletic Conferences

It is no secret that America's colleges and universities hold a wealth of personal and sensitive information that is frequently targeted by cybercriminals, as evidenced by some...

READ MORE »

Why are America's colleges a prime target for cyber criminals?

The last couple of years have been tough on higher education systems in terms of cyber security. In 2012, in particular, there was a near-record-high number of data breaches, with nearly two million exposed records reported. The following...

READ MORE »

Performance Measurement and the Cyber Security Mindshift

The other day, I received yet another email asking, "How much cyber security is enough?" You probably recognize this message, and see similar phrases on a regular basis. It's a really interesting question and something that a lot of people...

READ MORE »

How can the SEC become the primary regulator of corporate cyber security?

In 2011, the SEC issued a set of disclosure guidelines that told companies to disclose any potential cyber risk, possible effects of that risk, as well as the status of internal controls and risk management procedures in place. It was a...

READ MORE »

Months After Target Breach, Retailers Still Leaving Data at Risk

On July 21, 2014, Brian Krebs (once again) broke the news of a potentially major retail breach. Goodwill Industries and its 165 independent agencies across North America appear to be the most recent victims in the seemingly plagued retail...

READ MORE »

Putting Preparedness in Context: Comparing Your Security Performance to Other Companies in Your Industry

David Burg, Principal at PriceWaterhouseCoopers, said recently that businesses are moving beyond mere compliance when assessing their security postures. Today’s companies now view outstanding security performance to be a major competitive...

READ MORE »

The SEC emerges as a vocal proponent of cyber security

Proposed cyber security legislation, notably bills relating to a federal data breach notification standard, has been slow moving in the halls of Congress. While measurable progress has been made on some legislative pushes -- recently...

READ MORE »

Utilizing BitSight Security Ratings for Enterprise IT Risk Mitigation

Businesses need to adapt to a constantly changing risk landscape to address increasingly dangerous cyber threats. Recent ESG analysis shows that 49% of enterprise organizations suffered from a successful malware attack in the past 24...

READ MORE »

Boards Struggle With Measuring Security Performance - Are Security Ratings the Answer?

Over the past few weeks, there have been several discussions on the presence of cyber security in the board room, and the challenges boards are facing when it comes to mitigating security risk.

READ MORE »

Data Driven Security Podcast: Measurement & Security Performance

On June 22, 2014, BitSight CTO and Cofounder Stephen Boyer (@SWBoyer) joined Bob Rudis (@hrbrmstr) and Jay Jacobs (@jayjacobs) on their Data Driven Security Podcast series.  This conversation was long in the works, and something we were...

READ MORE »

Webinar: Benchmarking Security Performance with Industry Security Ratings

As executives and corporate boards are increasingly being called upon to act on cyber security issues, security practitioners need new tools to better communicate performance to upper level management. Benchmarking, a tool used by...

READ MORE »

SEC places security on the board agenda

Comments by Securities and Exchange Commission official, Luis Aguilar, further fueled the debate about the role of the corporate board in addressing cybersecurity risk.  The board already has a risk oversight responsibility, so in theory...

READ MORE »

An Update on Data Breach Notification

In a previous blog post, we outlined federal initiatives to pass a data breach notification law that would simplify the current myriad of state regulations. In the wake of the Target and Neiman Marcus data breaches, legislators and...

READ MORE »

Three Ways to Benchmark Security Performance

Companies are spending more and more on IT security. A recent report by Canalys found that the worldwide IT security market will grow 6.6% annually, becoming a $30.1 billion dollar industry by 2017. This increase in spending may have...

READ MORE »

Compliance: The Danger to Security Performance of Just Going Through The Motions

Merely doing things out of habit can be a risky thing to do. Such as when we just go through the motions when completing tasks – tasks we do so many times that muscle memory or our subconscious take over and put us in autopilot.

Doing...

READ MORE »

Three Steps to Reduce Your Security Risk

It may sound trite, but it's true; for organizations today, being breached is no longer a question of if, but when. In our recent analysis of security performance in the S&P 500, BitSight saw over 80% of the nation's largest organizations...

READ MORE »

Will Healthcare Be the Next Retail?

Today BitSight released a new BitSight Insights Report. Our objective in publishing these reports is to share findings from analysis conducted on the terabytes of security-incident data we gather on a daily basis. Due to our unique...

READ MORE »

Investors DO Care About Data Breaches

I just read a good article with a controversial title by Eric Chemi in Business Week, "Investors Couldn't Care Less About Data Breaches." Chemi asserts that based on the current stock behavior of eBay and the prior stock activity of...

READ MORE »

Vote for BitSight in the Advisen Cyber Risk Awards!

BitSight is very excited to announce that we've been nominated for an Advisen Cyber Risk Award for Cyber Risk Innovation of the Year.

READ MORE »

FS-ISAC Recap: The Evolving Role of the CISO

Security professionals in the financial industry shared lessons learned from the past year and discussed challenges facing them in the coming year at the recent 2014 FS-ISAC & BITS Annual Summit. Topics ranged from malicious insiders and...

READ MORE »

PCI DSS version 3.0: Third time is a charm for third party risk

Any time now, the Payment Card Industry Standards Council Third Party Security Assurance SIG is expected to release its guidance to merchants, service providers, and banks on third-party service provider assurance for Requirement 12.8 of...

READ MORE »

Measuring Security Performance: Is Target more or less secure?

As a result of their major data breach late last year, Target has undergone a major house-cleaning to signify to the market just how seriously they are taking cyber security.

READ MORE »

The Inevitability of Security Risk in the Board Room – Steinhafel is dead, long live Steinhafel

Originating from the French proclamations of Charles VII’s ascension to the throne after the death of Charles VI, “The King is dead, long live the King” speaks to the inevitability of succession. It is now not a stretch to think about the...

READ MORE »

New Methods for Assessing and Mitigating Security Risk

Businesses often undertake a check-box approach to cyber security by purchasing security products, meeting compliance standards and performing quarterly or yearly audits. While these methods have proven value, they are often not enough....

READ MORE »

Discussing Third Party Risk Management in the Healthcare Industry

Healthcare security and how updated HIPAA/HITECH Act regulations are changing the nature of risk in that industry are hot topics right now. "The rules have made it easier for organizations to have penalties levied against them because of...

READ MORE »

Breach Notification: Even Those Who Know, Don’t Know Enough

Since California became the first state to enact a security breach notification law in 2001, 46 states and the District of Columbia have enacted similar disclosure laws.  These laws follow similar basic tenets that “companies must...

READ MORE »

Cyber Insurance: Looking at Third Party Risk

The tremendous growth in cyber insurance is being fueled in part by the desire of companies to cede some of the risk of a cyber breach to insurers.  In many cases insurers are eager to take on this risk – provided they can objectively...

READ MORE »

BitSight Bits: Measuring and Mitigating Risk with Security Ratings

Last week Stephen Boyer, CTO and Co-Founder of BitSight, and Oliver Brew, VP of Professional, Privacy and Technology Liability at Liberty International Underwriters, hosted a webinar titled, "Security Ratings: A Big Data Approach to...

READ MORE »

Arts and Craftiness: Data Breach at Michaels

I LOVE shopping at Michaels. It allows people of all ages to express themselves. From paint by number kits, to beads and professional grade oils and varnishes, Michael’s sells products that allow us to, as Pablo Picasso said, “wash away...

READ MORE »

Interest in Financial Services Third Party Risk Rising

There’s certainly been a lot of talk about third party risks recently. There’s been the fallout from the Target breach, and the role a subcontractor played in that incident. Then there was the U.S. Department of Homeland Security incident,...

READ MORE »

BitSight Reacts to Cyber Security Topics in the News

As major stories about information security risk continue to capture the attention of the news media, BitSight has become a part of the national conversation on cyber security. We have been featured in both local and national publications...

READ MORE »

Hearts Bleed Over Latest SSL Vulnerability

On April 7, the open-source OpenSSL project issued an advisory regarding a critical vulnerability identified as CVE-2014-0160 and called “Heartbleed.” This flaw, which takes advantage of OpenSSL’s heartbeat feature, has been present in...

READ MORE »

Security Ratings: A Big Data Approach to Mitigating and Measuring Risk

In the past year data breaches have become a fixture on the news cycle. The major breaches across multiple industries have also caught the attention of business leaders, with a recent study noting that CEOs and senior executives rank cyber...

READ MORE »

Our Reach (Usually) Exceeds Our Grasp

In his insightful book that was published in 1984, "Normal Accidents", Charles Perrow lays out how many modern complex and/or interconnected systems designed by humans fail in myriad ways due to causes that were either not anticipated or...

READ MORE »

Make Risk Management More Effective with Security Ratings

Today many organizations take a check-box approach to network security. By purchasing security products, meeting compliance standards and performing audits, businesses gain some insight into their security posture and those of third...

READ MORE »

A Q&A with the authors of Data-Driven Security: Analysis, Visualization and Dashboards

If you want to know what the state of the art is when it comes to using data to help secure systems, no analysis would be complete without speaking with both Bob Rudis and Jay Jacobs, co-authors of Data-Driven Security: Analysis,...

READ MORE »

Fatal Attraction: How Optimism Bias Extends to the Third Party

Our recent BitSight blog post Cyber Security Risk: Perception versus Reality in Corporate America resonated with many in the infosec community and was even picked up by WIRED’s Innovation Insights and cited in a Forbes article by Howard ...

READ MORE »

Managing Third Party Security Risk in the Critical Infrastructure

There’s no shortage of challenges when it comes to securing the critical infrastructure. These are very complex, interconnected systems, and highly motivated, potentially well-trained and funded adversaries target them. And should critical...

READ MORE »

Why a Proactive Approach to Vendor Risk Management is Necessary

When third party vendors, partners, processors and contractors find out about a breach of your customers' data, do you know what their notification practices are? Would you be surprised to know that almost a full third of them probably...

READ MORE »

RSA Recap: Will National Standards Help Reduce Security Risk?

Last week I had the opportunity to be in San Francisco for the RSA conference and Metricon 9. The discussion at the conference and what is now coming out in news reports is that this was the largest RSA event to date in terms of attendance...

READ MORE »

Cyber Security Risk: Perception vs Reality in Corporate America

In February, BitSight released a new BitSight Insight examining the cyber health of the U.S. economy and found that 82% of the 460 companies assessed had an externally observable security compromise in 2013. Examples of security events...

READ MORE »

Washington moves on Data Breach Notification Standards

At BitSight, we’ve taken interest in the need for transparency and the ripple effects of major data breaches following the recent data loss events hitting major US retailers. Many security experts, including our own CTO Stephen Boyer,...

READ MORE »

Security Ratings: An Objective Risk Metric for Cyber Insurers

Cyber insurance is one of the fastest growing segments in the insurance industry.  With the tremendous increase in data breaches companies are looking for insurance products to cover them in the event of a loss. As reported in a recent ...

READ MORE »

Third Party Risk Management Becomes a Topic of Interest at RSA

Before the legions of attendees descend on San Francisco for the RSA conference next week, I wanted to take a minute to share three sessions that may be of interest! If third party risk management is an area of concern for you, clear your...

READ MORE »

Is PCI-DSS effective for security risk management?

As we noted in an earlier post, businesses and organizations are tasked with meeting the new compliance standards of the Payment Card Industry (PCI) Standards version 3.0 in the coming months. While these standards are meant to serve as a...

READ MORE »

Email Security Best Practices: How To Avoid SPF Misconfiguration

The threat from malicious email represents one of the greatest risks to IT security. The Messaging Anti-Abuse Working Group (MAAWG) identifies 85% of incoming mail as abusive or malicious.  One of the best practices to curb this risk is...

READ MORE »

How Strong is the Cyber Health of the U.S. Economy?

With the headlines these days filled with news of data breaches - Target, Neiman Marcus, Michaels, to name a few - cyber security is now top of mind among Americans. We know that today every business faces cyber risk, but just how are U.S....

READ MORE »

Why Third Party Risk Questionnaires Lead To A False Sense of Security

As it appears now, the entire Target breach may be the result of a compromised heating, ventilation, and air conditioning subcontractor that had worked for Target and many other retailers.

According to KrebsonSecurity.com, “Sources close...

READ MORE »

Regulators Put More Emphasis on Third Party Risk Management

With so much of today's business processes dependent on a complicated network of suppliers, contractors, and service providers, the problem of determining liability for data privacy and protection is quickly coming to a head. When...

READ MORE »

Breach Reporting & The Need for More Transparency

Fact: due to inconsistent breach regulation and reporting standards, when a breach occurs, consumers and businesses can't assume that they will always be notified.  

READ MORE »

Cyber security, risk and privacy hot topics at 2014 World Economic Forum

Once a year, political leaders and business executives gather in Davos, Switzerland to discuss political and economic issues of global importance at the World Economic Forum (WEF).  This meeting occurred last week, and I was pleased to see...

READ MORE »

Target Breach Investigation Shows Tangled Web of Third Party Risks

As more and more details surrounding the Target breach continue to unfold, it's becoming evident just how complicated it can be for investigators and journalists to follow the trail of evidence left behind. The latest reports suggest that...

READ MORE »

Addressing Third Party Risk Management in PCI DSS 3.0

On January 1, several of the new compliance standards of the Payment Card Industry Data Security Standard v. 3.0 (PCI DSS 3.0) became effective. These standards were issued in order to ensure that businesses are utilizing best practices to...

READ MORE »

The Ripple Effect: Impact of Target’s Data Breach is Felt Throughout the Partner Ecosystem

Many of the facts surrounding the Target breach still remain unclear, even as details continue to emerge publicly. We still don’t know what the final tally of breached organizations will be, but the list keeps growing. In addition to who...

READ MORE »

Security Success is Found When Continuously Measuring the Right Things, Across Your Ecosystem

Security monitoring and measuring needs to be expanded to trusted third parties; here’s why. 

When it comes to securing sensitive data from attack, there’s certainly no lack of evidence that current tactics are falling short. This is...

READ MORE »

Target and Neiman Marcus Are Not Alone: Malware Abounds in the Retail Sector

The past few weeks have been full of news regarding cyber attacks in the retail sector. First Target, and then Neiman Marcus. Now news outlets are reporting that three other well-known retailers may announce breaches that occurred in the...

READ MORE »

Risk 101: Using Data to Better Understand Information Security Risk

The answer to the question of how organizations can evaluate information security risk depends on how we first think about risk in cyberspace. Good security risk management is a combination of data, processes, technology, and education....

READ MORE »

Target & Neiman Marcus: Security Ratings Uncover Decline in Security Posture of U.S. Retailers in Q4 2013

In light of the recent news of retailers being attacked late last year, we at BitSight looked into our Security Ratings (an external measure of a company’s security posture) to gain some insight into these attacks. In our November 2013...

READ MORE »

Risk Universe Explores Vendor Risk Management with Mike Duffy

With increased emphasis on third party risk management coming down from regulators and executive boards alike, cyber risk in the extended enterprise is shaping up to be a hot topic in 2014.

BitSight board member Mike Duffy recently...

READ MORE »

On-Demand Webinar: Managing Information Security Risk in Your Partner Ecosystem

Serious network threats, including botnets, malware and phishing attacks put businesses at risk of costly and damaging data breaches every day. But bolstering internal network security is not enough to ensure the protection of valuable...

READ MORE »

Venky Ganesan on BitSight and the Target Breach

On December 20, 2013, soon after news of Target’s data breach broke, Venky Ganesan (Managing Director at Menlo Ventures and BitSight Board Member) talked about BitSight on CNBC. When asked about cutting edge technology in the cyber risk...

READ MORE »

Happy Holidays from BitSight Technologies

'Tis the season for joy, cheer, and lots of reflection!

Here at BitSight, we wanted to take a minute to thank our friends, family, investors, advisors, customers and employees – basically, everyone who has helped us along the way!  2013...

READ MORE »

OCC Guidance: Ongoing Monitoring is Critical for Third Party Risk Management

In October, the Office of the Comptroller of Currency (OCC) issued new guidance for banks regarding third party risk management, listing one of their reasons for issuing these guidelines as failure by the banks "to perform adequate due...

READ MORE »

The Third Party Risk Perspective: JPMorgan Chase UCARD Data Breach

Earlier this month, tech security blogs and mainstream news outlets reported on a large data breach that affected banking giant JPMorgan Chase. During the event, which lasted from mid-July to mid-September, the personal information of...

READ MORE »

UPDATED: So many vendors ... but who's to blame for the breach?

The local news is abuzz with a story of Boston convention attendees being victims of a credit card data breach.  The impact is small -  only about 300 people have been affected - but there seems to be a lot of finger pointing and shuffling...

Mapping Data to Get "A Different Perspective" for Security Ratings

I'm excited to announce the release of another great BitSight Insights report! In A Different Perspective, Stephen Boyer, BitSight's CTO and Co-Founder, provides some insight into a key component of our security ratings process: our IP...

More thoughts on the BitSight Industry Security Effectiveness Report

In late November, we released the first of our quarterly BitSight Insights reports, in which we analyzed the security effectiveness ratings for 70 Fortune 200 companies in 4 key industries: technology, finance, energy and retail. We...

Shaun McConnon on Compliance & Security Risk

On November 20th, BitSight CEO Shaun McConnon was published by the Risk Management Monitor. His article, "Looking Beyond Compliance When Assessing Security" explores how risk managers can take a more comprehensive approach to mitigating...

Security Effectiveness Ratings Provide Insight Into Performance of Key Industries

A lot has been said about the state of information security; vendors frequently release new reports highlighting their findings and analysis. Some focus on incident volumes and geographical trends, while others look at attack vectors and...

BitSight included in NetworkWorld list of 12 hot start-ups

It's not every day your company gets called "hot", but this week, BitSight was excited to learn we made the cut on NetworkWorld's list of "12 Hot Security Start-ups to Watch."

With Supply Chains, Transparency Only Goes So Far

‘More transparency’ is a mantra for global companies worried about how the next tsunami or popular revolution might disrupt their supply chain. But transparency only goes so far, and it typically omits critical information on cyber risk.

Security Needs To Open The Drapes

We live in an era of rapidly increasing transparency. There is little doubt that access to information, which had once been inaccessible and restricted, is now a few clicks away. This transparency is in many ways a byproduct of the...

Are you aware of the security risks in your partner networks?

Earlier this year, The Ponemon Institute published a report that we at BitSight have referenced many times. The report is called "Securing Outsourced Consumer Data" and discusses the results of a survey of 748 organizations who share...

How do you build the information security workforce of tomorrow?

A recurring topic of discussion in the news has been the shortage of available talent in the information security industry. As an adjunct professor at Northeastern University and the Director of Operations at BitSight, this is an area I’m...

Thoughts on the Future of Security Risk Measurement from SIRACon

Having just returned from my first SIRACon, I'd like to take a few moments to record my thoughts. Overall, the conference was fantastic. The talks were superb and the small size allowed me to rub shoulders with most everyone. Thinking back...

Cyber Risk Emerges as an Independent Category of Enterprise Risk Reporting

This post is contributed by guest blogger Michael Duffy, a member of BitSight's Board of Directors. Michael is the former president and CEO of OpenPages, a leading provider of Enterprise GRC Solutions acquired by IBM in 2010.

Weekly Security Risk Management News Round-Up - 10/14/13

When Companies Are Hacked, Customers Bear the Brunt. But Not for Long.

This article from the New Republic examines two lawsuits that question who is liable for a breach caused by a third party.

Lessons From the BPP: Frequent Measurement Yields Invaluable Insights

When it comes to accurately quantifying the state of security in any given organization, time is such a precious commodity. Threats and internal configurations change so rapidly that it can be tough to zero in on a solid read of a risk...

Webinar: Managing Information Security Risk in Your Partner Ecosystem

I'm excited to announce that BitSight has partnered with iSMG for a webinar series beginning in October! Securosis analyst and president Mike Rothman will present alongside BitSight CTO and Co-founder Stephen Boyer.

Weekly Security Risk Management News Round-Up - 9/30/13

More security and risk news from around the web for the week of September 30, 2013.

In Search of Useful Models

I was in graduate school when I first heard the well-known quote by statistician George Box: “Essentially, all models are wrong, but some are useful."

Weekly Security Risk Management News Round-Up - 9/23/13

This week was full of BIG stories in the security and risk management space. Below is a summary of some of the news and blog posts you may have missed.

Data Broker Giants Hacked by ID Theft Service

Perhaps the biggest story of the week;...

Security Risk Management in the Extended Enterprise

Earlier this month, BitSight licensed a white paper by Mike Rothman, president and analyst at Securosis. The paper, "Threat Intelligence for Ecosystem Risk Management," discusses challenges organizations face in trying to assess the...

Building CISO Relevance Through Metrics

This post is contributed by guest blogger Eric Cowperthwaite.

One of the frequently repeated phrases that I've heard over the years in the security conference circuit is "CISOs need to earn a seat at the executive table." At this point...

Weekly Security Risk Management News Round-Up - 9/16/13

Below is a summary of risk management and security news you may have missed this week.

Hidden Lynx – the hackers for hire who compromised a security firm

Graham Cluley dives into findings from a recent Symantec study revealing information...

Security Risk Management: Should You Take A Reactive or Proactive Approach?

In a world of evolving threats, executives are faced with the challenge of deciding whether to allocate scarce security resources in proactive investments that may prevent attacks or in reactive investments in response to security...

My Journey from Security Intelligence to Security Risk Management

The past few days have been amazing. First of all, the response to the launch of our first service - BitSight Partner SecurityRating - has been great. It is rewarding to see our hard work validated. Secondly, I can finally talk publicly...

How is Partner Security Risk Being Managed Today?

Partner security risk is an important topic in the minds of risk officers today. With the number of companies being breached via third parties on the rise (New York Times, Bank of America, Twitter), this is clearly a big area of concern...

Where is the science in security risk measurement today?

Security risk management today is both an art and a science. But, as I mentioned in my last post, "The Current State of Security Risk Management," it needs to be more of a science. In this post, I will examine some of the current efforts...
