Best Practices for Cybersecurity Awareness Month with Stephen Boyer

October was Cybersecurity Awareness Month, which gave companies the opportunity to thoroughly examine their security and risk programs and identify where they can strengthen security practices. A Bitsight, we talk about risk management every day. We sat down with our Co-Founder & CTO, Stephen Boyer, to talk about the significance of having a risk-aware organization and proactive ways security ratings can help with risk management.

Q&A with Stephen Boyer

When we think about cybersecurity awareness, where do security ratings fit into the picture?

At Bitsight, we know that responsibility for cybersecurity belongs to everyone, from our executives to our sales team. The process of proactively mitigating cyber risk within your organization isn’t something that happens in a day; it requires of a culture of cyber risk awareness at your company where every employee takes responsibility for their security practices.

Security ratings help address this problem — they are objective, quantifiable assessments of your company’s cybersecurity performance based on externally observable risk factors. Ratings give an organization visibility into its security posture by examining specific risk vectors like machine compromises, patching cadence, and exposed vulnerable services. Once the measurements are made and communicated, specific investments and action plans can be put in place to make improvements.

This month focused on cybersecurity awareness. As a starting point, where can organizations begin when laying the groundwork for a successful risk management program?

Security awareness starts with creating a culture of cyber security responsibility within your company. Employees need to be able to see the results of their actions or non-actions, and there needs to be some level of visibility into the effects of security awareness training. Without some sort of understandable metric, employees may not always see the negative impact or benefits of adhering to best practices. Security ratings can help provide that visibility by showing security progress and emphasizing transparency within the company.

Moving forward, what are some best practices organizations can put into effect to make sure they are proactively mitigating risk within their business?

There are several things that companies can do to help reduce risk across their business ecosystem. I wrote about many of them here.

1. Double down on the basics
2. Invest in employee training
3. Watch and secure the supply chain
4. Work as a team

Historically number 3, securing the supply chain and managing third-party, or vendor, risk, hasn’t had the importance that it has today. Given the growing attack surface and the increasing dependence on service providers, the risk profile has changed dramatically in the past three years.

Businesses partner with and rely on hundreds or thousands of vendors for critical business functions. These partners are an extension of their business and in many scenarios the security performance of those partners needs to be as good as their own. We are observing that attacker target larger organizations through smaller and often lower performing vendors. Attackers have learned that going after the weakest link is often the most effective and easiest route into a company that has implemented its solid security controls.

As more organizations become increasingly dependent on service providers to do business, they must account for the increased risk exposure that those relationships present. These risks are dynamic and complex must be continuously monitored, mitigated and managed. Bitsight Security Ratings help organizations gain the visibility and capability required to take action and move at the speed of business while effectively managing the risks. Get your free security rating and find the gaps in your security program.

Download our ebook for more tips on how to create a culture of cyber risk-awareness in your organization.