Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Slicing through CISA’s KEV Catalog
![Blog Image KEV Research Announcement](/sites/default/files/styles/cta/public/2024/05/01/Blog%20Image%20KEV%20Research%20Announcement.png?itok=dUMFV8Tg)
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
![The Big Data Breaches of 2020: What Happened and What Did We Learn?](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_218372422_1.jpg.webp?itok=hSp_Bj_y)
Not to be forgotten during the chaos that was 2020 were the massive cybersecurity breaches that directly impacted some of the country’s largest businesses and their customers. Let’s take a closer look at four of the big data breaches of 2020 — and what we can learn from these incidents to avoid a repeat of similar events in 2021.
![Is Single Sign-On Secure? SSO Benefits for Remote Work](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_1341139622_2.jpg.webp?itok=_x5HUMlj)
Remote work has always introduced unique and evolving cyber risks. In our “new normal” operating environment, where entire workforces have gone remote, IT security teams are facing an unprecedented challenge.
![2021 Cybersecurity Trends: BitSight Predicts the Top 3](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_1814356268_1.jpg.webp?itok=XYqpH1va)
2020 was a transformative year that blew all predictions out of the water. As we look ahead to 2021, we will continue to see the repercussions of this year’s events.
![Use the right cybersecurity analytics to make a business case for risk management](/sites/default/files/styles/4_3_small/public/migration/images/Use%2520the%2520right%2520cybersecurity%2520analytics%2520to%2520make%2520a%2520business%2520case%2520for%2520risk%2520management_1.jpg.webp?itok=2PNqWuUF)
Not long ago, corporate executives would give only passing thoughts to their organization’s cybersecurity postures. Leadership and board members would take notice in the wake of a major data breach, for example, or a couple of times a year as a “check the box” exercise to maintain compliance with regulations. Overall, however, cybersecurity analytics didn’t really garner much attention.
![A response to Security Ratings - Love, Loathe or Live With Them](/sites/default/files/styles/4_3_small/public/migration/images/Blue_background_numbers_1.jpg.webp?itok=heBnReDb)
A week ago (which seems like a world ago given everything that has happened with SolarWinds), Phil Venables, formerly CISO of Goldman Sachs and now CISO of Google Cloud, posted an interesting exposé on security ratings. Phil has a better perspective than most on the value and challenges of ratings, not only because of the positions he has held but also because he is one of the authors of the Principles of Fair and Accurate Security Ratings. These principles also guide how Bitsight thinks about our rating overall.
![What Cybersecurity Questions Your Report Should Answer | BitSight](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_734785402_2.jpg.webp?itok=JYUjrQP0)
Boards are increasingly looking at cybersecurity as a crucial part of the business. The problem is, the board doesn’t always know what to look for or how cybersecurity impacts the business. What the board really wants to hear in the next report is how you’re generating results for the organization and how those results are creating ROI on the spend. Here are a few cybersecurity questions and a few metrics that the board really wants to hear about in the next report.
![Zerologon: BitSight Observations on a Dangerous Vulnerability](/sites/default/files/styles/4_3_small/public/migration/images/zerologon%2520blog%2520post%2520image_1.jpg.webp?itok=oN0mvHvD)
New vulnerabilities emerge daily... but not every vulnerability is being actively exploited by nation state actors. Zerologon (CVE-2020-1472) is one such vulnerability. Zerologon was recently identified by the National Security Agency (NSA) as one of 25 vulnerabilities actively being exploited by Chinese state-sponsored actors.
![BitSight’s View into the NSA’s Top Vulnerabilities](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_1613354131_2.jpg.webp?itok=ZxiVnhdn)
In a highly unusual move, the National Security Agency released research on October 20, 2020, highlighting 25 common vulnerabilities that are being actively exploited by Chinese state-sponsored actors. The NSA issued the alert in order to help companies prioritize vulnerability management. Most of the NSA vulnerabilities can be exploited to gain initial access to networks that are directly accessible from the Internet.
![5 Ways to Transform Your Security Program](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_1065742220_1.jpg.webp?itok=4fzq4KoQ)
Between difficulty communicating with boards and executives, shrinking budgets, and the challenge of measuring exactly how risk is being reduced, security leaders are under pressure to change the way they do things. The situation was already shifting heading into 2020, with budgets decreasing and increasingly skeptical boards citing little change in security performance to show for their investments.
![Lessons Learned From The Garmin Cyberattack](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_1211178508_1.jpg.webp?itok=PNsDPpcm)
In the cybersecurity industry we deal with news of breaches or potential threats nearly every day, but when you really think about it, it is bizarre how little these events impact our everyday lives. Yes, they impact the professional lives of many and have serious business consequences, but perhaps one reason for the lack of urgency society seems to show on the issue is that these tend to be fairly low-visibility events for the average person. Even something like the Target or Capital One breaches happened at a remove for most people in the world, with little impact on our daily lives.
![Easy Security Wins: How Patching and Software Updates Impact Your Cybersecurity](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_761462383_1.jpg.webp?itok=t2sv58gF)
As companies continue to try and manage the massive changes to work driven by COVID-19, security teams have faced immense pressure to rise to the challenge and keep companies secure. In the face of the large scale shift to work from home, expansion of the vendor ecosystem and digital attack surface, and disruptions to operations, it’s vital that security teams focus their efforts on areas of risk concentration.
![Protecting Sensitive Data: 4 Things To Keep In Mind](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_382458778_1.jpg.webp?itok=p4SUQiuE)
Given the recent security breaches and reported hacking attempts, it is increasingly important for companies to have a handle on their most sensitive data. Sensitive data can include employees’ personal information, customer information, trade secrets, and other types of data that would expose company information if obtained by a hacker. To identify your organization’s sensitive data points, refer to our recent article highlighting 5 examples of sensitive data.
![Secure Remote Work: New Threats Require a Shift in Policy and Training](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_431935282_1.jpg.webp?itok=kpxfqnAC)
Working from home introduces significant cyber risk to any organization. However, recent events reveal that it’s not a case of “if” but “when” bad actors will exploit the rampant vulnerabilities on home networks.
![Russian Hackers Validate BitSight WFH Data](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_625624946_1.jpg.webp?itok=vndU-9tP)
This week the New York Times released a report warning that a group of Russian hackers going by the name “Evil Corp” has been attempting to exploit the rampant vulnerabilities presented by the U.S. workforce shifting to working from home at remote offices, raising fears that major U.S. brands, news organizations, or even election systems could be disrupted with ransomware attacks. The research, conducted by Symantec, revealed that 31 large U.S. corporations, including Fortune 500 companies and news organizations, have fallen victim to Evil Corp, and those are just the ones we know about.
![How Organizations Can Reduce the Risk of Ripple20 IoT Vulnerabilities](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_229225618_1.jpg.webp?itok=3hPpZl9_)
“Celebrity” vulnerabilities like BlueKeep attract the attention and resources of security teams, often hogging the spotlight and allowing other, less visible but just as dangerous weaknesses that could be exploited by bad actors to go unnoticed. IoT devices are a perfect case in point.