Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Critical Vulnerabilities Discovered in Automated Tank Gauge Systems
Bitsight TRACE explores several critical vulnerabilities discovered in ATG systems and their inherent risk when exposed to the Internet.
We were curious about what CISOs and security managers have on their minds these days—so we searched around online and asked a few to share their thoughts. Below, you’ll find some interesting insights and observations to get a good conversation started in your office.
As an underwriter in the cyber insurance industry, you know that insurance is all about information. You’re responsible for making decisions about your applicants based on the details given to you—but you’re also aware of the potential for asymmetry in this information.
Financial regulators have long been concerned about the cyber risk that third-party-supplied products and services introduce into financial institutions. In 2013, for example, federal financial regulators issued guidance to financial institutions on managing third-party cyber risk. In the years since that 2013 bulletin was published, attention to third-party risk has continued to grow, and the topic has appeared in several examination priorities published by the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC), and the Federal Reserve.
Vendor risk management (VRM) is the practice of evaluating business partners, associates, and third-party vendors both before a business relationship is established and for the full term of the contract. It is a difficult, but necessary, process that every company should go through when it enters into a third-party relationship.
During 2016, a lot happened in the realm of cybersecurity, and we witnessed a number of noteworthy events and trends:
In today’s security landscape, the CIO has a large and important role to fill. They must be aware of and compliant with regulations in their industry, focus on ensuring that the right security controls are in place for the organization and its vendors, and be able to consider the risks and benefits of new business processes.
To a chief information officer (CIO), cybersecurity is a multifaceted concern. A breach that results in the loss of sensitive data could be a legal or reputational nightmare for the organization, and it could also cost the CIO (and others in the C-suite) their jobs.
In 2015, the Australian Red Cross contracted with a web development company called Precedent to create a new website. Unfortunately, the vendor left sensitive donor information from the Red Cross in a backup database on a public-facing website.
In our most recent Bitsight Insights report, we discuss the pervasive issue that is ransomware. The report states that education has the highest rate of ransomware across all industries—and government comes in second.
Onboarding third-party vendors that will have access to your network and data can have dire consequences if you cannot gauge vendor risk. In a recent joint survey by Bitsight and IDG Research Services of more than 260 IT managers and professionals, nearly 70% of respondents said they were "extremely concerned" or "very concerned" about the security risks posed by third-party vendors and suppliers. Another study found that nearly two-thirds of breaches involve a third party.
Last month, email giant Yahoo announced the compromise of 500 million user accounts—which is being called the largest breach from a single site in history. The breach compromised names, email addresses, telephone numbers, dates of birth, passwords, and some encrypted or unencrypted security questions and answers.
Ponemon Institute’s study, Data Risk in the Third-Party Ecosystem, highlights the challenges that companies face in protecting sensitive and confidential information shared with third parties.
Like many technical industries, cybersecurity has a lot of specialized lingo. But there are two dozen cybersecurity terms in particular that are critical to understand. We’ve defined them here (in alphabetical order) and linked to a few articles that may help you better understand them along the way.
Since our founding in 2011 as the first company to provide a rating that measures an organization's cybersecurity, Bitsight has become the leading security ratings provider. Bitsight is used around the world by industry leaders, government bodies, and smaller organizations alike to take control of their cyber footprint, using safe and objective rating techniques. What does Bitsight do to stand apart from others in the security industry?
Vendor risk management (VRM) is a broad category that encompasses all the measures an organization takes to prevent problems or business disruptions arising from vendor and third-party relationships. Legal issues, past performance, and creditworthiness are among the VRM factors small companies review most often, but cybersecurity should not be pushed to the back burner.