Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Slicing through CISA’s KEV Catalog
![Blog Image KEV Research Announcement](/sites/default/files/styles/cta/public/2024/05/01/Blog%20Image%20KEV%20Research%20Announcement.png?itok=dUMFV8Tg)
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
![Third-Party Risk Management Insights: 2015 Gartner Security & Risk Summit](/sites/default/files/styles/4_3_small/public/migration/images/cta-banner-bg_34.png.webp?itok=ArzrhB3E)
Last month, the Office of Personnel Management revealed the true extent of its mega data breach: 21.4 million Americans. This means that around 7% of all Americans are affected by this breach. Lawmakers are beginning to debate how the federal government can implement twenty-first century policies to counter growing cyber threats. A recent study from the US GAO noted that there was a 32.5% increase in cyber incidents at federal agencies from 2012 to 2013. As lawmakers begin to look internally at policies and processes to combat these threats, it is important that they also look externally. Primarily this means taking note of third-party risks and emulating models of success found in other industries.
![How Often Should You Do A Third-Party Risk Audit With Your Vendors?](/sites/default/files/styles/4_3_small/public/migration/images/full-third-party-risk-audit_1.jpg.webp?itok=suLAJRPL)
When you think of an audit, what comes to mind? If you’re at all familiar with the traditional auditing process, I’d imagine your answer would look something like this:
![4 Industries That Should Be On Your 3rd Party Risk Management Radar](/sites/default/files/styles/4_3_small/public/migration/images/full-4-industries-third-party-risk-management_1.jpg.webp?itok=3h5PpN2u)
Your organization probably deals with handfuls (or maybe hundreds) of vendors. Whatever the case may be, having a comprehensive third-party risk management solution is the best way to protect yourself against cyber mischief.
![The Evolution of Vendor Risk in the Retail Industry](/sites/default/files/styles/4_3_small/public/migration/images/bigstock-business-people-online-shopp-85204478_1.jpg.webp?itok=-hns-MS9)
Last week, Walmart Canada, Rite-Aid, CVS, and Sam’s Club were among the retailers to suspend their online photo operations due to a possible data breach of third-party photo service provider PNI Digital (a Staples subsidiary). This is the latest cyber incident to affect the retail industry, which has witnessed a number of high-profile breaches involving third-party vendors in recent years.
![Regulators Continue to Emphasize Third Party Cyber Risk Management](/sites/default/files/styles/4_3_small/public/migration/images/ftc-stock-thumb_1.jpg.webp?itok=DM9SvuvR)
In recent months, we’ve seen a variety of regulators from Finance to Defense cite the importance of third party cyber risk management. You can now add the Federal Trade Commission to the list.
![The 5 Mistakes You May Be Making With Your IT Risk Management](/sites/default/files/styles/4_3_small/public/migration/images/full-it-risk-management-mistakes_1.jpg.webp?itok=rA2ro-xj)
In business and in life, safety is always made a priority. From simple day-to-day tasks like wearing a seatbelt, to important business security decisions, prioritizing our safety and the safety of our families and valuable information is of utmost importance. But this process isn’t always easy. It seems like there are new security threats, from computer hackers and otherwise, that force us to find new ways to protect ourselves on a near-constant basis.
![Vendor Risk: 1 Issue That's Too Critical To Overlook](/sites/default/files/styles/4_3_small/public/migration/images/thumb-critical-vendor-risk-issue_1.jpg.webp?itok=QLTfPejN)
If your organization outsources to vendors, you are probably involved in a lot of due diligence. You may be looking at and verifying credit checks, getting background reports, monitoring legal standings and litigation, ensuring that third parties pay their bills and don’t employ criminals, and more.
![Supply Chain Risk Management: 4 Ways To Address Your Cyber Risk](/sites/default/files/styles/4_3_small/public/migration/images/full-supply-chain-risk-management_1.jpg.webp?itok=XJmdOLMI)
Handling cyber risk in your organization’s supply chain isn’t easy. This aspect of Supply Chain Risk Management is a complex problem that even highly sophisticated organizations—like the Department of Defense—struggle to address.
![Managing Vendor Security Risk Between Annual Assessments](/sites/default/files/styles/4_3_small/public/migration/images/annual-assessment-small_1.png.webp?itok=iueDRejE)
In the majority of organizations, vendor risk management is still a highly manual process, making risk assessments a labor-intensive exercise for all parties involved. This is why, at best, most vendor management programs only assess third parties on an annual basis or during contract negotiation. However, risk managers know from securing their own networks that annual assessments tell us little about how effectively they are responding to emerging threats or addressing new vulnerabilities. So, how are annual vendor risk assessments making us more secure?
![BitSight Achieves "Cool Vendor" Status in Gartner Report](/sites/default/files/styles/4_3_small/public/migration/images/coolvendorthumb_1.jpg.webp?itok=bkXy_KEJ)
The last few weeks have been a whirlwind of activities here at Bitsight! Between attending and speaking at RSA, participating in the latest Verizon DBIR report, preparing for our session at FS-ISAC, announcing our new partnership with AIG, and being featured as a vendor risk management solution in the Wall Street Journal, we were happy to see the second quarter off to such an exciting start. And then we got even more good news!
![Best Practices for implementing vendor security ratings](/sites/default/files/styles/4_3_small/public/migration/images/dial-stock-thumb_1.jpg.webp?itok=Yyg5flU9)
Recently we discussed three benefits for vendors related to their security rating, as we are asked about this often. We are also asked for best practices when communicating with your vendors about their security rating. We have many customers with experience incorporating Bitsight Security Ratings into their vendor risk management program, and the lessons they have learned along the way are too valuable not to share. There are several different approaches that can be leveraged; here are the 3 most common:
![Why You Should Assess Your Vendor's Security Performance Frequently](/sites/default/files/styles/4_3_small/public/migration/images/hourglass-stock-thumb_1.jpg.webp?itok=zPGOwtVr)
Third-party breaches still account for a large percentage of security incidents. In fact, according to this year's Verizon DBIR report, in 70% of attacks where there was a known motive, a secondary victim was involved. These victims could be vendors, business partners, or vital pieces in supply chains. While the common phrase that “you are only as strong as your weakest link” has been used ad nauseam, it certainly rings true. The following are just some of the reasons why continuously monitoring the security of third parties is crucial:
![3 Ways Your Vendors will Benefit from Knowing their Security Rating](/sites/default/files/styles/4_3_small/public/migration/images/3wayvendors-sm_1.png.webp?itok=LBpO41iY)
The idea of telling a vendor or potential vendor that you've rated their security performance can be a little daunting. If someone has never heard of a Bitsight Security Rating, being told that another company has been monitoring their security effectiveness, without them knowing, can sound a little "big brother-ish" and raise lots of questions about privacy and legality. Though our methods are unobtrusive and based on the same outside-in model of credit ratings, we provide many materials to our customers to help them deal with these types of situations.
![The Pros and Cons of Vendor Risk Management Tools](/sites/default/files/styles/4_3_small/public/migration/images/Blog-Thumbnail-Vendor-Risk-Management-Tools_1.jpg.webp?itok=CRFM2C9K)
Earlier this month, it was discovered that Anthem denied a government auditor’s request to perform vulnerability scans on Anthem’s IT systems, both in 2013 and for a scan planned for this coming summer. This Data Breach Today piece details both why the enterprise was justified in its refusal and why it was a poor choice.
![Managing Vendor Risk Complexity: Insights from Financial Institutions](/sites/default/files/styles/4_3_small/public/migration/images/Blog-Thumbnail-BNY-Mellon-Vendor-Risk-Management_2.jpg.webp?itok=BjDwCUI_)
Earlier this week I had the privilege of attending the invitation-only BNY Mellon 2015 Third Party Risk Management Symposium. The keynote speaker was General Keith Alexander, former Director of the National Security Agency. General Alexander painted a big (scary) picture of our national security and then quickly tied his remarks to the topic at hand: vendor security. He predicted that nation states like North Korea will come after the financial services industry with distributed denial of service (DDoS) attacks, combined with “wiper” malware, through their vendors’ networks. (Wiper malware was used in the recent attacks against Sony, the first time this type of attack was used against a business operating in the U.S.)