Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Critical Vulnerabilities Discovered in Automated Tank Gauge Systems
Bitsight TRACE explores several critical vulnerabilities discovered in ATG systems and their inherent risk when exposed to the Internet.
In today’s market, an increasing number of security and risk management executives are being asked to present to the Board of Directors on the state of their — and their third parties’ — security and risk programs. Gartner estimates that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputation risk. Bitsight understands that making an organization’s cybersecurity posture accessible to C-level executives and the Board of Directors is becoming more of a requirement within the business; we’ve added capabilities within Bitsight Security Ratings that arm security and risk management executives with actionable metrics that they can share with the Board of Directors.
If you’re involved in a healthcare-based organization, you’ve likely noticed the push for stronger vendor security and vendor risk management (VRM) practices. There are a few reasons for this.
In today’s world, organizations must be extremely conscientious about their vendors. It is just as important to be aware of the security of third-party networks as it is to be aware of your own. In April 2017, the new season of Netflix’s hit show “Orange is the New Black” was stolen and leaked after Netflix ignored several ransom demands from a hacker. The attacker had breached Larson Studios, a third-party postproduction company that worked for Netflix. It’s critical that organizations have a vendor risk management (VRM) program in place to address the risk posed by third parties. As outsourcing and the use of cloud services continue to grow, it’s even more crucial that the strategy can scale with the rising number of vendors. This is where many companies are falling short today.
In today’s security ratings services market, a few companies have offerings described as “swaps” or “slots.” When considering third party monitoring, this gives organizations the option to “trade out” which vendors they are monitoring when they see fit. But, does this type of disjointed monitoring actually proactively mitigate risk (which is the goal of utilizing a security ratings service) or just shift it around and hide it? This approach poses several problems.
In today’s day and age, organizations understand that data breaches are a growing problem, but many fail to realize that a third party breach can impact them as much as a breach on their own network. Here we’ll examine several misconceptions surrounding vendor risk management (VRM), and how you can proactively create a strategy to avoid common pitfalls.
Anyone who works in cybersecurity or organizational risk on a regular basis knows how valuable it is to stay up to date on the latest research. If you’re curious about a specific topic—anything from vendor security assessments to ransomware—or you want to improve your vendor risk management program, take a look at the cybersecurity resources and tips below. We’ve rounded up Bitsight’s most frequently downloaded guides, white papers, and research insights. And the best part? They’re all free.
Bitsight Security Ratings are based on security events and configurations present on a company’s digital infrastructure. As we discuss these ratings with companies, we’ve found that many of them have infrastructure registered to them that they are unaware of. With the recent WannaCry ransomware attacks (and with the increased frequency of cyber incidents overall), it is becoming critical that organizations take a more thorough look at their infrastructure. This preventative measure can help identify vulnerabilities or malicious activity on unmonitored parts of a network, as well as confirm the accuracy of registrations.
The financial services sector has traditionally been viewed as highly mature when it comes to cybersecurity initiatives. In fact, this Bitsight Insights report found that the financial sector had the highest Security Rating of all examined industries. But even though companies in the financial sector have been discussing the necessity of monitoring cybersecurity for quite some time, the threat landscape is constantly evolving, leading to a more complex cyber ecosystem every day. This makes it all the more critical to be proactive when it comes to cybersecurity issues.
While your current Vendor Risk Management (VRM) or Third-Party Risk Management (TPRM) program may have areas of strength, there is almost certainly room for improvement. These programs consume significant internal and external advisor time, are extremely costly, and are limited in scale. How can you harness more actionable insight to scale your program and truly and continuously understand the cybersecurity of your third parties? Using Bitsight Security Ratings, you can see a positive impact on your TPRM/VRM program by getting more value out of what you are already doing.
Consider this: If you’re part of a large company with thousands of suppliers, you need efficient processes and tools to get a good sense of the risk those suppliers present. If you’re a part of (or own) a small company with only 20 suppliers, you likely don’t have a team of full-time employees dedicated to vendor risk assessment—which makes efficient processes critical for you as well.
In 2015, Bitsight published a report, Beware the Botnets: Botnets Correlated to a Higher Likelihood of a Significant Breach. In that report, researchers discovered that companies with botnet grades of ‘B’ or lower were more than twice as likely to experience a significant data breach. Now, two years after that study, researchers examined more than 70,000 organizations and found similar results, including additional risk vectors that correlate with an increased likelihood of an organization experiencing a breach. Organizations have begun to take action based on these findings by communicating with trusted third parties whose security posture indicates they are likely to experience a data breach.
Among other things, cybersecurity is a primary focus on the Bitsight blog. The following is a list of Bitsight’s most-read cybersecurity articles and resources on the topic over the past couple of years, along with a description of what you’ll find in each.
Five to 10 years ago, communicating cyber risk wasn’t just difficult—it was downright rare. CISOs and CIOs were almost never asked to report metrics on cybersecurity to anyone except their direct supervisors.
The importance of monitoring third-party vendors has increased in recent years with the numerous data breaches originating in vendor systems. You have likely gathered from news coverage of major breaches that, because organizations are so interconnected today, it’s critical to make sure your vendors aren’t leaving your data exposed.
Reputational risk is the potential for damage to an organization’s character or good name. If a bank or financial institution is hit with an incident that puts a mark on its reputation, the event could compromise the company’s perceived legitimacy, thus affecting the number of current customers, prospective customers, shareholders, and the stock price. And because information is disseminated online and through social media so rapidly, this type of event could cause reputational harm almost immediately.