Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Slicing through CISA’s KEV Catalog
Slicing through CISA’s KEV Catalog
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
This post was updated on January 27, 2020.
You’ve likely heard your fair share of mortifying headlines around IT vendor management mistakes. Many of the highly publicized breaches in the last several years happened simply because the companies did not follow basic best practices for IT vendor risk management (VRM).
A sad truth about vendor risk management is that data breaches can—and will—happen to far too many companies. They are an unfortunate side effect of the digital world we live in today. But catastrophic data breaches are another story entirely. Yes, they do happen—and they happen more often than one might hope.
As we highlighted in a recent blog post, a diverse range of companies utilize Bitsight Security Ratings to manage cyber risk. Many of our customers are actively using these ratings to manage vendor risks, screen mergers and acquisition targets, underwrite cyber insurance and benchmark security performance. Regardless of how customers use these ratings within their security and risk programs, it is important that the ratings are both actionable and accurate.
by Ethan Geil and Nick Whalen
In today’s cyber threat landscape, organizations must know how secure they are at any given time. One of the most important questions that security professionals and risk managers can ask is “how secure am I right now?”
Bitsight’s Third Annual Bitsight Insights Industry Benchmarking Report looked at some of the major SSL vulnerabilities affecting organizations, including Heartbleed, POODLE and FREAK. Bitsight’s analysis found that a sizeable number of companies across all industries were still running services that were vulnerable to these flaws. As mentioned in our report, businesses can leverage this information as a measure to ensure that proper controls are being met internally. In addition, companies can gain insight into the performance of their key third party vendors when it comes to ensuring that they aren’t running vulnerable services.
Bitsight’s Third Annual Bitsight Insights Industry Benchmark Report: Are Energy and Utilities at Risk of a Major Breach? discussed the growing convergence of operational technologies (OT) and information technology (IT). In short, this issue revolves around making operational technologies internet enabled. These technologies - which include generation, transmission, smart grid systems, meter reading and more - are increasingly being brought online to enable a smarter grid and systems.
Assessing the security performance of your vendors and third parties is crucial considering the amount of access to sensitive information we grant to these partners. However, for those assessments to be effective, and for you to actually know what the results mean, you need to know what performance trends you should be looking for and to be able to contrast and compare the results. This is where benchmarking comes in.
Last week, the SEC issued a Risk Alert, announcing that they will continue to assess cybersecurity risk and preparedness among brokers/dealers, investment advisors, and other financial institutions. The release details several focus areas for these exams. Here are a few highlights:
Today Bitsight published our third annual industry benchmarking report: Are Energy and Utilities At Risk of a Major Breach? This report illustrates the latest security performance of the Finance, Federal Government, Retail, Energy and Utilities, Healthcare, and Education industries. All of these industries hold sensitive data- and as a result they are targets for hackers. Like we do for all of our Bitsight Insights, let’s dive into how each sector performed.
There are obvious and non-obvious vendors, third parties, and contractors that have access to your data or your corporate network. The obvious ones are organizations that provide IT or technology services to you. Naturally, these individuals would have access to your data, because you’ve granted it!
This is the third post in a series exploring how Security Ratings can address key components of the NIST cybersecurity guidelines. You can read the first post here and the second post here.
Prioritizing vendors based on risk is considered a vendor risk management best practice. But how do you do this? To start, let’s look at a commonly referred-to equation:
Last month, the Office of Personnel Management revealed the true extent of it’s mega data breach - 21.4 million Americans. This means that around 7% of all Americans are affected by this breach. Lawmakers are beginning to debate how the federal government can implement twenty-first century policies to counter growing cyber threats. A recent study from the US GAO noted that there was a 32.5% increase in cyber incidents at federal agencies from 2012 to 2013. As lawmakers begin to look internally at policies and processes to combat these threats, it is important that they also look externally. Primarily this means taking note of third party risks and emulating models of success found in other industries.