Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Slicing through CISA’s KEV Catalog
![Blog Image KEV Research Announcement](/sites/default/files/styles/cta/public/2024/05/01/Blog%20Image%20KEV%20Research%20Announcement.png?itok=dUMFV8Tg)
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
![How to Build a Realistic Cybersecurity Plan for Third Party Vendors](/sites/default/files/styles/4_3_small/public/migration/images/AdobeStock_143989742-910733-edited-min_1.jpeg.webp?itok=yjkavSOY)
Since third party vendors are not under direct supervision, they are typically the weakest link of an enterprise’s IT security landscape. The largest organizations have tens of thousands of vendors, which makes managing this type of risk particularly challenging. For many organizations, it’s simply impossible to communicate with every vendor on a frequent basis about their security posture. At the same time, outsourcing to vendors is critical for business success, and delaying engagement with vendors while their security is reviewed could adversely affect an enterprise’s operations. Faced with such challenges, how do you go about developing a cybersecurity plan that effectively and efficiently manages third party vendor risk?
![Recent Australia Privacy Amendment Reflects Growing Concern Over Third Party Cyber Risk](/sites/default/files/styles/4_3_small/public/migration/images/3.16-Australia-Privacy-Blog-Full_1.jpg.webp?itok=dn1cI8YF)
In February of 2017, Australia’s Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, amending the Privacy Act of 1988. These new mandatory breach notification requirements officially went into effect last month, February 22, 2018. The Notifiable Data Breaches (NDB) scheme establishes new requirements for organizations around the notification of data breaches that are “likely to result in serious harm.” Following suit with the GDPR, this new law aims to provide greater protection of personal information for individuals and transparency into data privacy practices of organizations. The amendment pertains to all organizations that are already expected to comply with the Privacy Act, also referred to as APP Entities, including both federal agencies and organizations (for profit and not-for-profit) with $3 million or more in annual turnover.
![Security Ratings Services & “Traditional” Security Solutions: What You Need to Know](/sites/default/files/styles/4_3_small/public/migration/images/3.2-Security-Ratings-SIEM-Blog-Full_2.png.webp?itok=yRl8nkqn)
It’s no surprise that cybersecurity remains a top concern for business leaders today. In fact, PwC’s 2018 CEO Survey showed cyber threats rose from their position as the #10 organizational threat in 2017 to #4. As such, the market for cybersecurity solutions is extremely large, with forecasts putting the expected spending on security solutions at over $100 billion by 2020 (according to Gartner and IDC). From traditional security hardware to more modern software solutions and a multitude of security services, security leaders have no shortage of options when it comes to strengthening the security posture of their organization. But where do security ratings fit in? Do organizations really need both security ratings and traditional security solutions like a SIEM? And if so, why?
![Filtering Is Easy, Counting Is Hard](/sites/default/files/styles/4_3_small/public/migration/images/2.27-Engineering-Blog-Image-Thumb_1.png.webp?itok=-qPvx0JQ)
A few months back we added a new feature to the heart of our security ratings portal: the ability for users to not only filter companies in their portfolios, but also to see real-time updated counts of how many "filtered" companies match their selected filter criteria. In practice, this allows users to quickly see, for example, all of their vendors in the Technology or Finance industry with an IP footprint in the U.K. or Germany that use Amazon or Google as service providers.
![What’s In It For Me As a BitSight Customer?](/sites/default/files/styles/4_3_small/public/migration/images/2.23-BitSight-Customer-Blog-Thumb_2.png.webp?itok=HFi4Yz0m)
In today’s day and age, reducing cyber risk needs to be a priority for your organization — but what is the most effective way to tackle building your security program? For seven years, Bitsight has proven that we have the most time-tested, trusted, and actionable security ratings, now used by more than 2,100 customers. But when you become a Bitsight customer, what are the benefits that you actually receive besides our world-class security ratings solution?
![Security Ratings of U.S. Federal Agencies & Government Contractors](/sites/default/files/styles/4_3_small/public/2022/05/27/2.19-Federal-BitSight-Insights-Blog-Thumb_1.png.webp?itok=76rJjhuT)
The federal government relies on tens of thousands of contractors and subcontractors — often referred to as the federal “supply chain” — to provide critical services, hold or maintain sensitive data, deliver technology, and perform key functions. Along with the Federal Government itself, these contractors and subcontractors face a multitude of cyber threats.
![New Singapore Cybersecurity Bill Reflects Growing Focus on Critical Infrastructure](/sites/default/files/styles/4_3_small/public/migration/images/2.14-Singapore-Cyber-Bill-Blog-Full_1.png.webp?itok=3BtLqOm_)
Last year, there were several new cybersecurity developments introduced around the globe to reduce the risk of catastrophic cyber events at national critical infrastructure. These include regulations from the New York Department of Financial Services (NY DFS), the White House’s Executive Order on Cybersecurity, the EU’s General Data Protection Regulation (GDPR), China’s new Cybersecurity Law, and Hong Kong’s Cybersecurity Fortification Initiative.
![Silent Cyber: What It Is & How You Can Avoid It](/sites/default/files/styles/4_3_small/public/migration/images/Thumb%2520Silent%2520Cyber%2520What%2520It%2520Is%2520%2520How%2520You%2520Can%2520Avoid%2520It_1.jpg.webp?itok=EqttVLYt)
Companies typically buy several lines of insurance—from property, to general liability, to professional liability. When something goes wrong, it’s common for a company to run to its insurance provider and claim that it has coverage. But many times, companies like this assume that their insurance will cover them—but this may not always be the case.
![The Importance of Responsible Disclosure in Security Ratings](/sites/default/files/styles/4_3_small/public/migration/images/2.8.18-Responsible-Disclosure-Blog-Thumb_1.png.webp?itok=zEmraYLM)
Last year, Bitsight was proud to help drive the Principles for Fair and Accurate Security Ratings, published by the US Chamber of Commerce and supported by over 40 global organizations. The establishment of these Principles demonstrates the momentum and maturity of the security ratings market that Bitsight pioneered in 2011. The Principles were designed to promote fairness in reporting of cybersecurity performance and encourage the adoption of security ratings across all industry sectors.
![Do's & Don'ts for Security Professionals Presenting to Executives](/sites/default/files/styles/4_3_small/public/migration/images/bitsight-how-to-present-to-senior-executives_1.jpg.webp?itok=mLDoZ4AA)
Cybersecurity is a growing topic of discussion in Board meetings everywhere, and more and more security professionals are being asked to present on it in high level meetings. Company leadership is busy, so it’s your responsibility to present a case to them that’s ready for review. We reached out to some security executives and CIOs and asked them for tips on what common mistakes to avoid when presenting your case to executives or the Board.
![Break Out Of The Tinynuke Malware](/sites/default/files/styles/4_3_small/public/migration/images/2.2-Tinynuke-Blog-Thumb_1.png.webp?itok=DDSr8s_e)
New Tinynuke variant with a DGA in the wild
![Making the Case for Vendor Security to the C-Suite](/sites/default/files/styles/4_3_small/public/migration/images/bitsight-vendor-cyber-security-1_1.jpg.webp?itok=-wDy8DFK)
You’re responsible for information security at your organization. You dedicate yourself every day to identifying weaknesses and patching vulnerabilities in your network. You’ve developed policies to protect employees from cyber threats. You’ve designed procedures for responding in the event of a data breach, and you’ve practiced those procedures with company stakeholders.
![Upgrading to the Django Rest Framework V3](/sites/default/files/styles/4_3_small/public/migration/images/1.25-Engineering-Blog-Thumb_1.png.webp?itok=8pL7yXR7)
Due to security, reliability, and growth reasons, organizations are constantly upgrading their software to newer releases. Some upgrades are incremental and minor in nature. Others, like the upgrade from Django Rest Framework (DRF) V2 to V3, require coding changes due to incompatibilities between the releases. This article is about Bitsight's upgrade experience, lessons learned, and how we improved because of it.
![The Cost Of Cyber Risk: How Security Ratings Help With Policy Pricing](/sites/default/files/styles/4_3_small/public/migration/images/Thumb-The-Cost-Of-Cyber-Risk-How-Security-Ratings-Help-With-Policy-Pricing_1.jpg.webp?itok=e0JVlLC9)
Policy pricing is something every insurance company and underwriter struggles with at some point. The primary issue is differentiating between the risk an applicant presents and the information you’re given. Let’s take a closer look at how policy pricing is examined in cybersecurity today.
![BitSight Hackathon 2017](/sites/default/files/styles/4_3_small/public/migration/images/BitSight-Hackathon-4_1.png.webp?itok=fPbfA3cm)
For the second year in a row, Bitsight gave its engineers, product managers, and data and research scientists the day off from normal work to make something cool. The hackathon day had all the typical stuff: awesome custom-designed t-shirts, pizza for lunch, and a demo day the next day. The only “requirement” for teams was that they produce a working prototype to demo. We wanted actual code (not great code, necessarily, but code), not just design mocks.