Insights blog.

When Bitsight pioneered the security ratings market over six years ago, it was the first to use the outside-in approach to security ratings. Although not initially intuitive to many people, the value of this approach has become increasingly clear for many reasons and subsequently, its adoption has become more widespread. At Bitsight, we believe that an outside-in approach is the best way to build a security ratings product, and has proven valuable in many use cases.

2018 is right around the corner, and while we’re looking forward to what’s coming, we’re also thinking back on the best of this year. Here’s a look at 10 of our most frequently viewed cybersecurity articles in 2017.

Within the Bitsight Security Ratings platform, we prioritize features specifically chosen to help organizations identify and manage risks across their own networks and the networks of their third parties. Bitsight now enables users to identify organizations who are potentially vulnerable to ROBOT — short for "Return Of Bleichenbacher's Oracle Threat"— attacks. The vulnerability behind the ROBOT attack was originally discovered in 1998 and has resurfaced through a number of proprietary TLS/SSL implementations, affecting some of the most popular websites — including Facebook and PayPal. The vulnerability ultimately provides a method by which an attacker can decrypt TLS/SSL traffic and obtain sensitive information.

Determining whether you should quote or decline a cyber insurance applicant is an extensive and critical process. Typically, the decision is made after gaining an understanding of what the company does, identifying critical application information, and considering your organization’s risk appetite. But are you able to verify whether the decisions you’ve made are valid? 

In March 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulations—known as 23 NYCRR Part 500—went into effect. According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” is considered a covered entity and must comply.

As security and risk professionals work to finish out the year, they must also be thoughtful about planning for 2018. While it’s great to end the last quarter of the business year on a strong note, it’s even more critical for businesses to set themselves up for success when returning to work in January. One of the best ways to accomplish this is to be strategic about the extra budget they possess in Q4, and asking themselves this question: how can my organization be mindful about spending extra funds to benefit our security program later on?

Compliance, at its core, is a legal responsibility. It is defined as “act or process of doing what you have been asked or ordered to do.” Creating a successful vendor compliance program isn’t as simple as asking third parties to comply with your security requests or pestering them to answer your security risk assessment questions.

As 2017 draws to a close, we can’t help but be grateful for what a banner year this has been for Bitsight.

You can’t go more than a few weeks (or sometimes a few days) without hearing about yet another company whose data was compromised after hackers gained access through a third-party vendor. These attacks show that it’s no longer enough to secure only your own network from cyber attacks—you have to ensure your vendor networks are secured as well.

Over 15 years ago, Shaun McConnon, Bitsight’s former CEO and current Executive Chairman of the Board, became involved with giving back to the local Boston community. Shaun and his wife, Bonnie, sat on the Board for a Sudbury-based charity benefitting children with cancer, which was affiliated with the first Proton Beam at Massachusetts General Hospital (MGH). 

The May 2018 deadline for General Data Protection Regulation (GDPR) compliance is drawing closer — which means your organisation’s compliance activities should be well underway. But if you’re still looking for a place to start, here’s a GDPR checklist template to get you going:

In today’s expanding business ecosystem, managing vendor risk is becoming increasingly critical to protecting companies’ sensitive data. With new threats emerging daily and companies continuing to outsource, vendor risk management is an issue that will only grow in affecting organizations and their business partners. According to a recent Navex Global study, the ability to promptly resolve newly identified risks is a top challenge for organizations’ third party risk management programs.

In today’s business world, the desire to transact in the digital realm is dramatically accelerating and, unfortunately, so is the cyber risk that one takes on as a result. Organizations that handle sensitive data are more likely to become the targets of hackers who are looking to exploit this information stored within their network. Businesses now find themselves exposed to a growing “Cyber Risk Gap.” This gap is the outcome of the combined impact of the following:  

If I were to ask you whether your cyber risk underwriting strategy is mature, your first question would likely be: “How do you define mature?” It’s a great question! Here’s the answer: A mature cyber risk underwriting strategy considers all relevant underwriting issues when assessing an applicant's or insured’s risk profile.

This October, Bitsight celebrated another very important milestone as the leader and pioneer of the security ratings market: now, Bitsight has high-quality, historical data on over 110,000 global organizations at users’ fingertips.