Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Slicing through CISA’s KEV Catalog
![Blog Image KEV Research Announcement](/sites/default/files/styles/cta/public/2024/05/01/Blog%20Image%20KEV%20Research%20Announcement.png?itok=dUMFV8Tg)
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
![AIG Partners with BitSight To Provide Cyber Insurance Diligence](/sites/default/files/styles/4_3_small/public/migration/images/handshake-stock-thumbnail_1.jpg.webp?itok=c5Y-LSw5)
Today AIG announced a strategic partnership with Bitsight to recommend Bitsight Security Ratings for Vendor Risk Management to CyberEdge customers. CyberEdge insureds can now benefit from the data-driven insights and continuous monitoring Bitsight can provide and be alerted of potential threats to their network, as well as promote understanding of individual company risks.
![From Framework to Application: Security Ratings and NIST](/sites/default/files/styles/4_3_small/public/migration/images/DC-Skyline-Big_1.jpg.webp?itok=x8NCgbaP)
This is the introductory post in a series exploring how security ratings can address key aspects of the National Institutes of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The purpose of these posts is to outline how security and risk professionals can leverage Bitsight’s ratings to drive better risk management through the lens of the NIST framework.
For years, it has been widely known that the Utilities industry has struggled with cybersecurity relative to other industries. In 2014, Unisys and the Ponemon Institute found that 70% of Utility companies surveyed around the world had been breached. The vast majority of breaches are not reported publicly, or worse, they are never discovered at all. Yet breaches at Utility companies are a serious problem: beyond safeguarding critical infrastructure, these companies often hold a large amount of customer data.
![Graph of Botnet Grade Distribution by Industry](/sites/default/files/styles/4_3_small/public/2022/08/26/Q215-Botnet-Graphic-Fig2.jpg.webp?itok=ajvqD2So)
Today Bitsight published our most recent Bitsight Insights report, Beware the Botnets; Botnets Correlated to a Higher Likelihood of a Significant Breach. Within this report Bitsight has identified a solid correlation between botnet infections and publicly disclosed breaches. To arrive at this finding, Bitsight leveraged botnet grades that are available to all customers in the Security Ratings platform. These letter grades, which are available for a wide range of risk vectors, provide insight into a company’s performance relative to others. These grades also take into account factors such as frequency, severity, and duration (for events) as well as record quality, evaluated based on industry-standard criteria (for diligence).
![Third-Party Risk Management Insights: 2015 Gartner Security & Risk Summit](/sites/default/files/styles/4_3_small/public/migration/images/cta-banner-bg_34.png.webp?itok=ArzrhB3E)
In recent years, the US government has become a leading advocate for continuous monitoring of security threats and vulnerabilities. But how effective are departments and agencies at implementing these programs? And how do we measure success?
![How to Create a Cybersecurity Standard of Care](/sites/default/files/styles/4_3_small/public/migration/images/Blog-Thumbnail-Tugboat_1.jpg.webp?itok=7x-H9tg4)
There has been a lot of debate recently about the role of senior executives and boards in managing cyber risk. If you’re involved in advising either of these groups today on cybersecurity, I urge you to focus on one thing: tugboats.
![The Pros and Cons of Vendor Risk Management Tools](/sites/default/files/styles/4_3_small/public/migration/images/Blog-Thumbnail-Vendor-Risk-Management-Tools_1.jpg.webp?itok=CRFM2C9K)
Earlier this month, it was discovered that Anthem denied a government auditor’s request to perform vulnerability scans on Anthem’s IT systems, both in 2013 and for a scan planned for this coming summer. This Data Breach Today piece details both why the enterprise was justified in its refusal and why it was a poor choice.
![Managing Vendor Risk Complexity: Insights from Financial Institutions](/sites/default/files/styles/4_3_small/public/migration/images/Blog-Thumbnail-BNY-Mellon-Vendor-Risk-Management_2.jpg.webp?itok=BjDwCUI_)
Earlier this week I had the privilege of attending the invitation-only BNY Mellon 2015 Third Party Risk Management Symposium. The keynote speaker was General Keith Alexander, former Director of the National Security Agency. General Alexander painted a big (scary) picture of our national security and then quickly tied his remarks to the topic at hand: vendor security. He predicted that nation states like North Korea will come after the financial services industry with distributed denial of service (DDoS) attacks, combined with “wiper” malware, through their vendors’ networks. (Wiper malware was used in the recent attacks against Sony, the first time this type of attack was used against a business operating in the U.S.)
![What Anthem Taught Us About Monitoring Information Security](/sites/default/files/styles/4_3_small/public/migration/images/Breach_Reaction_Plan_1.jpg.webp?itok=yt0yLDz1)
In late January, Anthem announced that it had been breached, compromising data from 80 million people. It is the largest publicly disclosed breach of a healthcare company.
![Diligence-Screenshot-SSL](/sites/default/files/styles/4_3_small/public/2022/12/02/Diligence_Screenshot_-_SSL.png.webp?itok=dXdUb7wd)
Microsoft has announced that it is removing SSLv3 support in both Internet Explorer (according to VentureBeat) and Azure Storage (according to Redmond Mag) on Tuesday, February 10. The company is not the first to stop supporting the technology, but this announcement should be one of the final straws for companies still supporting it.
![How the State of the Union Will Affect American Information Security](/sites/default/files/styles/4_3_small/public/migration/images/American_Information_Security_1.jpg.webp?itok=60WKvcud)
In his 2015 State of the Union Address, President Barack Obama mentioned the importance of improving America's cybersecurity and what he believes it will take to make it happen. Below is a review of the most interesting statements and initiatives mentioned in the address or recent media coverage, and the potential impact each could have on American Information Security.
![3 Ways Cyber Insurance Will Improve Security Performance](/sites/default/files/styles/4_3_small/public/migration/images/insurance-risk_1.jpg.webp?itok=M7_vCDG6)
In 2014, Cyber Insurance saw record growth. In fact, in a recent white paper from Advisen, their buyer penetration index showed a five-fold increase in insurance purchases from 2006 to 2013, demonstrating that many organizations have recognized the value in outsourcing corporate cyber risk. Naysayers, however, warn that this move does not make companies more secure and allows organizations to ignore the behaviors and issues that are creating security risks in the first place.
![BitSight Bits: How to Prove that Security Ratings Work](/sites/default/files/styles/4_3_small/public/migration/images/ROI_Graphic_2.jpg.webp?itok=4WVtJoG7)
During last month's FS-ISAC webinar, Home Depot, the SEC and Increasing Board Oversight: Why Metrics Matter More and More, Bitsight CTO and Co-Founder Stephen Boyer answered questions from attendees about why using IT security metrics is more important than ever before. He also performed a live demo of Bitsight Security Ratings to show how to prove that security ratings work.
![How You Can Avoid Becoming the Next Sony](/sites/default/files/styles/4_3_small/public/migration/images/Sony_Breach_Image_1.jpg.webp?itok=-VM5egrF)
As you've heard by now, Sony Pictures suffered a major breach in November, and is still feeling the consequences of it. The FBI warned that other companies could be attacked with similar malware, but that isn't the only reason you should care about this event in particular.
![BitSight Bits: Quantifying Security Performance](/sites/default/files/styles/4_3_small/public/migration/images/bigstock-Computer-Security-8029584_1.jpg.webp?itok=vXOY7Agm)
During last month's SANS webinar, Quantifying Security Performance: The What, Why and How of Security Ratings, Bitsight CTO and Co-Founder Stephen Boyer answered questions from attendees. Here are some of the most interesting questions people posed, and our answers for each one. There are also two clips from the webinar recording.