Insights blog.

Handling cyber risk in your organization’s supply chain isn’t easy. This aspect of Supply Chain Risk Management is a complex problem that even highly sophisticated organizations—like the Department of Defense—struggle to address.

Today, Bitsight is excited to announce that we have raised $23 million in Series B funding. The additional funding will allow Bitsight to keep hiring exceptional talent, as well as extend sales and marketing initiatives in Europe and in the Asia-Pacific region. The funding will also allow us to accelerate the development of new data analytic products and add to our extensive data resources to ensure the most accurate ratings possible. Bitsight is thriled to have Comcast Ventures join as a new investor. We’re also thrilled that all of our current investors participated in this new round!

In the majority of organizations, vendor risk management is still a highly manual process, making risk assessments a labor intensive exercise for all parties that are involved.  This is why, at best, most vendor management programs only assess third parties on an annual basis or during contract negotiation. However, risk managers know from securing their own networks that annual assessments tell us little about how effectively they are responding to emerging threats or addressing new vulnerabilities. So, how are annual vendor risk assessments making us more secure?

Last week, Bitsight co-sponsored a webinar with Advisen on the use of risk mitigation services for cyber insurance underwriting. Ira Scharf, GM of Cyber Insurance at Bitsight, joined Tracie Grella of AIG and Neeraj Sanhi of Willis Group to discuss several topics in this emerging field. Here are some of the highlights:

Recent breaches making headlines all share a troubling characteristic. In each breach detailed below, the intrusions of company networks lasted months - or in other cases, even longer than a year. While no company is impervious to a breach, one thing organizations can control is how quickly they respond to security incidents. The longer compromises remain neglected and unresolved, the more likely that a large-scale breach will occur, resulting in significant data loss.

I received the following questions from an inquisitive undergraduate student eager to learn more about Bitsight and security ratings. He posed excellent and insightful questions, and I thought that I would share our exchange in case others might be wanting to ask the same questions. Thanks, Nick!

The last few weeks have been a whirlwind of activities here at Bitsight! Between attending and speaking at RSA, participating in the latest Verizon DBIR report, preparing for our session at FS-ISAC, announcing our new partnership with AIG, and being featured as a vendor risk management solution in the Wall Street Journal, we were happy to see the second quarter off to such an exciting start. And then we got even more good news!

Recently we discussed three benefits for vendors related to their security rating, as we are asked about this often. We are also asked for best practices when communicating with your vendors about their security rating. We have many customers with experience incorporating Bitsight Security Ratings into their vendor risk management program, and the lessons they have learned along the way are too valuable not to share. There are several different approaches that can be leveraged; here are the 3 most common:

Third party breaches still account for a large percentage of security incidents. In fact, according to this year's Verizon DBIR report, in 70% of attacks where there was a known motive, a secondary victim was involved. These victims could be vendors, business partners, or vital pieces in supply chains. While the common phrase that “you are only as strong as your weakest link” has been used ad nauseum, it certainly rings true. The following are just some of the reasons why continuously monitoring the security of third parties is crucial:

The idea of telling a vendor or potential vendor that you've rated their security performance can be a little daunting. If someone has never heard of a Bitsight Security Rating, being told that another company has been monitoring their security effectiveness, without them knowing, can sound a little "big brother-ish" and raise lots of questions about privacy and legality. Though our methods are unobtrusive and based on the same outside-in model of credit ratings, we provide many materials to our customers to help them deal with these types of situations.

Last week San Francisco became the information security capital of the world for the 2015 RSA Conference. Around 30,000 attendees, mostly security professionals and vendors, descended on the Moscone Center for a week of discussion about the industry and new technologies. With literally too many talks for one person to attend, it’s hard to build a session schedule. Yet, as with any industry conference, there are key themes that arise in sessions, conversations, and the show floor. As a first time attendee who tried to make the most of my first RSA Conference, here are my three key observations on the industry:

Today AIG announced a strategic partnership with Bitsight to recommend Bitsight Security Ratings for Vendor Risk Management to CyberEdge customers. CyberEdge insureds can now benefit from the data-driven insights and continuous monitoring Bitsight can provide and be alerted of potential threats to their network, as well as promote understanding of individual company risks.

This is the introductory post in a series exploring how security ratings can address key aspects of the National Institutes of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The purpose of these posts is to outline how security and risk professionals can leverage Bitsight’s ratings to drive better risk management through the lens of the NIST framework.

For years, it has been widely-known that the Utilities industry has struggled with cyber security in relation to other industries. In 2014, Unisys and the Ponemon Institute found that 70% of Utility companies surveyed around the world had been breached. The vast majority of breaches are often not reported publicly- or even worse, they aren’t discovered at all. However, breaches for Utility companies are a big problem: beyond safeguarding critical infrastructure, these companies often hold a large amount of customer data.

Today Bitsight published our most recent Bitsight Insights report, Beware the Botnets; Botnets Correlated to a Higher Likelihood of a Significant Breach. Within this report Bitsight has identified a solid correlation between botnet infections and publicly disclosed breaches. To arrive at this finding, Bitsight leveraged botnet grades that are available to all customers in the Security Ratings platform. These letter grades, which are available for a wide range of risk vectors, provide insight into a company’s performance relative to others. These grades also take into account factors such as frequency, severity, and duration (for events) as well as record quality, evaluated based on industry-standard criteria (for diligence).