Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Slicing through CISA’s KEV Catalog
![Blog Image KEV Research Announcement](/sites/default/files/styles/cta/public/2024/05/01/Blog%20Image%20KEV%20Research%20Announcement.png?itok=dUMFV8Tg)
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
![gavel and computer](/sites/default/files/styles/4_3_small/public/2022/07/28/gavel%20and%20computer.jpeg.webp?itok=Rb6cxwKE)
In a previous blog post, we outlined federal initiatives to pass a data breach notification law that would simplify the current myriad of state regulations. In the wake of the Target and Neiman Marcus data breaches, legislators and government officials called for a national data breach notification standard. While bills have been introduced, little action has been taken beyond Senate or House subcommittee hearings. High-profile breaches brought this issue into the consciousness of the American public and government, but the need for transparency is even more pressing because of the high volume of breaches that go unreported: our own analysis found that in our home state of Massachusetts alone, 1 million residents had their PII compromised in healthcare breaches between 2007 and 2011. Yet the lack of movement in the US federal government does not mean data breach notification has been a stagnant issue in other countries or at the state level. In this post, we round up some interesting legislative initiatives happening around the globe and in US state governments.
![Three Ways to Benchmark Security Performance](/sites/default/files/styles/4_3_small/public/migration/images/chart_4.jpg.webp?itok=rhWzKmYH)
Companies are spending more and more on IT security. A recent report by Canalys found that the worldwide IT security market will grow 6.6% annually, becoming a $30.1 billion industry by 2017. This increase in spending may have something to do with the heightened consequences of data breaches and security events. Another recent study, this one from the Ponemon Institute, found the average cost of a data breach to be a lofty $3.5 million. But as companies spend more and more money on IT security products and services, how can they verify that their overall security is actually improving?
![Third-Party Risk Management Insights: 2015 Gartner Security & Risk Summit](/sites/default/files/styles/4_3_small/public/migration/images/cta-banner-bg_34.png.webp?itok=ArzrhB3E)
In his talk “CISOs Talking SMAC (Social, Mobile, Analytics, Cloud)”, Jim Routh, CISO at Aetna, recounted a lunch conversation he shared with eight recently hired CISOs. Over the course of the discussion, the CISOs established three facts: 1) each of them had been interviewed for their current position by the CEO, 2) they were all being very well compensated, and 3) the smallest budget increase any of them had received was a doubling.
Routh’s lunchtime anecdote makes it clear that the role of the CISO is evolving. The elevated importance of the CISO within the enterprise shows increased awareness of and focus on information security risk, but it also speaks to the new nature of the CISO’s role. Traditionally, the CISO was more of a “back-office” manager focused on network and security operations. The role has evolved. The CISO is now in many ways on par with other “C-level” executives. The new CISO is customer-facing and revenue-generating.
Security has been historically classified as a business expense with
![Measuring Security Performance: Is Target More or Less Secure?](/sites/default/files/styles/4_3_small/public/migration/images/Measuring-Security-Performance_1.jpg.webp?itok=3mjzeEUN)
As a result of its major data breach late last year, Target has undergone a major house-cleaning to signal to the market just how seriously it is taking cyber security.
![The Inevitability of Security Risk in the Board Room – Steinhafel is dead, long live Steinhafel](/sites/default/files/styles/4_3_small/public/migration/images/king-is-dead_1.jpg.webp?itok=VfiB723c)
Originating from the French proclamations of Charles VII’s ascension to the throne after the death of Charles VI, “The King is dead, long live the King” speaks to the inevitability of succession. It is now not a stretch to think about the inevitability of future CEOs leaving power and ascending to power as a result of cyber breaches.
![New Methods for Assessing and Mitigating Security Risk](/sites/default/files/styles/4_3_small/public/migration/images/BenchmarkIcon_1.png.webp?itok=i_peizTE)
Businesses often undertake a check-box approach to cyber security by purchasing security products, meeting compliance standards and performing quarterly or yearly audits. While these methods have proven value, they are often not enough. This leaves businesses vulnerable to threats in a constantly changing risk landscape. To overcome these obstacles, businesses should gain expanded visibility into security performance through data-driven comparison and continuous monitoring.
![Discussing Third-Party Risk Management in the Healthcare Industry](/sites/default/files/styles/4_3_small/public/migration/images/medical_corps-128_1.png.webp?itok=hqUfQv92)
Healthcare security, and how the updated HIPAA/HITECH Act regulations are changing the nature of risk in that industry, are hot topics right now. "The rules have made it easier for organizations to have penalties levied against them because of the actions of a subcontractor," Elizabeth Warren, a healthcare attorney with Nashville, Tennessee-based Bass Berry & Sims, is quoted as saying in this Becker’s Hospital CIO post. And she’s absolutely right.
Since California became the first state to enact a security breach notification law in 2002, 46 states and the District of Columbia have enacted similar disclosure laws. These laws follow the same basic tenet, that “companies must immediately disclose a data breach,” a burden that is most stringent when the compromised data can be classified as personally identifiable information (PII), such as name, Social Security number, date of birth, mother’s maiden name, etc.
![Third-Party Risk Management Insights: 2015 Gartner Security & Risk Summit](/sites/default/files/styles/4_3_small/public/migration/images/cta-banner-bg_34.png.webp?itok=ArzrhB3E)
Last week Stephen Boyer, CTO and Co-Founder of Bitsight, and Oliver Brew, VP of Professional, Privacy and Technology Liability at Liberty International Underwriters, hosted a webinar titled, "Security Ratings: A Big Data Approach to Measuring and Mitigating Security Risk". During this webinar, they discussed the challenges to measuring security risk and how Security Ratings can give businesses the tools to proactively identify and mitigate risk.
Unfortunately, something ugly has tarnished the canvases of the artists and crafters who used their debit or credit cards to shop at Michaels from May 8, 2013 to January 24, 2014. In late January 2014, Michaels announced that it was investigating a potential security breach involving customers’ credit card information. After weeks of analysis, Michaels finally confirmed yesterday that a targeted attack did indeed occur on some of their point of sales systems and that approximately 2.6 million cards may have been compromised.
At Bitsight, we have observed significant botnet activity on Michaels’ network over the past year. In particular, we observed multiple instances of Conficker, a botnet that can comp
![Interest in Financial Services Third Party Risk Rising](/sites/default/files/styles/4_3_small/public/migration/images/ConnectedBusiness_1.png.webp?itok=DUiD5Va_)
There’s certainly been a lot of talk about third party risks recently. There’s been the fallout from the Target breach and the role a subcontractor played in that incident. Then there was the U.S. Department of Homeland Security incident, in which DHS reportedly exposed private documents of at least 114 contractors that bid for work at the agency, as well as plenty of discussion surrounding third-party risk to critical infrastructure. And there’s also been considerable attention given to third-party risk as it relates to financial services companies.
![Hearts Bleed Over Latest SSL Vulnerability](/sites/default/files/styles/4_3_small/public/migration/images/openssl-logo_1.png.webp?itok=W_VTl4Na)
On April 7, 2014, the open-source OpenSSL project issued an advisory for a critical vulnerability identified as CVE-2014-0160 and nicknamed “Heartbleed.” The flaw is a missing bounds check in OpenSSL’s implementation of the TLS heartbeat extension: the code trusted the payload length claimed in an incoming heartbeat request and echoed back that many bytes from memory, even when the request actually carried far fewer. The bug had been present since OpenSSL 1.0.1 (released March 2012), roughly two years, before it was discovered. A single malformed request tricks a server running OpenSSL 1.0.1 through 1.0.1f (or the 1.0.2 beta) into revealing up to 64 KB of its process memory, and there is no limit to the number of requests an attacker can make. Memory retrieved this way can contain private keys, user names, passwords, session cookies, credit card data, and other sensitive information; with the server’s private key in hand, an attacker can impersonate the site or mount a far more effective man-in-the-middle attack. What is both scary and brilliant about attacks exploiting this vulnerability is that they leave no trace in the server logs.
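To make the missing check concrete, here is an added example written for this post; it is not OpenSSL’s code but a simplified model of its heartbeat handler. The message layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) follows RFC 6520. The connection “arena”, the `conn_t` struct and the “SESSION-COOKIE” string are constructed stand-ins for the received record and for whatever data happened to sit next to it in the real server’s heap; in OpenSSL the received length is `s->s3->rrec.length`, and the demo’s `ARENA_SIZE` guard exists only so the model itself stays within defined behaviour (the real over-read ran up to 64 KB past the record).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not OpenSSL code): a simplified model of the TLS heartbeat
 * handler. CVE-2014-0160 was the absence of a check that the payload length
 * claimed in the request actually fits inside the record that was received. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  256                 /* demo-only bound on "server memory" */

typedef struct {
    uint8_t mem[ARENA_SIZE];            /* record at offset 0, other data after it */
    size_t  rrec_length;                /* bytes actually received (rrec.length) */
} conn_t;

static uint16_t n2s(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Builds the response into resp. Returns its length, or -1 if the request is dropped. */
static int hb_build_response(const uint8_t *p, uint16_t payload, uint8_t *resp) {
    uint8_t *r = resp;
    *r++ = HB_RESPONSE;
    r[0] = (uint8_t)(payload >> 8); r[1] = (uint8_t)(payload & 0xff); r += 2;
    memcpy(r, p, payload);              /* copies `payload` bytes starting at the request payload */
    r += payload;
    memset(r, 0, HB_PADDING);           /* real code filled this with random bytes */
    return 3 + payload + HB_PADDING;
}

/* Vulnerable handler: trusts the wire-supplied length, so memcpy reads past the
 * rrec_length bytes that were actually received. */
int hb_process_vulnerable(const conn_t *c, uint8_t *resp) {
    const uint8_t *p = c->mem;
    uint8_t type = *p++;
    uint16_t payload = n2s(p); p += 2;  /* attacker-controlled */
    if (type != HB_REQUEST) return -1;
    if (3 + (size_t)payload > ARENA_SIZE) return -1;   /* demo guard only; absent in OpenSSL */
    return hb_build_response(p, payload, resp);
}

/* Fixed handler: the two length checks OpenSSL 1.0.1g added. A request whose
 * claimed payload does not fit in the received record is silently discarded. */
int hb_process_fixed(const conn_t *c, uint8_t *resp) {
    const uint8_t *p = c->mem;
    if (1 + 2 + HB_PADDING > c->rrec_length) return -1;
    uint8_t type = *p++;
    uint16_t payload = n2s(p); p += 2;
    if (type != HB_REQUEST) return -1;
    if (1 + 2 + (size_t)payload + HB_PADDING > c->rrec_length) return -1;
    return hb_build_response(p, payload, resp);
}

static const char SECRET[] = "SESSION-COOKIE=deadbeef";   /* constructed neighbouring data */

/* Constructed attacker record: claims `claimed_len` payload bytes but carries one. */
static conn_t make_conn(uint16_t claimed_len) {
    conn_t c;
    memset(&c, 0, sizeof c);
    c.mem[0] = HB_REQUEST;
    c.mem[1] = (uint8_t)(claimed_len >> 8);
    c.mem[2] = (uint8_t)(claimed_len & 0xff);
    c.mem[3] = 'A';
    c.rrec_length = 3 + 1 + HB_PADDING;             /* 20 bytes really on the wire */
    memcpy(c.mem + 64, SECRET, sizeof SECRET - 1);  /* sits "next to" the record */
    return c;
}

static int contains(const uint8_t *buf, int n, const char *needle) {
    int m = (int)strlen(needle);
    for (int i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, (size_t)m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's reply to a 200-byte claim leaks the secret. */
int vulnerable_leaks_secret(void) {
    conn_t c = make_conn(200);
    uint8_t resp[3 + ARENA_SIZE + HB_PADDING];
    int n = hb_process_vulnerable(&c, resp);
    return n > 0 && contains(resp, n, SECRET);
}

/* Return value of the fixed handler for the same malicious record (-1 = dropped). */
int fixed_result_malicious(void) {
    conn_t c = make_conn(200);
    uint8_t resp[3 + ARENA_SIZE + HB_PADDING];
    return hb_process_fixed(&c, resp);
}

/* Return value of the fixed handler for an honest 1-byte heartbeat (3 + 1 + 16 = 20). */
int fixed_result_benign(void) {
    conn_t c = make_conn(1);
    uint8_t resp[3 + ARENA_SIZE + HB_PADDING];
    return hb_process_fixed(&c, resp);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler, malicious record: %d\n", fixed_result_malicious());
    printf("fixed handler, benign record:    %d\n", fixed_result_benign());
    return 0;
}
```

The point of the model is the asymmetry between the two handlers: the response format is identical, so nothing about a leaked reply looks malformed, and the server emits no error, which is why the attack leaves no trace in the logs. The fix is not to sanitize the payload but to refuse any request whose claimed length exceeds what the record actually delivered.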
![Risk 101: SSL Key Indicator in Security Effectiveness](/sites/default/files/styles/4_3_small/public/migration/images/SSL-Implementation-UPDATED-022814_1.png.webp?itok=XewSQrAv)
This post is part of the Risk 101 series.
![Managing Third Party Security Risk in the Critical Infrastructure](/sites/default/files/styles/4_3_small/public/migration/images/third-party-security-risk-critical-infrastructure_1.jpg.webp?itok=A1Sgx8mb)
There’s no shortage of challenges when it comes to securing critical infrastructure. These are very complex, interconnected systems, and highly motivated, potentially well-trained and well-funded adversaries target them. And should critical infrastructure systems become unavailable, whether electrical, financial, or communications systems, every public sector organization and private enterprise that relies on them is also in danger of being severely hampered, or even shut down.
![Why a Proactive Approach to Vendor Risk Management is Necessary](/sites/default/files/styles/4_3_small/public/migration/images/Proactive-Reactive-Risk-Management_1.png.webp?itok=uZY-VuxF)
When third party vendors, partners, processors and contractors find out about a breach of your customers' data, do you know what their notification practices are? Would you be surprised to know that almost a full third of them probably won't ever let you know that they've put your data at risk?