Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Slicing through CISA’s KEV Catalog
![Blog Image KEV Research Announcement](/sites/default/files/styles/cta/public/2024/05/01/Blog%20Image%20KEV%20Research%20Announcement.png?itok=dUMFV8Tg)
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
![Cyber Security Risk: Perception vs Reality in Corporate America](/sites/default/files/styles/4_3_small/public/migration/images/Optimism-Bias-Leads-to-Security-Risk_1.png.webp?itok=tApcRb-8)
In February, Bitsight released a new Bitsight Insight examining the cyber health of the U.S. economy and found that 82% of the 460 companies assessed had an externally observable security compromise in 2013. Examples of security events observed by Bitsight include communications between compromised computers inside an organization and external computers known to be under the control of an attacker, distribution of malware, and propagation of malicious email. Although these security events do not necessarily equate to data loss, each one is an indication that the organization has been compromised in some manner.
![Third-Party Risk Questionnaires: Best Practice or Legacy Tool?](/sites/default/files/styles/4_3_small/public/migration/images/Third%2520party%2520risk%2520questionnaires_False%2520Sense%2520of%2520Security_1.png.webp?itok=G-5KSd9p)
Questionnaires have been a key part of third-party risk management programs for decades. And, until recently, they were the primary way businesses checked up on the cybersecurity performance of their third-party vendors.
![Regulators Put More Emphasis on Third-Party Risk Management](/sites/default/files/styles/4_3_small/public/migration/images/third-party-information-security-regulations_1.png.webp?itok=aCwF-41m)
With so much of today's business processes dependent on a complicated network of suppliers, contractors, and service providers, the problem of determining liability for data privacy and protection is quickly coming to a head. When sensitive data is hosted in a provider's infrastructure, is that provider or its customer responsible for protecting that data? If a company entrusts a partner with a customer database and that partner lets the database be compromised, which company is responsible for notifying those customers and who will end up footing the bill for legal damages?
![Target Breach Investigation Shows Tangled Web of Third Party Risks](/sites/default/files/styles/4_3_small/public/migration/images/Target-Third-Party-Breach_1.png.webp?itok=nFDwXPHI)
As more and more details surrounding the Target breach continue to unfold, it's becoming evident just how complicated it can be for investigators and journalists to follow the trail of evidence left behind. The latest reports suggest that one or more business partners were used by the attackers to gain access to Target's systems. Below is a summary of top stories which provide insight into the tangled web of third-party vendors and suppliers which may have left Target vulnerable to attack, highlighting just how essential it is for organizations to be aware of their third-party risks.
![The Impact of Target’s Data Breach Throughout the Partner Ecosystem](/sites/default/files/styles/4_3_small/public/migration/images/bigstock-The-Hamilton-Crossings-shoppin-260589403_1.jpg.webp?itok=0VLcEZmN)
Many of the facts surrounding the Target breach still remain unclear, even as details continue to emerge publicly. We still don’t know what the final tally of breached organizations will be, but the list keeps growing. In addition to who else has been breached and the impact on their customers, another factor we need to consider is how Target's business partners may be impacted. In a data breach on any retailer, card issuers, payment processors, insurers, suppliers and other parties may face substantial loss as the investigation and recovery costs ripple through these networks.
![Security Success is Found When Continuously Measuring the Right Things, Across Your Ecosystem](/sites/default/files/styles/4_3_small/public/migration/images/Monitoring-icon_1.png.webp?itok=pzmgfFKP)
Security monitoring and measuring needs to be expanded to trusted third parties; here’s why.
![Target & Neiman Marcus Are Not Alone: Malware in the Retail Sector](/sites/default/files/styles/4_3_small/public/migration/images/BitSight_retail_threats_1.png.webp?itok=8vA4Jt1m)
The past few weeks have been full of news regarding cyber attacks in the retail sector. First Target, and then Neiman Marcus. Now news outlets are reporting that three other well-known retailers may announce breaches that occurred in the past year.
![Security Ratings Uncover Decline in Security Posture of US Retailers](/sites/default/files/styles/4_3_small/public/migration/images/BitSight_SecurityRatings-_Retail_Sector_%25281%2529_1.png.webp?itok=JMIfNhIt)
In light of the recent news of retailers being attacked late last year, we at Bitsight looked into our security ratings (an external measure of a company’s security posture) to gain some insight into these attacks.
![Risk Universe Explores Vendor Risk Management with Mike Duffy](/sites/default/files/styles/4_3_small/public/migration/images/riskuniverse-logo_1.jpg.webp?itok=iv6h0D0l)
With increased emphasis on third party risk management coming down from regulators and executive boards alike, cyber risk in the extended enterprise is shaping up to be a hot topic in 2014.
![Third-Party Risk Management Insights: 2015 Gartner Security & Risk Summit](/sites/default/files/styles/4_3_small/public/migration/images/cta-banner-bg_34.png.webp?itok=ArzrhB3E)
On December 20, 2013, soon after news of Target’s data breach broke, Venky Ganesan (Managing Director at Menlo Ventures and Bitsight Board Member) talked about Bitsight on CNBC. When asked about cutting edge technology in the cyber risk management space, Venky responded, “I think the most important thing we find right now is that security has become a board room issue. Everybody in the board room wants to know how secure are we, how can we measure security, and how can we manage it. We have an investment in a company called Bitsight that lets us get a rating on how secure your infrastructure is.”
![OCC Guidance: Ongoing Monitoring & Third-Party Risk Management](/sites/default/files/styles/4_3_small/public/migration/images/bigstock-Washington-Dc-Usa--July----195982744_1.jpg.webp?itok=PSXbdkU7)
In October, the Office of the Comptroller of the Currency (OCC) issued new guidance for banks regarding third-party risk management, listing one of their reasons for issuing these guidelines as failure by the banks "to perform adequate due diligence and ongoing monitoring of third-party relationships." Current means of assessing third-party security risk include annual audits and questionnaires, tools that are useful but which fail to provide the continuous, evidence-based assessments banks need to truly understand their vendor risk, especially when it comes to security risk management.
![The Third Party Risk Perspective: JPMorgan Chase UCARD Data Breach](/sites/default/files/styles/4_3_small/public/migration/images/jp_morgan_chase_logo_icon_articles_1.gif.webp?itok=8BifaUZ8)
Earlier this month, tech security blogs and mainstream news outlets reported on a large data breach that affected banking giant JPMorgan Chase. During the event, which lasted from mid-July to mid-September, the personal information of customers who accessed online accounts of the bank’s UCARD product may have been exposed. While there seems to be no official word on the cause of the breach, the prevailing consensus from news sources is that unencrypted customer data was visible in plain text from logs that track user actions on the website. While the bank insists there is no evidence of illicit use of the compromised information, it is offering affected customers temporary credit monitoring.
![UPDATED: So many vendors ... but who's to blame for the breach?](/sites/default/files/styles/4_3_small/public/migration/images/cyber-security-fingerprint-_1.png.webp?itok=zhdhT2G6)
The local news is abuzz with a story of Boston convention attendees being victims of a credit card data breach. The impact is small - only about 300 people have been affected - but there seems to be a lot of finger pointing and shuffling around while the conference organizers and convention center try to figure out which vendor is to blame.
![Shaun McConnon on Compliance & Security Risk](/sites/default/files/styles/4_3_small/public/migration/images/risk-mgmt-monitor_1.png.webp?itok=rVQIp5Qv)
On November 20th, Bitsight CEO Shaun McConnon was published by the Risk Management Monitor. His article, "Looking Beyond Compliance When Assessing Security" explores how risk managers can take a more comprehensive approach to mitigating security risk by augmenting traditional audits, questionnaires, tests and assessments with a continuous evaluation of security effectiveness.
![Cyber Risk Emerges as an Independent Category of Enterprise Risk Reporting](/sites/default/files/styles/4_3_small/public/migration/images/Mike-Duffy_1.jpg.webp?itok=JeCQGgjq)
This post is contributed by guest blogger Michael Duffy, a member of Bitsight's Board of Directors.