Read news articles covering Bitsight, the leader in security ratings. We're proud to be featured in these leading business & technology publications, journals, blogs, and broadcasts.
In The News
Two months after Microsoft discovered and patched the BlueKeep vulnerability, more than 0.8 million systems online remain vulnerable, according to an assessment done by Bitsight, a Security Ratings company. That’s down just 17 percent since the company’s first assessment of exposure to the BlueKeep vulnerability a month ago.
"There have been very few of these situations over the years where a vulnerability has lined itself to be so wormable," Bitsight director of security Dan Dahlberg says. "It’s still just a function of time until someone with more nefarious end goals might develop something."
Bitsight attributed the huge discrepancy to the fact that "telecommunications companies usually host end-customer systems that they cannot upgrade themselves, which may explain the higher ratio for this industry sector".
That leaves a broad potential attack surface for someone who exploits the vulnerability. BlueKeep is “wormable,” meaning the malware could infect systems as it finds its own ways to move from network to network.
The good news is that, since the end of May, the number of systems that are vulnerable to BlueKeep is down 17 percent, according to Bitsight. Additionally, at least 854 systems vulnerable to BlueKeep are being patched per day.
“We are really trying to encourage organizations to take action and to address their externally exposed systems,” Dan Dahlberg, Bitsight’s director of security research, told CyberScoop.
The phishing campaign used a fake gov.uk address to attempt to send 200,000 people emails that appeared to be from an unnamed UK airport. These were designed to scam recipients into paying a fee under the illusion that they would receive an increased refund.
Cybersecurity incidents have cost UK mid-market firms a combined £30bn over the past year as automated attacks become the norm, according to Grant Thornton.
The accounting and consulting giant interviewed 500 UK business leaders from firms with revenue of between £15m and £1bn to compile its latest study, Cyber security: the board report. It revealed that more than half of those polled had reported losses of between 3% and 10% of revenue following a cybersecurity breach. For those hit hardest, losses were up to 25% of revenue.
An organization without a cyber security strategy is an organization with the door open for trouble to walk right in unchallenged.
If you're in any doubt, take a look at the Government's latest Cyber Security Breaches Survey, which found 32% of businesses had suffered a breach or attack in the previous 12 months. While this is less than 2018 (43%) and 2017 (46%), the financial impact of these events has been steadily increasing. In 2017, the average cost to an affected business was £2,450, whereas in 2019 that's risen to £4,180.
At the same time, boards remain ignorant of the dangers posed by hackers and confident in their ability to keep their organisations safe. Almost two thirds have no board member tasked specifically with tackling cybersecurity threats, and the same percentage does not review cyber risks and their management, at least not formally.
Risk management vendor Bitsight Technologies published a report that showed approximately 805,665 systems online -- as of July 2 -- that remain vulnerable to BlueKeep. That figure represents a decrease of about 17% from Bitsight's previous findings from May 31.
The unprecedented penalties imposed on Facebook, Marriott and British Airways should serve as a warning for company leaders, according to Tom Turner, CEO of cyber security ratings firm Bitsight.
“CEOs around the globe are on notice that they are accountable for cyber security performance management just the same way they are accountable for managing the business,” he said.
So will the C-Suite and the main board actually take notice? Jake Olcott, VP Government Affairs at Bitsight, says they must: “These fines make it clear — executives and boards are responsible and accountable for cybersecurity. It has never been more important for them to understand and manage their organisation’s security performance just like they would manage any other critical business issue. When it comes to cybersecurity, ongoing briefings, regular reporting, and performance metrics are no longer nice to have — they are required.”
Following an extensive investigation, the Information Commissioner’s Office (ICO) has issued a notice of its intention to fine Marriott International the sum of £99,200,396 for infringements of the General Data Protection Regulation (GDPR). The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018.
Jake Olcott, vice president of cybersecurity ratings group Bitsight, told The Hill in a statement that "these fines make it clear -- executives and boards are responsible and accountable for cybersecurity.”
Jake Olcott, VP of Government Affairs at Bitsight, concurs saying: "These fines make it clear - executives and boards are responsible and accountable for cyber-security. It has never been more important for them to understand and manage their organization's security performance just like they would manage any other critical business issue. When it comes to cyber-security, ongoing briefings, regular reporting, and performance metrics are no longer nice to have -- they are required."