Are Third Parties to Blame for Poor Security Performance in the Retail Industry?

Posted by Nick Gagalis

Nov 18, 2014 6:07:00 AM

Today, we released a new study on retail industry security performance — just in time for the holiday shopping season! Considering all of the retail breaches that occurred over the last 12 months, we wanted to find out if retailers had taken measures to make their data more secure.


Topics: Retail, Security Ratings, Third Party Data Breach, Security Performance

Advanced threats, increased regulations and board involvement: How credit unions can prepare for cyber risks

Posted by Zackary Loughlin

Nov 11, 2014 11:23:00 AM

Credit unions are facing increasing numbers of cyber attacks, according to a survey for NAFCU’s October Economic & CU Monitor. This survey found that nearly 84% of respondents were operationally impacted by a local data breach within the last two years. While these effects may not garner the same headlines as large breaches affecting corporations such as Target and Home Depot, they have the opportunity to be just as damaging for smaller financial institutions like credit unions. In addition, credit unions have the same sensitive information as other financial institutions, including credit and personal information. Credit unions are also facing daunting regulatory requirements, which at larger banks are often handled by entire risk and compliance teams. This increased threat landscape and these regulatory pressures have, as we have noted before, elevated cyber risk issues to the board level.


Topics: Benchmarking

The Data Breach is Over... let the Phishing Begin!

Posted by Melissa Stevens

Nov 10, 2014 11:12:00 AM

Last week it was revealed that more than 53 million email addresses were stolen as part of the Home Depot breach discovered last September. Combined with the 76 million email addresses stolen in the JPMC data breach in June, we're talking about more than 125 million email addresses available for cyber criminals to use in highly targeted email phishing scams.

But are breach-wary consumers and businesses still paying attention to this news? Are they aware of the risks they still face even as the breach itself has been contained? 


Topics: News, Retail, Third Party Data Breach

What You Can Learn from the JPMorgan Breach

Posted by Nick Gagalis

Nov 6, 2014 10:09:00 AM

Ever since the JPMorgan Chase breach was made public, companies have been watching closely to see the aftermath, the bank's course of action, and any best practices that may be developed as a result.

In this post, I've highlighted some of the most notable details of the breach, explaining why they're important and why they matter even outside of the Financial Services industry.


Topics: News, Third Party Data Breach, Benchmarking

How CISOs can Earn a Seat in the Boardroom

Posted by Nick Gagalis

Oct 29, 2014 6:00:00 AM

It’s been a slow but sure evolution for the modern-day CISO. When the position made its debut in the corporate world, the CISO was a firefighter, constantly battling security issues as they arose. CISOs were usually hired only after a security threat affected a given company. They weren’t given access or authority, so it was hard to break out of the firefighter role.

The next step for CISOs was to become more strategic about their actions. (This is where a great opportunity lies for many companies today.) Instead of simply reacting to problems, CISOs at forward-thinking companies started predicting where future problems might arise and crafted their plans accordingly.


Topics: Security in the Board Room

AnubisNetworks Acquisition and the Future of Security Ratings

Posted by Nick Gagalis

Oct 22, 2014 1:39:29 PM


Yesterday, we announced our acquisition of AnubisNetworks, a Security Intelligence company in Portugal. We examine the purchase from both companies' perspectives, get an outside opinion from Network World and explain how the move will help our customers moving forward. 


Topics: News

Poodle and the Third Party Perspective: How Can Businesses Verify Security Diligence In Their Extended Ecosystem?

Posted by Ben Fagan

Oct 17, 2014 10:40:24 AM

Third party breaches have become a common occurrence in the last year. From Target to Home Depot and Goodwill, major organizations have been compromised through vulnerabilities present in their extended network ecosystems. Compounding fears surrounding third party vulnerabilities, the last year has also seen no fewer than three major security flaws affecting basic internet protocols. The first two, Heartbleed and Bash, grabbed media headlines and left businesses scrambling to ensure they weren't left vulnerable. Just this week, another major security flaw dubbed Poodle was uncovered by security researchers. This bug affects SSL v3, a widely used protocol to secure communications over the internet. With growing concern about third party security and the seemingly never-ending revelations of internet bugs, organizations are left wondering how they can better gain visibility into the vulnerability of their third parties when it comes to basic configuration hygiene.


Topics: BitSight, Security Ratings

Shellshock Part II: Are Your Third Parties or Vendors Vulnerable?

Posted by Debbie Umbach

Oct 2, 2014 9:00:00 AM

Last week we wrote about how to assess your risk and reduce your exposure when it comes to Shellshock. While all other products and vendors are helping customers discover Shellshock within their own environment, we uniquely help customers understand whether the vulnerability exists within their supply chain. Supply chain oversight is so fundamental that the Federal Financial Institutions Examination Council has already issued a warning to banks regarding their third party service providers, urging them to assess risk and “execute mitigation activities with appropriate urgency.”

To that end, we have just added functionality to our products that can test for the presence of the Shellshock vulnerability within the primary domain of a portfolio company. Customers will be able to run a test on a vendor and get results back as to whether they have the vulnerability, as shown in the screenshot below. If vulnerable, they can follow up with the vendor to ask them to take action to patch their systems.


Topics: BitSight, Security Ratings

BitSight Announces New Security Ratings For Cyber Insurance Product

Posted by Ira Scharf

Sep 30, 2014 12:15:00 PM

As data breaches continue to pose a major financial and reputational threat to businesses, transferring these risks through cyber insurance has become an increasingly attractive option. Demand is skyrocketing, leaving insurers to figure out how to offer adequate coverage while managing the increased risks associated with cyber liability. A recent Marsh brief notes, “As claims — specifically the cost of notifying affected persons about data breaches and providing credit monitoring and other services — have increased, underwriters have shown a greater interest in the information security practices and procedures of insureds.” Due to a lack of historical actuarial data on data breaches, insurers are vigilant of the security posture of insureds throughout the entire period of coverage. In addition, the rise of third party breaches now has the market looking at options to continuously monitor security posture throughout an insured's vendor networks and supply chain.

Responding to the risk management needs of the cyber insurance industry, BitSight announces our specially tailored cyber insurance solution: Security Ratings for Cyber Insurance. This product allows insurers to proactively gain a historical view of the security posture of prospective and current insureds. Daily Security Ratings give insurers a proactive view of all insureds and applicants, with specific details on a wealth of security event and diligence risk vectors. Insurers can add policy notes and track the overall portfolio risk in comparison to premium values, as well as factor in third party risks by monitoring vendors and suppliers.



Topics: Cyber Insurance

Avoiding Shellshock: Assess Your Security Risk & Reduce Your Exposure

Posted by Melissa Stevens

Sep 25, 2014 3:54:00 PM

The security community is abuzz with the news of the latest vulnerability to sweep the internet. Early yesterday morning, details about the Bash security bug, also called Shellshock, started to emerge, putting companies on high alert about the threat experts are calling “Bigger than Heartbleed.”

To help provide some context about this story, I sat down with BitSight Operations Engineer, Isaac Boehman, and Director of Operations, Kevin Amorin, to talk about Shellshock.


Topics: News