Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

August 2023

Choosing Security Questionnaire Automation Software (in 2023)

Your security questionnaire workflow is the litmus test for the efficiency of your overall Vendor Risk Management program. If this pipeline gets congested, all of the VRM processes, depending on it, get disrupted, which impacts your security posture and heightens your risk of suffering a third-party data breach.

Your HTTPS Redirection Risk Exposure

The Hypertext Transfer Protocol (HTTP) and the Hypertext Transfer Protocol Secure (HTTPS) are data communication protocols for the internet. HTTPS uses encryption algorithms for secure data transfer. Without encrypted communications, information transfer is not protected and sensitive data becomes vulnerable to attackers. This article includes a brief overview of HTTPS, as well as actions you can take to ensure that you have set up HTTPS redirection for your website.

The Role of Software in Vendor Risk Management Products

In recent years, vendor risk management (VRM) has become a complicated practice as businesses aim to scale and manage potentially hundreds or thousands of vendors. With more vendors, cybersecurity risk is introduced, necessitating software and other digital solutions to adequately manage these vendors. The role of software in vendor risk management products is more important than ever now and moving forward.

Top 5 Challenges and Solutions in Managing Third-Party Risks

Whenever an organization outsources part of its business process to an outside party, it introduces various risks to the primary organization. Third-party risk management refers to how organizations address and mitigate security risks across their entire library of vendors and suppliers. Unfortunately, third-party risk exposure can be difficult to manage and comes with many challenges organizations must address for an effective third-party risk management program.

Choosing a NIST CSF Compliance Product in 2023 (Key Features)

Whether you’re a large or small business, the cybersecurity framework by the National Institute of Standards and Technology (a federal agency of the U.S. Department of Commerce) offers an efficient roadmap to an improved cybersecurity posture. Compared to other popular cyber frameworks, like ISO 27001, NIST CSF is more effective at mitigating data breaches, especially during the initial stages of implementing a cyber risk management program.

How to Respond to CVE-2023-24489 Impacting Citrix ShareFile

CISA added CVE-2023-24489 to the Known Exploited Vulnerabilities Catalog in August 2023. CVE-2023-24489 is an access control vulnerability impacting the use of Citrix ShareFile StorageZones Controller version 5.11.24 and below. Citrix ShareFile is a real-time collaboration platform. While ShareFile primarily offers a cloud-based file-sharing application, there are some features that accommodate data storage through the use of a storage zone controller.

How to Identify and Strengthen Weak SSL

Your website or application must be set up within communications networks in order to be accessible to users. Each connection point to an external environment is a possible attack vector that makes up your attack surface. In order to encrypt traffic between your site and your users, you can set your system up with an SSL certificate that uses SSL/TLS protocols to secure traffic.

Why is the Finance Sector a Target for Cyber Attacks?

According to the Bank for International Settlements, the financial sector is most targeted by hackers, after the healthcare sector. Finance businesses handle and manage large amounts of financial data, making them prime targets for cybercriminals. According to the Financial Stability Board, a serious cyber incident could destabilize financial systems, impacting critical infrastructure and the economy.

Cybersecurity and Social Responsibility: Ethical Considerations

Cybersecurity is necessary to protect data from criminals. However, the world of cybersecurity is not so simple. Therefore, a discussion of cybersecurity ethics needs to examine the morality of businesses collecting, processing, using, and storing data. How cybersecurity professionals affect security measures is also worth exploring. Businesses and individuals should ask themselves whether the ends justify the means and to what extent they are willing to sacrifice data privacy for data protection.

8 Key Elements of a Third-Party Risk Management Policy

Any organization that relies on third-party vendors for critical business functions should develop and maintain an effective third-party risk management (TPRM) policy. A TPRM policy is the first document an organization should create when establishing its TPRM program. TPRM policies allow organizations to document internal roles and responsibilities, develop regulatory practices, and appropriately communicate guidelines to navigate third-party risks throughout the vendor lifecycle.

Choosing an External Attack Surface Management Tool (in 2023)

The external attack surface is the sum of all potential attack vectors originating outside your internal network, that is, your third-party attack surface. With reliance on third-party vendor relationships increasing, External Attack Surface Management (EASM) plays a more prominent role in data breach prevention programs.

Key Steps to Developing an Effective Third-Party Risk Management Program

A Third-Party Risk Management Program (TPRM) is a systematic approach to mitigating risks associated with third parties, such as vendors, suppliers, and contractors. It includes an assessment process that identifies, evaluates, and remediates any risks affecting your organization. Implementing effective third-party risk management (TPRM) measures can safeguard organizations against potential threats and promote seamless and confident collaborations with external partners.

What is the Computer Fraud and Abuse Act (CFAA)?

The U.S. Federal Government passed the Computer Fraud and Abuse Act (18 U.S.C.§1030) (CFAA) in 1986 as an amendment to the Comprehensive Crime Control Act of 1984, which included the first federal computer crime statute. Since enacting the CFAA, congress and the federal government have amended the act multiple times to extend its reach and impose criminal and civil liability on additional malicious computer activities.

Choosing Automated Risk Remediation Software (in 2023)

When it comes to improving your cybersecurity posture, few strategies have as much of an impact as your cyber risk remediation program. Efficient risk remediation ensures security risks and vulnerabilities are shut down faster, reducing the potential risks of data breaches and their financial impacts. The cornerstone of an efficient remediation program is cyber risk remediation software that automates manual processes to improve the efficacy of risk mitigation efforts.

Understanding the Fair Credit Reporting Act (FCRA)

The Fair Credit Reporting Act (FCRA) is a U.S. federal law regulating consumer credit information collection, dissemination, and use by consumer reporting agencies. Understanding the FCRA is vital for organizations directly utilizing consumer credit information and individuals who want to exercise their rights over their personal credit information. Monitor your organization’s attack surface and stay FCRA compliant with UpGuard BreachSight >

How to Respond to Ivanti EPMM/MobileIron Vulnerabilities (CVE-2023-35078)

There are three vulnerabilities impacting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core: CVE-2023-35078 and CVE-2023-35082, which both enable authenticated bypass for unauthorized access; and CVE-2023-35081, which allows directory traversal with privilege escalation and arbitrary file write. These Ivanti EPMM vulnerabilities have been observed in active cyber attacks on systems using the affected versions.

Why is the Tech Sector a Target for Cyber Attacks?

While the tech sector is a pillar of efficiency and creativity, tech businesses are often vulnerable because of the type and amount of critically important data they handle. Tech companies are often at risk of cyber attacks from individual hackers, cyber spies, and nation-state-sponsored hacking groups. In this post, we’ll look at common traits of tech businesses that can expose them to cyber risks and make them a popular target for cybercriminals.

Why is the Education Sector a Target for Cyber Attacks?

‍Educational institutions are among the top targets for hackers and cybercriminals. Education is among the sectors that experience the most cyber attacks, including healthcare, finance, and retail. According to Check Point’s Mid-Year Report for 2022, the education sector had 44% more cyber attacks than the year earlier. An average of about 2300 attacks against educational organizations were reported weekly.

Cybersecurity in the Entertainment Industry: Risks and Solutions

Book publishers, movie distributors, TV producers, game developers, and newspaper publishers are just a few of the many businesses in the media and entertainment industry increasing their use of online services. Streaming services and the production of digital assets are the norm for media companies around the globe.

Cybersecurity in the Hospitality Industry: Challenges and Solutions

Hospitality is a broad field encompassing service organizations that provide lodging, food and beverages, travel and tourism, and entertainment and recreation. Since the COVID-19 pandemic hit the hospitality industry hard, it’s made significant steps toward recovery. Hospitality businesses must remain vigilant to continue this recovery amid an evolving cyber threat landscape.

The NIS Directive: Enhancing Cybersecurity in the Digital Era

In 2016, the European Commission adopted the EU Network and Information Security (NIS) Directive. The directive aims to establish regulations that improve the overall cybersecurity level across Europe and was recently updated in January 2023 to a new directive called NIS2. The NIS Directive is a multifaceted legislation that applies to various industry sectors, providing regulations that help EU member states build strong cybersecurity postures.

7 Third-Party Risk Management Trends to be Aware of in 2024

Whether your organization is prepared or not, the risks associated with third-party partnerships will continue to increase. In 2022, approximately 1,802 data breaches exposed the information of more than 422 million individuals in the United States alone. While those numbers are enough to frighten any organization, many reports expect them to continue to rise throughout 2024.

Choosing Automated Vendor Risk Remediation Software (in 2023)

Vendor Risk Management is critical for reducing the impact of security risks associated with third-party vendors. But often included with this cybersecurity practice is a bloat of administrative processes that disrupt workflows and impact VRM efficacy, defeating the purpose of even having a VRM program. To establish a scalable Vendor Risk Management program, cybersecurity teams should take advantage of every opportunity to replace manual processes with automation technology.

What End-of-life Software Means for Your Business

Technology in the modern era moves fast. Historically, new technologies emerged quickly as well, but novelty in the age of computing occurs in a matter of days, sometimes even minutes. Do you use the same computer or cell phone that you did five years ago? And how often do you run software updates or patches on your devices?

Ensuring Data Protection for Third Parties: Best Practices

When a company contracts or partners with a third party to handle and process its sensitive customer data, it is crucial for those third parties to use effective strategies to safeguard that data. Third parties should treat the data they handle from organizations as their own, complying with regulations and security requirements set by the organization.

What is the Security of Critical Infrastructure Act 2018 (SOCI Act 2018)?

Australia is using the Security of Critical Infrastructure Act 2018 (SOCI Act 2018) as a framework to help the country mitigate and remediate threats to the country’s critical infrastructure. This comes after several high-profile cyber attacks raised Australia’s awareness of the need for cybersecurity and the standardization of cyber security measures for priority organizations.

Do You Need to Hire a Professional to Be PCI-Compliant?

You don’t need a professional to be PCI-compliant, but professional expertise can make navigating the notoriously complex PCI DSS requirements easier. An experienced cybersecurity firm with qualified assessment staff can speed up compliance, enhance a firm’s security posture according to priority actions, and help the firm achieve a high level of security and peace of mind. However, you must use a professional for your business to be PCI-certified.

What is the Massachusetts Data Security Law? Guide + Tips

The Massachusetts Data Security Law (201 CMR 17.00) safeguards the personal information of Massachusetts residents. The law went into effect on March 1, 2010, and at the time, was one of the most comprehensive data privacy laws passed in the United States. Since the law’s passing, a variety of U.S. States have passed more robust data privacy legislation, including the notable California Consumer Privacy Act (CCPA) and Virginia Consumer Data Privacy Act (VCDPA).

The LastPass Data Breach (Event Timeline And Key Lessons)

In August 2022, LastPass suffered a data breach with escalating impact, ultimately resulting in a mass user exodus toward alternative password manager solutions. This post provides an overview of the timeline of events during the LastPass cyber attack and critical lessons to help you avoid suffering a similar fate. Learn how UpGuard streamlines Vendor Risk Management >

What is an ISMS (Information Security Management System)?

An information security management system (ISMS) is a broad term that encompasses an organization’s information security policies, practices, and procedures regarding information security and how these are assessed, optimized, and implemented over time. An ISMS aims to ensure all risks are mitigated and that all risk management processes work effectively.

What is the Washington My Health My Data (MHMD) Act?

Washington’s My Health My Data Act (MHMD Act) regulates businesses and service providers that process or collect consumer health data from state residents. The act’s broad definition of “health data” carries compliance implications for a wide range of entities, including many that fall outside the scope of the Health Insurance Portability and Accountability Act (HIPAA).

Choosing a Financial Services Cyber Risk Remediation Product

In 2022, the finance industry suffered the second-highest number of data breaches. Besides implementing an attack surface management solution, the finance sector must also ensure its remediation product can quickly and efficiently address cybersecurity risks. If you’re in the market for a cyber risk remediation product, this post outlines the key features to look for to maximize the ROI of your new IT security tool. Learn how UpGuard protects financial services from data breaches >

Choosing a Tech Cyber Risk Remediation Product (Key Features)

Cyber risk remediation, the process of actively identifying, remediating, and mitigating cybersecurity risks, is particularly critical for the technology industry. With its characteristic enthusiasm towards adopting the latest trends in innovation, without a cyber threat remediation product, tech companies are unknowingly increasing their risk to a swatch of data breach risks.

Understanding the California IoT Security Law (SB-327)

In September 2019, California signed Senate Bill 327, also known as the California Internet of Things (IoT) Security Law. While not an extensively written piece of legislation like the California Consumer Privacy Act (CCPA), SB-327 took effect on January 1, 2020, and focuses on manufacturers of connected devices—requiring updated security standards that protect both devices and end-users. Learn how UpGuard can help your organization update security standards and monitor risk >

What is the SSL Not Available Risk?

So you've received a critical risk finding for SSL not available, which means your domain does not have an SSL certificate installed on the server. To resolve this finding, you can generate and supply an up-to-date SSL/TLS certificate on your site. SSL, which stands for secure sockets layer, and its successor TLS, or transport layer security, are internet protocols for securing traffic between systems with an encryption algorithm.

What is a Cybersecurity Risk Assessment?

A cybersecurity risk assessment is an examination of an organization or potential vendor’s current technology, security controls, policies, and procedures and which potential threats or attacks could affect the company’s most critical assets and data. Organizations can use cybersecurity risk assessments to understand their ability to protect sensitive data, information, and critical assets from cyber attacks.