Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

June 2022

The Key to Risk Intelligence: Visibility

Not all cybersecurity vulnerabilities are created equal. Some vulnerabilities have the potential to bring the entire organization to a halt, such as in the case of ransomware. Meanwhile, other vulnerabilities may only create limited opportunities for exploitation, putting them lower on the list of things to patch.

How To Identify, Mitigate, And Prevent Supply Chain Risks

As cyber attacks and security breaches have increased in recent years, managing digital supply chain risks is becoming more difficult. Cybercriminals exploit vulnerabilities in the ecosystem of less secure suppliers and third-party vendors to gain access to larger institutions. These institutions need to look beyond their own cybersecurity maturity to be successful; cyber risks need to be identified across the ecosystem.

What is the ICT Supply Chain? Things Your Business Needs to Know

Cyber attacks and data breaches are top of mind for businesses around the world as attacks on vulnerable networks persist. It is more important than ever to ensure cyber security and resilience programs are in place for your business and third-party suppliers. The information and communications technology (ICT) supply chain is a globally-interconnected ecosystem that involves CT software, hardware, and services including suppliers, vendors, and contractors.

Modernizing Cybersecurity Through New Standards for Risk Intelligence

Leaders from the SEC, Cyber Threat Alliance, and National Association of Corporate Directors recently joined with SecurityScorecard to share their insights on the state of cybersecurity risk management today. Earlier this month, the New York Department of Financial Services (NY DFS) announced efforts to modernize their supervision process, with the creation of the Cybersecurity and Information Technology Baseline Risk Questionnaire (CIBRQ).

Do you know how to identify your third-parties', third-parties?

It might sound confusing at first, but knowing who your third parties also rely on for their day-to-day business operations is key to building out a smarter and more informed vendor risk management program. Commonly known as fourth-party concentration risk, the ability to determine the fourth-party vendors in your digital supply chain that serve a majority of your third-party vendors can help organizations avoid potentially catastrophic supply chain risk from such a dependency.

How to Make Vendors Respond to Risk Assessments (Faster)

One of the most frustrating challenges of vendor risk management is chasing outstanding security questionnaires. But with some clever operational strategies, you’ll never need to worry about delayed risk assessments impacting your SLAs again. To learn how to encourage your vendors to complete their risk assessments faster, read on.

Compliance Guide: Third-Party Risk Management and the GDPR

The General Data Protection Regulation (GDPR) is one of the world’s most popular regulations. Though the European Union designed the GDPR to protect European citizens, its compliance transcends European borders, impacting most businesses collecting personal data via their websites - because you can’t control whether a European citizen accesses your website. Third-party vendors often require access to sensitive personal data to deliver their services.

What is the NIST Framework? An Introduction and a Look at Its Five Core Functions

The National Institute of Standards and Technology is an agency within the U.S. Department of Justice. It was founded in 1901 to support science and technological development. For decades, it has provided guidance on computer security. In 2014, in cooperation with public and private sector experts, the NIST released its cybersecurity framework. The framework combines best practices and industry standards to help organizations deal with cybersecurity risks.

What is the Difference Between Cyber Resilience and Cybersecurity?

Cyber attacks and data breaches are top of mind for businesses around the world as attacks on vulnerable networks persist. It is now more important than ever to ensure cybersecurity and resilience. But how do these two practices differ? This blog highlights the differences between cybersecurity and cyber resilience and how to secure your business for optimal cyber protection.

How Risk Intelligence Impacts Cyber Readiness

While your security staff tends to work the same business hours as everyone else, it often feels like threat actors never take a day off. Because an attack can and will come from any direction at any time, an organization’s cyber readiness is paramount. Your cyber readiness is the level at which you’re able to identify and respond to an attack.

Why We Collect Data From 12 Countries

At SecurityScorecard, we're collecting data from 12 different countries. Here's why: Some countries, industries, and organizations are beginning to deploy deception technologies to misrepresent their security hygiene. If you're trying to gather information on the Chinese infrastructure from outside, e.g., your data set will appear sparse because China blocks the view. But if you collect information from outside and inside of China and triangulate the different discrepancies, you get a more accurate representation.

6 Incident Response Best Practices You Should Follow

When it comes to cybersecurity, organizations need to be well-prepared for what comes next. Not only are cybercriminals leveraging ever more advanced technology, but the cost of a breach — in terms of cost, reputation, and damage — is on the rise. Mitigating risk requires having a robust incident response plan in place and dedicated team members on standby. Let’s take a closer look.

Incident Response vs. Disaster Recovery: Key Differences

As cybercrimes and security breaches become more sophisticated, data protection strategies have become more important to business survival. A critical element in an organization’s ability to effectively handle these incidents is to reduce downtime and minimize damage. This is where an effective incident response and disaster recovery plan comes into play.

What is Cloud Security Posture Management (CSPM)?

Businesses are moving their data to the cloud to reduce costs and increase their agility. As more applications and data migrate to the cloud, the risk of sensitive data and applications being exposed dramatically increases. In addition, as organizations deploy applications and services in different cloud environments, maintaining security and compliance across the board is becoming more complex than ever before.

What is Vendor Tiering? Tips to Improve Your Vendor Risk Management

Over the last few years, supply chain attacks have increased in number and sophistication. As companies accelerate their digital transformation strategies, managing third and fourth-party risk and a complete look into their security posture becomes more important to securing data and meeting mission-critical compliance requirements. According to one survey, 60% of security leaders plan to deploy supply chain security measures in 2022.

Why We Collect ~70B Security Issues/Week

At SecurityScorecard, we're collecting close to 70 billion security issues per week. Here's how: Worldwide data collection Our goal is to non-intrusively pick up enough data signals from every company worldwide to form an opinion on their cyber hygiene and vulnerability. Malware Sinkholing Working with law enforcement, our R&D team is Our security analysts are looking at the underground criminal communication for poor patching cadence and hygiene indicators.

How to Implement a TPRM into your Existing Security Framework

Can TPRM programs integrate with my existing cybersecurity framework? These are just some of the questions troubling stakeholders at the precipice of a TPRM program implementation. While left answered, these questions cause delays in the onboarding of an initiative that could prevent a catastrophic third-party breach. Whether you’re considering implementing a TPRM program, or not sure how to even begin the implementation process, this article will be your guiding light.

Compliance Guide: 23 NY CRR and Third-Party Risk Management

The NY CRR 500 legislation was instituted by the New York Department of Financial Services (NYDFS) in 2017 in response to the rising trend of cyberattacks in the finance industry. Sometimes regarded as the GDPR for financial services, the NY CRR 500 has a very high standard for sensitive data protection, requiring protection strategies for ensuring the confidentiality, integrity, and security of information systems and nonpublic information (including customer data).

How We Help You Monitor Suppliers' Risk

We did an ROI analysis of SecurityScorecard. Here's what we found out: Companies achieve a close to 200% ROI over 3 years. Here's how: Continuously monitoring cyber threats is difficult to handle for small cyber teams, forcing them to hire more people. In the current economic climate, those personnel costs make up the bulk of company expenses. SecurityScorecard allows you to streamline your third-party risk management program and run your TPM program with a smaller, more efficient team.

The Value of Communicating Risk Meaningfully Across the Business

While cybersecurity might be under the umbrella of IT, make no mistake: a breach will impact the entire business, making it the entire organization’s responsibility to be able to understand and take action on risk. This means that your organization needs to have a holistic view of risk that can enable the risk intelligence required to not only have technical discussions, but business conversations about cyber risk.

The Most Commonly Mixed-Up Security Terms: Learn the Differences Between Asset, Threat, Vulnerability, and Risk

The cybersecurity landscape is complex enough without the lack of a common vocabulary. But, often, organizations use common security terms incorrectly or interchangeably. This leads to confusion, which leads to frustration, which can lead to something much, much worse. Something like a breach. Let’s take a moment, then, to review the four most commonly mixed-up and misused security terms in the cybersecurity world.

MDR for Vessels

Obrela Security Industries’ MDR for Vessels is a specialised cybersecurity tool for the maritime sector built specifically for seafaring information technology (IT) and operational technology (OT). With a centralised and self-contained passive network monitoring solution based on a virtual appliance, supporting log collection from vessel infrastructure, MDR for Vessels builds on Obrela’s tried and tested Enterprise-class MDR solution with dedicated processes for maritime and shipping environments systems both on land and sea.

What is Operational Security & Why is it Important?

Protecting your organization against security incidents is easy enough in theory, but many businesses struggle to find the right approach when it comes to their cybersecurity. As the digital transformation takes hold of the modern business environment, implementing safeguards to your organization’s critical information is only going to become more critical for survival-and if you aren’t doing so already, it’s time for your organization to take proactive protective measures.

7 Best Practices for Data Loss Prevention

Most organizations have at least one thing in common: every year, they’re generating and consuming more and more data. Dealing with all this data can be overwhelming, and especially so for those organizations that haven’t fully embraced the digital transformation and the cultural shifts that come along with it. As your data grows, so too does the risk that your data will be exposed to unauthorized parties in a security incident called a data breach or a data leak.

Optimism, Underestimation and Invincibility: Bridging the Gap Between Reality and Perception in Cyber Security

Earlier this month, the United Nations (U.N.) released its latest Global Assessment Report on Disaster Risk Reduction (GAR2022). For those of us who assess risk for a living, it is a sobering read.

Top Risk Analysis Tools

For many years and across industries, enterprise risk management (ERM) has always been an important part of any successful business operation. Organizations of all types and sizes face a number of external and internal factors that make it uncertain whether they will achieve their goals; ERM can bring that uncertainty to lower levels. Understanding the risks to your organization can help you make better decisions about how to reduce those risks; that’s where risk management comes in.

Penetration Tests of Newly Released Web Applications

Running penetration tests of a mature web application is always a great challenge. Systems are usually well hardened, and scanners fall short of flagging anything interesting, requiring an experienced security engineer to identify vulnerabilities using advanced exploitation methods. On the other side, some applications are going for their first release ever or release after a major code change.

Mitigating Cyber Threats With Continuous Monitoring

The supply chain for organizations has become increasingly susceptible to unplanned cybersecurity interruptions that negatively impact revenue, inventory, and consumer confidence. As a result, there has been an increasing focus on understanding how critical services are delivered, the reliance on third parties and fourth parties, and key risk controls that can be implemented to mitigate the risk of cyber security incidents.

Signs Your Cyber Loss Control Isn't Working

Most cyber insurance policies include a form of value-added service meant to help policyholders avoid cyber incidents. These services create differentiation in the market for insurers and help the bottom line. In fact, a recent survey of cyber insurers found that risk engineering services are a bigger driver of profitability than underwriting accuracy. Yet, we know that the dynamic nature of cyber risk has insurers struggling to keep up and new approaches to evaluating that risk are needed.

Themes, Insights, And Leadership Perspectives From The RSA Conference

SecurityScorecard joined U.S. cybersecurity leaders and the cybersecurity community at the 2022 RSA Conference in San Francisco, California from June 5-9. The RSA Conference is one of the world’s leading cybersecurity events, and SecurityScorecard was proud to join our community in-person at San Francisco’s Moscone Center.

Is Cyber Insurance Enough to Protect You?

Your cyber insurance won't protect you from ransomware. Here's why: It doesn't make your company resilient in and of itself. Think of it like regular house insurance: Just because you have insurance, it doesn't mean you shouldn't get a smoke alarm in your house and get contractors to check for gas leaks. Here are 2 recommendations to be prepared for a ransomware attack.

Operational Risk Management: More Than Just Cybersecurity

In an ideal world, every organization would operate at peak capacity, have perfectly efficient operations, and never experience system failures, cyberattacks, or fraud. In the real world, however, it’s impossible to avoid such adverse events completely. Every organization faces problems due to weak business processes, system downtime, human error, and cybersecurity attacks. Businesses can, however, manage and mitigate the risks that lead to such events, to keep your business functional and viable.

Top 5 Risks Affecting the Healthcare Industry

Cybersecurity is a constant, serious threat to the healthcare industry. Unfortunately, however, the risks to cybersecurity and data security in healthcare are only one part of the larger risk management puzzle for healthcare organizations. Infections, alarm fatigue, telemedicine, and a lack of emergency preparedness also pose severe threats in healthcare. To minimize exposure, healthcare organizations require a comprehensive risk management program.

Reciprocity Wins Coveted Global InfoSec Awards during RSA Conference 2022

Last year was a record year for cybersecurity attacks, with the number of encrypted threats spiking by 167% (10.4 million attacks), ransomware attacks rising by 105% (623.3 million attacks), and intrusion attempts increasing by 11% (5.3 trillion).** Risk management is a fundamental principle of cybersecurity, which is why we are so excited to share that Reciprocity has won two Cyber Defense Global InfoSec Awards from Cyber Defense Magazine (CDM): the Hot Company – Risk Management award and the Cutti

MDR for Vessel Platform

Obrela Security Industries’ MDR for Vessels is a specialised cybersecurity tool for the maritime sector built specifically for seafaring information technology (IT) and operational technology (OT). With a centralised and self-contained passive network monitoring solution based on a virtual appliance, supporting log collection from vessel infrastructure, MDR for Vessels builds on Obrela’s tried and tested Enterprise-class MDR solution with dedicated processes for maritime and shipping environments systems both on land and sea.

The 1st 48 hours (after a cyber incident)

From small school districts and not-for-profit organizations with limited cyber defense budgets to major Fortune 500 companies with sophisticated cyber defense teams, understanding what to do in the first 48 hours following a significant cyber event is essential in protecting your organization and limiting the potential damage.

How Tagging Helps You Identify Risk Faster

One of the most critical factors to effective cybersecurity is time. The longer a vulnerability remains unaddressed, the more opportunity you give hackers to get into your system and wreak havoc. Think about it like this: imagine that you leave your laptop bag sitting on the passenger seat of your car. If you run into the store to get milk but forget to lock the door, the odds are that the laptop bag will still be there when you get back.

Spotlight on Technology - Governance, Risk & Compliance

Today we are talking all things GRC with Megan Brown at LogicGate, including why it's essential to have a robust GRC tool in a modern security stack. GRC is extremely useful for compliance framework management and maintaining compliance - it can be used effectively to supply a historical database of known risks, issues and security measures that can be used to continuously improve security intelligence. Join Megan and Razorthorn MD James Rees to find out how a good GRC tool can save you both time and money, while efficiently improving your security and compliance.

HITRUST: the Path to Cyber Resilience

There has been a lot of talk recently about cyber resilience. There is no doubt that the ability to bounce back from a security event is important, however, all of the resiliency banter seems to be happening at the peril of sound risk management processes. It is safe to say that the path to resilience is paved with risk management.