The purpose of vendor risk management is to strike a delicate balance between facilitating the needs of the business by integrating new vendors and ensuring that those same business partners don’t exceed the organization’s risk appetite. Maintaining a healthy balance between those two interests requires leaders to always consider broader business goals when executing VRM strategies.
Ransomware has traditionally revolved around the encryption of victims’ files. But even if encryption remains ransomware groups’ most common approach, it isn’t really their priority–extortion is. Financially-motivated cybercriminals care more about extracting payment from their victims than they do about the particular methods used to achieve that goal.
Cloud applications have opened up limitless opportunities for most organizations. They make it easier for people to collaborate and stay productive, and require a lot less maintenance to deploy, which means they’re much more affordable and easy to scale to your needs. But for all of their benefits, cloud apps also open up your organization to a host of new risks. By enabling users anywhere access to corporate resources you lose the visibility and control that perimeter-based tools provide.
Higher education institutions, like colleges and universities, often work with dozens of third-party vendors, which can introduce considerable security risks if the school doesn't maintain a proper vendor risk management (VRM) program. Compromised third parties can pose serious risks to universities, which can expose sensitive data, disrupt business continuity, or incur serious financial damages.
Cyber vendor risk management (Cyber VRM) is the practice of identifying, assessing, and remediating cybersecurity risks specifically related to third-party vendors. By leveraging data from data leak detection, security ratings, and security questionnaires, organizations can better understand their third-party vendor’s security posture using Cyber VRM solutions.
The spotlight on cyber risk quantification (CRQ) has raised its status to the top of the hypercycle, but with fame comes scrutiny and criticism. Security analysts and practitioners debate the validity of each model framework, along with the data used when modeling cyber risk. Despite this debate, there is a unifying consensus that knowing the possible range of the financial impact of a cyber event is far more optimal than flying blind.
Cybersecurity is a team sport, and SecurityScorecard is proud to partner with the Joint Cyber Defense Collaborative (JCDC) to share cyber threat information in defense of public and private critical infrastructure.
During the Vendor Risk Management process, information is in constant flux. From risk assessments to risk remediation processes, communication involving sensitive security control data continuously flows between an organization and its monitored vendors. If intercepted, this information stream could be used as open source intelligence for a third-party data breach campaign, nullifying the very efforts a VRM program is trying to mitigate.
The vulnerabilities perforating the global supply chain have remained dormant for many years. But the violent disruptions of the pandemic finally pushed these risks to the surface, revealing the detrimental impacts of their exploitation to the world.
Cyber VRM is the practice of identifying, assessing, and remediating the cybersecurity risks of third-party vendors. This involves combining objective, quantifiable data sources like security ratings and data leak detection with subjective qualitative data sources like security questionnaires and other security evidence to get a complete view of your third-party vendors’ security posture. A Cyber VRM solution facilitates this practice.
The technology industry is at the forefront of digital transformation, enabling all other industries to achieve greater operational capabilities and connectivity through innovative solutions. Tech companies, such as SaaS vendors, provide crucial software infrastructure to hundreds or even thousands of other organizations. These vendors access, store and transmit large volumes of sensitive information, including valuable healthcare and finance data.
According to the latest IBM Cost of a Data Breach Report, the average breach costs $4.35M per incident, climbing by 12.7% from 3.86 million USD in IBM’s 2020 report. This does not account for lost business opportunities and lingering reputational damage. A cybersecurity tabletop exercise could substantially reduce this amount simply by having a well-thought-out incident response plan and effectively exercising business continuity plans.
The August 4th compromise of Twilio via a targeted smishing attack has been a topic of wide concern and discussion on social media. My first thoughts on hearing of the attack were to virtually “pat myself down” with regard to exposure risk. Kind of like that feeling when you’re not sure if your car keys or wallet are in your pocket a few blocks after walking away from your parking space. Is my company affected by the breach? Did we receive a notification email from them?
The BlackCat/ALPHV ransomware is a complex threat written in Rust that appeared in November 2021. In this post, we describe a real engagement that we recently handled by giving details about the tools, techniques, and procedures (TTPs) used by this threat actor. Firstly, the attacker targeted an unpatched Microsoft Exchange server and successfully dropped webshells on the machine.
Not all of the recognizable risks in your software supply chain can be identified by their known vulnerabilities recorded as CVEs. A component that is outdated or inactive may present risks to your application that no one has had cause to investigate. Yet these components could still harbor threats.
