Following CEO and Co-Founder Aleksandr Yampolskiy’s attendance at Davos, and SecurityScorecard’s subsequent visit to Geneva to meet with world leaders at WEF Headquarters, Alex spoke this week to another community of WEF members near our headquarters in New York City during the Forum’s New Champions Leadership Dialogue. New Champions companies are mid-sized organizations transforming industries through new business models and market disruptions.

In today’s business landscape, managing risk has become an increasingly critical concern. The “usual” risks (such as data breaches) paired with the completely unforeseen ones (like the collapse of SVB) have made companies more cautious with their next steps. With tighter budgets and limited resources, it can be quite challenging for CISOs and CTOs to effectively manage risk while ensuring business continuity.

New security vulnerabilities are emerging every day. The number of new disclosed cyber vulnerabilities jumped 25 percent in 2022, and the number of known exploited vulnerabilities—ones observed to be exploited by malicious actors in the wild—nearly doubled from 2021 to 2022. Remediating vulnerabilities rapidly and effectively reduces the likelihood of your organization becoming the victim of a cyber attack. Consider.

A major security incident in the crypto field occurred between March 17-18th. Due to a vulnerability that was not caught before the event, unknown crypto hackers were able to drain 1.6 million USD (around 59 BTC) from Bitcoin ATMs owned by General Bytes - the world’s largest Bitcoin, Blockchain, and Cryptocurrency ATM manufacturer.

Vulnerabilities are on the rise, and it's not just the number that's growing; the severity of these vulnerabilities is also increasing. Cybercriminals are taking advantage of these vulnerabilities to launch sophisticated attacks, leading to data breaches, ransomware, and other devastating cyber incidents.

According to a 2022 Verizon report, 43 percent of all data breaches reported worldwide targeted small and medium-sized businesses – with numerous businesses reporting at least eight hours of downtime after a severe cybersecurity incident. Little surprise, then, that demand for cyber liability insurance has surged in recent years. Businesses – especially small ones, with fewer financial resources – want to be made whole after a disruption.

SecurityScorecard is a customer-obsessed organization, which is why we asked ourselves: How can we provide more value to the thousands of CISOs who rely on our security ratings to make smarter, faster business decisions? We now make this guarantee: Qualified customers who maintain an A grade within the SecurityScorecard security ratings platform and still suffer an incident are eligible for complimentary Digital Forensics and Incident Response services.

Naming a company is one of the most important decisions a business ever makes. It’s the first thing potential customers will see, and it’s what they’ll use to remember you. A good company name helps establish credibility and image.

AI Trust, Risk and Security Management (AI TRiSM) is an emerging technology trend that will revolutionize businesses in coming years. The AI TRiSM framework helps identify, monitor and reduce potential risks associated with using AI technology in organizations. By using this framework, organizations can ensure compliance with all relevant regulations and data privacy laws. In this article, you'll learn what AI TRiSM is, how it works, and how organizations can use it for their benefit.

The security industry spent decades propagating the myth that risk is bad, and you must eliminate it — but this truth is… Your biggest risk could be the way you view it. You see, there are various “lenses” through which to view risk: rose-colored, blinders, magnifying and crystal clear. After presenting this concept at an ISACA-sponsored webinar, I received many questions and comments about putting this into practice.

Enterprises these days are facing a triple threat: stiffer government policies, volatile cyberspace and an extra-competitive economy. And without a well-planned strategy, it will be hard to survive all these and hit high-performance goals. Hence the need for an effective GRC strategy. Since its invention in 2003, GRC as a strategy for achieving organizational goals amidst uncertainty and with integrity, has stayed true to its primary purpose. Despite the increasing turbulence in the economy.

Imagine you've alerted your IT team to a critical infrastructure error plaguing your network. You ask them to drop their current work and focus on immediate remediation of this detected vulnerability. After further investigation, however, it is found to be a false positive. Unfortunately, these incidents are commonplace – and they cost your organization valuable time and manpower. More worrying, they distract from legitimate security issues.

In January 2023, PrivateLoader, a malware loader from a pay-per-install malware distribution service called “ruzki”, started to distribute Tofsee (a.k.a. Gheg), a modular spambot. Spambots are typically utilized by cybercriminals to spread malware and phishing emails, and this particular one has been in operation since at least 2008.

As technology becomes more prevalent in our lives, the risk of cybersecurity incidents is also increasing. Cybersecurity incidents can cause significant damage to organizations, including financial loss, reputational damage, and theft of sensitive data. Therefore, it is essential to have a robust cybersecurity system in place to protect against cyber-attacks. Artificial intelligence (AI) is one technology that can be used to predict cybersecurity incidents and mitigate their associated risks.

Recently, we discussed the most effective cybersecurity frameworks to reduce the risk of cyber threats. One of the most important systems is the Federal Information Security Management Act (FISMA). This act applies to certain organizations, and is imperative to help protect them against data breaches. Let’s take a look at four things to know about FISMA, from what it is to how to monitor FISMA compliance.

With tax day in the U.S. fast approaching, most people are opting to e-file their returns. But while online tax filing and payment have become more popular, so have tax scams targeting unsuspecting taxpayers. Here are some common online tax scams to avoid.

The other week, BitSight published research identifying thousands of organizations using internet-facing and exposed webcams with many video and audio feeds susceptible to spying. The potential consequences are serious – an attacker could potentially view private activities and eavesdrop on sensitive conversations, presenting a variety of privacy and security concerns. Below are some of the screenshots BitSight captured from exposed devices (blurred for privacy).

In this age of technology, software companies are quickly shifting towards a strict compliance posture. You may ask yourself, why is that and what has changed over the last several years? This can be due to multiple factors but can mainly be boiled down into four categories.

Ransomware as a Service (RaaS) has been a growing trend in recent years, enabling anyone with an internet connection to become a hacker. In the past, launching a ransomware attack required a high level of technical expertise, but RaaS has lowered the barrier to entry, making it easier for anyone to launch a ransomware attack. So, how does RaaS work, and what are the implications for businesses and individuals?

Chief information security officers (CISOs) have both internal- and external-facing roles. Externally, they must constantly scan the horizon for potential threats. Internally, they must implement, communicate, and champion best practices for security at their enterprises. In a time of sprawling global supply chains and growing automation, the role of the CISO is more complex than ever. To carry out this role effectively, CISOs must learn the importance of trust management.

Cloud computing is the most cost-effective way to store and manage data and meet growing business demands today. However, the rapid rise of cloud usage means you need to stay alert to potential cloud security insider threats that can compromise your sensitive data and security posture. In this post, we discuss the insider threat landscape, explore several types of cloud insider threats, and examine the best practices to combat these threats.

The more technology your organization adopts, the more exposed it becomes to third-party risks. Consider these statistics: Organizations have responded to these risks by implementing robust third-party risk assessment procedures. However, a common mistake is to view vendor risk management as a one-time activity, typically conducted prior to onboarding a new vendor. Since third-party risks are constantly evolving, it's crucial to evaluate vendor security at every phase of the vendor lifecycle.

As more and more businesses and individuals rely on technology and the Internet, cyber threats such as data breaches, malware attacks, and cyber extortion are becoming increasingly common. Overall, cyber insurance can help mitigate the financial, legal, and reputational risks associated with cyber incidents.

When you think about third-party risk management, what comes to mind? Are you concerned with measuring the effectiveness of your program? Do you know which third-party providers to focus your risk management efforts on? How are you evaluating your providers during the due diligence process?

Organizations face a growing number of external cyber threats that are becoming increasingly sophisticated and harder to detect. With the rise of remote work and cloud-based technologies, organizations’ attack surface has expanded significantly, making it difficult for security teams to maintain a strong defensive posture.

On March 2nd, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint Cybersecurity Advisory (CSA) – #StopRansomware: Royal Ransomware. We highly encourage everyone in a security role to read the Advisory, as it contains recent and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware.

In recognizing the growing impact of third-party risks on operational resilience, the Prudential Regulation Authority (PRA) has established new regulatory requirements in the areas of third-party risk management and outsourcing. The details were published in a Supervisory Statement that has been put into effect since March 2022.

Companies around the world and across industries face greater cyber threats than ever before. Cybersecurity incidents are becoming ever more frequent, and the costs associated with those attacks have marched upward too. As the risks grow, companies have strengthened their capabilities, both in prevention and incident response. Still, no company can guarantee that it will never be hacked, so companies must have cyber insurance in place in case the worst happens.

Software supply chain compromises are becoming an increasingly common tactic used by cyber criminals to infiltrate organizations. While the SolarWinds attack 3 years ago was the most infamous, these attacks are increasingly gaining in popularity among cyber attackers. This is because it is often easier to compromise a third-party vendor or supplier than it is to attack the organization directly.

As the frequency and complexity of cybersecurity threats continue to grow, it is becoming increasingly important for organizations to adopt advanced tools and techniques to protect themselves. One way to do this is by utilizing the MITRE attack framework (ATT&CK), a comprehensive taxonomy of common tactics, techniques, and procedures (TTPs) cyber attackers use to compromise information systems and steal data.

Internal controls can serve two purposes: to protect a business from accounting fraud, asset loss, or similar financial reporting failures; and to assure that the business meets its regulatory compliance obligations. An audit evaluates the accuracy of a company’s financial statements and the effectiveness of its internal control system to identify control weaknesses. In addition, audits typically include some form of substantive testing, which tests for risks of material misstatements and errors.

Cybersecurity isn’t easy in any industry, but it is perhaps most challenging for the banking, financial services, and insurance (BFSI) sector. Financial institutions are highly digitized and have large, complex IT infrastructures with many environments and assets to protect. At the same time, these enterprises are highly targeted by threat actors, leading to a constant barrage of attacks to detect and disrupt.

These four words are all too familiar to most CISOs and Risk Managers. In fact, nearly 70% of cybersecurity practitioners and decision-makers feel that their organization doesn’t have enough security staff to be effective, found a recent Cybersecurity Workforce Study.1 Infosec and cyber risk management teams are usually small, stretched thin and overwhelmed with work.

Being part of a governance, risk, and compliance (GRC) team is no easy task, as you have to stay on top of evolving expectations and laws, while connecting different business units together in a way that makes sense to other stakeholders. One area that’s been particularly tough to manage recently has been cybersecurity. From new data security standards to heightened risks around areas like ransomware, GRC teams have their hands full.

The recent collapse of Silicon Valley Bank (SVB) has sent shockwaves through the tech industry, prompting many individuals and companies to move their bank accounts to other financial institutions. However, in the midst of this turmoil, cybercriminals are poised to take advantage of people’s fears and concerns. If you’re planning to move your bank account or have already done so, it’s important to be aware of the security risks associated with this process.

In early March, the SANS Institute, whose mission is to empower cybersecurity professionals with the practical skills and knowledge to make the world a safer place, shared some insightful findings based on their survey on ransomware and malware intrusions in 2022. The survey included participants in various roles and industries from organizations worldwide of all sizes. “In this survey, we wanted to understand what the past year looked like for our respondents.

You’ve just sat down to start your work day and you’re going through your emails, hot cup of coffee in hand. You see an email from your company’s IT department telling you to install an update ASAP. As soon as you click the link in the email, you realize you probably should have checked with IT first.

Legal authorities and the general public typically hold organizations accountable for any harm caused during their daily operations. The expectation is that leaders of those organizations have considered the potential harms that might happen, and implemented reasonable precautions to reduce or eliminate the risks. This is known as the “DoCRA standard.”

In today’s interconnected world, it’s easy for organizational leaders to see a security incident on the news and question if they could be next. Security is often top of mind but rarely a strategic priority, leaving many CISOs struggling to communicate how to reduce risk to the board. And the latest risk management trends could present new challenges for security leaders. How can you overcome them?

Today we are going to keep looking at artificial intelligence and how corporations can get ahead of the risks thereof. Our previous post on AI was primarily a list of potential risks that could run rings around your company if you’re not careful; so what steps can the board and senior executives take to prevent all that? Well, first things first. AI is a new technology.

We’re proud to announce that SecurityScorecard has been named to Fast Company’s prestigious annual list of the World’s Most Innovative Companies for 2023. This list highlights companies at the forefront of their respective industries, who are rethinking business and culture, while paving the way for future innovations. We’re honored to join the ranks of other innovators, such as OpenAI, Disney, and Tiffany & Co.

In today’s world organizations rely on computer systems and data for pretty much everything, including mission-critical processes and interactions with customers. And given the relentless increase in cybersecurity threats, this means that organizations’ need to protect themselves and their customer data from such threats is paramount. The average cost of a single data breach in the United States is now $9.44 million.

The Dutch Police have arrested three individuals for suspected ransomware activity, which generated at least 2.5M Euro in extortion fees. The actors are believed to have attacked thousands of organizations, compromising the data of tens of millions of individuals. This is another example of successful law enforcement activity against ransomware operations. Such activity has increased over the past year, leading to the arrest of several prominent ransomware group members, such as Revil and Netwalker.

While things can sometimes seem “back to normal” in the rest of the world, the devastating war is still going on in Ukraine, affecting millions of innocent civilians. Reflecting on the past year’s suffering of the Ukrainian people, we’d like to summarize the cyber warfare aspect of this conflict. In 2022, Russian government-backed cyberattacks targeted users in Ukraine more than any other country.

Companies and their many stakeholder groups depend on accurate information. Whether you’re a manager, investor, board director, or employee, it’s crucial to have an accurate picture of what is happening in a company. Publicly traded companies provide this picture through financial data, collected and shared through formal, published financial reports.

Today’s release of the White House’s National Cybersecurity Strategy is the result of more than a year of government and industry collaboration that sets new boundaries for the government approach needed to improve global cyber defenses. The strategy clearly represents a shift away from decades-old voluntary compliance regimes to a more aggressive regulatory construct that seeks to shift cyber burdens onto providers/developers and owners and operators of critical infrastructure.

On average, 55 new cybersecurity vulnerabilities were published every day in 2021. This goes on to show that preparing for every single vulnerability and running a hundred percent risk-free business is an extremely difficult task, but not entirely impossible.

Some of the biggest prevailing challenges in the cybersecurity world over the last year have been those revolving around securing the software supply chain across the enterprise. The software that enterprises build for internal use and external consumption by their customers is increasingly made up of third-party components and code that can put applications at risk if they aren't properly secured.