We’ve entered the fourth and final week of National Supply Chain Integrity Month, an initiative started by CISA and other government agencies to highlight the importance of securing our nation’s most critical systems and ensuring they stay resilient. I started off the month with a post about maturing your third-party risk management program, and followed that up with two more posts dedicated to securing the small business supply chain and streamlining procurement.

The White House’s ambitious national cyber strategy— which represents a shift away from decades-old voluntary compliance guidelines to a more aggressive regulatory approach of critical infrastructure firms—couldn’t come at a better time. A recent study found that local governments were the organizations least capable of disrupting ransomware attacks, and that they were also among the ransomware victims to pay ransoms most frequently (43% paid a ransom after an incident).

As a security manager, you have a wide variety of tasks you need to complete in order to protect your organization — as well as your employee and customer data. Of course, some of these responsibilities are performed on a quarterly or yearly basis, such as gathering information for audits or conducting annual assessments. But there are certain tasks that you should be completing daily in order to maintain the desired security posture and reduce cyber risk across your expanding attack surface.

As part of SecurityScorecard’s commitment to making the world a safer place, we are now the first and only security ratings platform to integrate with OpenAI’s GPT-4 system. With this natural language processing capability, cybersecurity leaders can find immediate answers and suggested mitigations for high-priority cyber risks.

Researchers from Bitsight and Curesec have jointly discovered a high-severity vulnerability — tracked as CVE-2023-29552 — in the Service Location Protocol (SLP), a legacy Internet protocol. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported.

After COVID, enterprise IT security got turned on its head. As the world adjusted to working from home, and continues to, IT teams worked overtime to enable remote access for millions of employees. This transition has gone smoothly for most organizations, but many security gaps still remain years later. The SolarWinds data breach is a worrying example. It shows how vulnerable organizations are to malicious activity in our changing risk environment.

When a major security event like SolarWinds or Log4j happens, how do you assess the impact across your third-party supply chain? Most organizations struggle to effectively react to zero day attacks and other critical vulnerabilities at scale, often following manual and cumbersome workflows. But our latest capability is here to change that.

A recent study found that financially material cyber attacks are increasing in frequency and that the top 5% of such attacks lead to an average $52M in losses. As these types of cyber attacks become more frequent and more severe, it has become increasingly critical for risk managers outside of enterprise security functions —such as compliance and credit officers—to consider cybersecurity risk in their assessment of customers, suppliers and investments.

Today we are announcing updates to the Bitsight ratings algorithm. Bitsight is committed to creating the most meaningful, trustworthy, and actionable security ratings and analytics in the marketplace. As part of this commitment, we periodically make updates to our ratings algorithm based on new data observations and capabilities, internal and external research, and market feedback. For this year’s update, we have made several adjustments, including modifying the weights of several risk vectors.

In 2011, Bitsight invented the security ratings industry. As the market leader, we are still the standard in how organizations quantify, manage, and monitor cyber risk. Today, that universal metric is used by entities from national governments to global enterprises to Fortune 500 companies to interpret cyber risk. And now, we’re disrupting the industry once again. Waves of change are constantly disrupting companies of all sizes around the world, particularly when it comes to cybersecurity.

Risk used to be a word thrown around as if it could be defined generally and, once defined, consistently applied to all business and technology use cases. This didn’t work out so well for customers, CISO’s, or vendors. Risk was a “four-letter-word” and it fell out of common use.

We’ve entered Week #3 of National Supply Chain Integrity Month, an initiative that CISA and other government agencies started to highlight the importance of securing our nation’s most critical systems and ensuring they stay resilient. For Weeks #1 and #2, I wrote about maturing your third-party risk management program and securing the small business supply chain.

Running a business is full of surprises. Unexpected events can pop up at any time, potentially leading to the derailment of your organization’s goals. If everything suddenly went haywire, would you and your team know what to do in the heat of the moment? That’s precisely why having a robust risk management program is crucial, and it all starts with a risk register – a tool used to identify and mitigate potential problems.

The cybersecurity threat landscape is rapidly evolving as cloud computing, the Internet of Things (IoT), mobile devices, and remote work become more widely adopted. As a result, Security Operations Center (SOC) teams are increasingly overwhelmed. In addition to responding to cyber threats, teams must continuously identify emerging vulnerabilities and move quickly to apply and test patches and updates. A failure to do so significantly increases cyber risk. Consider the statistics.

In response to the growing number of cyber incidents, policymakers and regulators around the world are creating new cybersecurity requirements for companies to comply with, including mandates to disclose cyber risks and incidents. For example, new cyber risk disclosure requirements from the U.S. Securities and Exchange Commission (SEC) are anticipated to be adopted in 2023 and would have a major impact on corporate cybersecurity initiatives.

Leading cybersecurity experts Major General John F. Wharton, (US Army ret); Oleg Strizhak, Shell’s Digital Supply Chain Risk Manager; and Sam Curry, the CISO of Zscaler, recently sat down with SecurityScorecard’s President of International Operations Matthew McKenna to discuss how organizations can prepare themselves and their supply chains for zero-day attacks as well as best practices for supply chain risk management.

Small and medium-sized businesses account for 4.17 percent of private sector employees and almost half of the United States’ gross domestic product , yet—due to limited finances, resources, and staff—many have difficulties when it comes to supply chain management. Geopolitics, inflation, and worker shortages are just a few variables that can impact supply chains; 86% of SMB supply chains have already been or expect to be impacted by Russia’s war in Ukraine.

We all accept a certain degree of risk in our lives. So, to varying degrees, we’re all operating – to use cybersecurity parlance – with an assume breach mindset. Meaning, we accept that attacks are inevitable and, as such, we focus time and effort on protecting the assets that matter most. In short, we buckle up for safety.

The expanding attack surface of an increasingly interconnected digital world comes with a high degree of risk due to ransomware, phishing attempts, supply chain attacks, data breaches, and other cyber incidents. And while many organizations recognize the need for cyber insurance, a recent Forrester Research report found that only 55% of organizations in North America have purchased cyber insurance. 1

With the rise of remote work and shadow IT, more devices and apps (both sanctioned and unsanctioned) are connecting to your organization’s network. Today, there are approximately five million mobile apps currently in circulation: approximately three million for Android and two million for iOS. That’s great for productivity, but less than ideal when it comes to security.

If you operate in specific sectors, cybersecurity maturity is more than a best practice, it’s a regulatory requirement. These regulations are complex and constantly changing. To help you better understand your organization's regulatory environment and the standards and controls they stipulate, let's break down key cyber compliance regulations by industry.

This week kicks off the 6th annual National Supply Chain Integrity Month, an initiative started by CISA and other government agencies to highlight the importance of securing our nation’s most critical systems. This year’s theme, “Supply Chain Risk Management (SCRM) – The Recipe for Resilience,” is meant to encourage all stakeholders to apply a comprehensive approach in their efforts to strengthen cyber defenses.

A risk register is a tool used to manage potential problems or risks within an organization. It helps to identify and prioritize risks, their likelihood of occurrence, and provides ways to mitigate them. Risk registers allow you to play offense and defense – you’re proactively planning for potential challenges and minimizing their impact on your project’s success in the event that the roadmap does veer off course.

Are you aware of the risks involved in doing business with parties sanctioned by the Office of Financial Assets Control (OFAC)? How does this impact your vendor management? OFAC stands for Office of Foreign Assets Control within the Treasury Department. As part of the U.S. government measure to enforce anti-money laundering/counter terrorism financing regulations, OFAC oversees economic and trade sanctions. These sanctions are against countries, individuals, or outfits engaged in disreputable actions.

Optimize your security workflows and deliver intelligence everywhere you work with the largest ecosystem of integrated technology partners in cyber risk ratings. SecurityScorecard provides Application Programming Interface (API) access for all our data allowing you to get more contextual security insights, app integrations, and detailed information about your current or prospective vendors. You can leverage our APIs and Integrations in the following ways.

In today’s ever changing cyber risk landscape, your organization must adopt a vulnerability management framework to control exposure and remediate risks in a timely manner. In an earlier blog, we explained the vulnerability management process. Here, we explore a key part of that process – vulnerability monitoring – in greater depth.

The threat of ransomware has been ever present in 2020, especially within the high-stakes industries like healthcare and those involved in the election. According to Verizon's 2019 Data Breach Investigations Report, 24% of security incidents that involved specific malware functionality exhibited ransomware functionality.