If you’re a business executive or a risk leader, you’re likely familiar with “proxy season,” the time of year when public companies hold their annual general meetings. During these meetings, investors have the opportunity to vote on important issues such as the election of board members and executive compensation.

Third-party risk is everywhere and the cybersecurity posture of those third parties is more important now than ever before. With organizations using 130 SaaS solutions on average, onboarding the “wrong” vendor — one that doesn’t share the same cyber practices or hygiene as you do, or that sharing sensitive data with would be cause for concern — could land an organization in hot water.

The problem with shadow IT isn’t really the need for new tools, it’s the fact that people use them without IT security teams knowing. This usually happens because they perceive security policies as restrictive and antagonistic toward their productivity. In this way, Shadow IT is a process issue—not a software issue. Hidden risk is increasingly challenging cybersecurity leaders as digital supply chains grow and more apps are added to the network.

While security ratings are a great way to demonstrate that you’re paying attention to the standard cyber health of the organization, you also need to show that you’re adhering to industry and regulatory best practices for IT security and making informed decisions for the long-term. A cybersecurity framework can help.

The recent SEC breach disclosure rules place enormous pressure on CISOs. The new SEC disclosure requirements for public companies require companies to report annually on their cybersecurity risk management and governance efforts and publicly announce cybersecurity incidents that prove "material." Determining materiality may be one of organizations' most prominent challenges with the new rules. What exactly is a material cybersecurity incident?

One study found that 65% of SaaS applications in use are unsanctioned. And 59% of IT professionals find SaaS sprawl challenging to manage. In other words, shadow IT risks are growing—but that’s just the tip of the iceberg when it comes to hidden risks across today’s expanding attack surface. Missed software patches, outdated certificates, and stealth malware are some examples. Many security teams still struggle to keep their networks safe from ever-growing digital supply chains.

The annual doctor wellness check always interests me. It’s generally the same routine every year: The doctor and I exchange pleasantries. She asks about any noticeable health changes while looking in my ears with that cool little penlight. If I’m lucky, she uses the mini-hammer to see how high my leg kicks after a gentle knee tap (I just love that for some reason). But it’s all a bit of a show, isn’t it?

The annual doctor wellness check always interests me. It’s generally the same routine every year: The doctor and I exchange pleasantries. She asks about any noticeable health changes while looking in my ears with that cool little penlight. If I’m lucky, she uses the mini-hammer to see how high my leg kicks after a gentle knee tap (I just love that for some reason). But it’s all a bit of a show, isn’t it?

As organizations increasingly rely on external vendors and enterprise buying patterns continue to decentralize, the challenge of managing risk associated with third parties becomes critical. Unfortunately, even uncovering vendor relationships within an organization can be a struggle, with over 80% of workers admitting to using non-approved SaaS applications. This ‘Shadow IT’ is not only frustrating; it introduces tremendous risk.

AgentTesla is a Windows malware written in.NET, designed to steal sensitive information from the victim's system. It’s considered commodity malware given its accessibility and relatively low cost. Commodity malware poses a significant threat as it enables less sophisticated cybercriminals to conduct various types of cyberattacks without requiring extensive technical knowledge. AgentTesla has been a persistent and widespread threat since its emergence in 2014.