As cybersecurity leaders, we're all too familiar with the challenges posed by Shadow IT—a persistent thorn in the side of IT and security teams worldwide. And when high-profile supply chain attacks make headlines, the urgency to understand our reliance on third parties becomes all too real.

Insecure software is significantly impacting our world. In a recent statement, CISA Director Jen Easterly declared: “Features and speed to market have been prioritized against security, leaving our nation vulnerable to cyber invasion. That has to stop... We are at a critical juncture for our national security.”

The SecurityScorecard Global Third-Party Breach Report uses the world’s largest proprietary risk and threat dataset to provide unique insights into the intricate web of supply chain vulnerabilities exploited by ransomware groups. As the digital landscape continues to evolve, so too do the tactics of cyber adversaries. Ransomware groups, in particular, have honed in on a prime target: the software supply chain.

It’s no longer a question of ‘if’, but ‘when’ and ‘how’ cyber threats will target an organization. This reality demands a proactive approach to digital security. Recent data shows that over 85% of organizations have experienced a cyber attack supporting this need for vigilance. These incidents range from data breaches to brand impersonation, each carrying significant risks to business integrity and continuity.

A Statement of Applicability (SOA) is a document you draft as part of achieving compliance with ISO 27001 and other ISO standards. The SOA reviews the internal controls you have decided to include in your information security management system (ISMS) and why you selected those controls. Writing a thoughtful, comprehensive SOA is crucial to your ISO 27001 compliance journey.

If your business takes debit or credit card payments online or in person, you’ve most likely heard of “PCI DSS” or “PCI SSC.” These words relate to sensitive data security procedures, namely the controls that a retailer or payment processor should have to protect payment card data from cyber attacks. Being PCI compliant does not ensure a company’s systems are safe; nonetheless, it is a significant step in that direction.

PCI DSS compliance is crucial for any business that processes, stores, or transmits cardholder data. But who exactly is responsible for implementing and enforcing PCI DSS requirements? This blog post will unpack PCI data security standard controls, who owns them, the penalties for non-compliance, and how a Governance, Risk management, and Compliance (GRC) platform like ZenGRC can help streamline compliance.

Since July 2022, Bitsight has been tracking PrivateLoader, the widespread malware downloader behind the Russian Pay-Per-Install (PPI) service called InstallsKey. At the time, this malware was powering the now decommissioned ruzki PPI service. Figure 1 presents a brief description of the service, which was found in their sales telegram channel. Fig. 1 - Service description on telegram channel profile (Russian and English).

Vulnerability scans are essential to an effective cyber defense strategy, offering a proactive approach to uncover and mitigate potential threats before they can exploit your systems. At the forefront of this crucial practice are Tenable and RiskOptics, each offering comprehensive solutions designed to conduct thorough vulnerability assessments. These tools identify weaknesses and help prioritize and address them, significantly strengthening your overall security posture.