“BitSight data notifies you about areas of vulnerability, indications of a lack of security controls and continuous performance issues with these third parties, so you can get ahead of potential risks,” says Boyer.
Focusing on third-party risk predictions, BitSight’s security ratings platform quantifies its findings with an objective, data-driven numerical rating ranging from 250 to 900 (much like a consumer credit rating). The lower a company’s BitSight security rating, the weaker the observed security of its digital assets and the more likely it is to suffer a ransomware attack. BitSight’s findings show that organizations with a low rating (say, between 300 and 500) are almost 8 times as likely to experience ransomware activity as a company with a rating of 750 or above.
Driving risk reduction with BitSight and integrator partners
BitSight Assessment Accelerator (BAA) is a product that gives organizations a trusted third-party cyber risk assessment snapshot on demand, via API integration into tools such as ServiceNow, ProcessUnity, ThirdPartyTrust and Venminder. BitSight Assessment Accelerator provides a company’s BitSight Security Rating, Rating Categories, Risk Vectors, and performance against standard risk assessment questionnaires such as the NIST CSF or the SIG.
“With the growth of digital supply chains that all companies are building, ransomware attacks targeting third parties are becoming a bigger issue and causing massive business disruption across all industries,” says Anders Norremo, CEO of ThirdPartyTrust. “We’ve been proud to work with BitSight on bringing the latest research on ransomware and third party risk to companies who can benefit from our findings.”
Integrated into an organization’s third-party risk management (TPRM) platform, BitSight Assessment Accelerator aims to provide a reliable cybersecurity risk picture during onboarding and reassessment. This data lets risk managers enable their businesses by tiering third parties based on risk, right-sizing the level of assessment each tier requires, validating questionnaire-based responses against externally observed evidence (and flagging discrepancies and problem areas), and using up-to-date data on their vendors to make informed decisions about risk.
Aaron Kirkpatrick, Chief Information Security Officer at Venminder, mirrors Norremo’s assessment: “Risks posed by ransomware attacks on your third parties are high [as] vendors are a more enticing target for cyber criminals. This is because vendors store information from multiple organizations and often are not assessed, audited or held to the same level of cyber hygiene as their clients, especially in regulated environments.”
Kirkpatrick says organizations need to ensure they are doing their initial “due diligence” and continuous monitoring of vendors appropriate to the level of risk each vendor poses. The two products are complementary: Venminder assesses what security controls the vendor says it has in place, while BitSight assesses how those controls are actually implemented on the vendor’s externally facing infrastructure.
“Even with effective third-party risk management activities, vendors may not inform their clients of an attack either due to not knowing themselves yet, or from fear of reputational damage and legal action against them,” advises Kirkpatrick. “This has caused some ransomware attackers to blackmail the individuals or organizations whose data they’ve collected from the vendor directly.”
“In many cases there are signs a third party is vulnerable to an attack, and so it’s important to utilize automation as much as possible to generate issues and raise risks immediately for a timely and appropriate response,” says Vasant Balasubramanian, VP and GM of Risk at ServiceNow. “BitSight alerts provide the early warning signs and trigger actions in ServiceNow Vendor Risk Management, helping organizations better manage risk.”
“And through our integration with BitSight we are able to provide an objective assessment of cyber security risk to aid our customers in initial third-party tiering, risk analysis, and continuous monitoring,” adds Balasubramanian.
Grading an organization’s ‘patching cadence’
Stephen Boyer says that after studying thousands of ransomware incidents a pattern emerges: organizations that do not keep their systems up to date, meaning they are not applying the latest patches in a reasonable timeframe, are 7 times more likely to have a ransomware incident than organizations that do.
“This is where BitSight comes in, as we are looking at and tracking this performance over time and across your entire third-party ecosystem. Although we don’t see everything, what we can do is give you indications of where there might be gaps in your security controls, which increase the likelihood of something negative happening that impacts you,” says Boyer.
In other words, BitSight measures an organization’s “patching cadence” by looking at the presence and duration of vulnerabilities observed on the company’s external-facing digital infrastructure: how many exposed weaknesses are visible, and how long each one stays visible before it is remediated. Not surprisingly, poor performance on patch management is highly correlated with ransomware risk.
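The two ideas above, measuring patching cadence from the presence and duration of externally observed vulnerabilities and then using that measurement to validate a vendor’s questionnaire answer and place it in a risk tier, are illustrated below with an added example. This is not BitSight’s scoring algorithm or any integrator’s code: the findings, hostnames, vulnerability identifiers, dates, the 30-day SLA, the 80 % tolerance and the rating thresholds (500 and 750) are all constructed assumptions chosen to show the mechanics.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

# Constructed observations of vulnerabilities visible on one vendor's
# external hosts. Hostnames, identifiers and dates are hypothetical; a
# real feed would come from a rating provider or your own external scans.
@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str               # hypothetical identifier of the weakness
    severity: str              # "critical", "high" or "medium"
    first_seen: date           # first day the weakness was observed
    last_seen: Optional[date]  # None: still observable at the report date

AS_OF = date(2022, 3, 31)      # assumed report date

FINDINGS = [
    Finding("vpn.vendor.example",  "VULN-A", "critical", date(2022, 1, 3),  date(2022, 1, 20)),
    Finding("mail.vendor.example", "VULN-B", "critical", date(2022, 1, 10), date(2022, 3, 1)),
    Finding("www.vendor.example",  "VULN-C", "high",     date(2022, 2, 1),  date(2022, 2, 14)),
    Finding("www.vendor.example",  "VULN-D", "high",     date(2022, 2, 5),  None),
    Finding("cdn.vendor.example",  "VULN-E", "medium",   date(2022, 1, 15), date(2022, 1, 25)),
]


def exposure_days(f: Finding, as_of: date = AS_OF) -> int:
    """Days the weakness was, or so far has been, observable externally."""
    end = f.last_seen or as_of
    return (end - f.first_seen).days


def patching_cadence(findings: List[Finding], severities=("critical", "high"),
                     sla_days: int = 30, as_of: date = AS_OF) -> dict:
    """Summarise remediation behaviour for the chosen severities.

    A finding is 'within SLA' only once it is closed inside sla_days; a
    finding that is still open but already older than sla_days counts as
    a breach even though it has no remediation date yet. Open findings
    that are younger than the SLA are undecided and excluded from the share.
    """
    scoped = [f for f in findings if f.severity in severities]
    durations = [exposure_days(f, as_of) for f in scoped]
    closed_within = sum(1 for f, d in zip(scoped, durations)
                        if f.last_seen is not None and d <= sla_days)
    breached = sum(1 for d in durations if d > sla_days)
    decided = closed_within + breached
    return {
        "count": len(scoped),
        "median_days": median(durations) if durations else 0,
        "within_sla_share": closed_within / decided if decided else 1.0,
        "open_past_sla": [f.vuln_id for f, d in zip(scoped, durations)
                          if f.last_seen is None and d > sla_days],
    }


def check_questionnaire(findings: List[Finding], claimed_sla_days: int,
                        tolerance: float = 0.8) -> List[str]:
    """Validate a self-attested remediation SLA against observed behaviour.

    Returns discrepancy messages (empty when evidence supports the claim).
    The 80 % tolerance is an assumption for this example.
    """
    cadence = patching_cadence(findings, sla_days=claimed_sla_days)
    issues = []
    if cadence["within_sla_share"] < tolerance:
        issues.append(f"claimed {claimed_sla_days}-day SLA met for only "
                      f"{cadence['within_sla_share']:.0%} of decided findings")
    if cadence["open_past_sla"]:
        issues.append("still exposed past claimed SLA: "
                      + ", ".join(cadence["open_past_sla"]))
    return issues


def tier_vendor(rating: int, cadence: dict, min_share: float = 0.8) -> str:
    """Place a vendor in a review tier from its rating and observed cadence.

    The 500/750 cut-offs are assumptions for the example, loosely echoing
    the 300-500 and 750+ bands discussed in the text.
    """
    if rating < 500 or cadence["open_past_sla"]:
        return "high"
    if rating < 750 or cadence["within_sla_share"] < min_share:
        return "medium"
    return "low"


if __name__ == "__main__":
    cadence = patching_cadence(FINDINGS)
    print(cadence)
    print(check_questionnaire(FINDINGS, claimed_sla_days=30))
    print("tier:", tier_vendor(420, cadence))
```

With the constructed data, two of the four critical/high findings were fixed inside 30 days, one was closed after 50 days and one has been exposed for 54 days and is still open, so a vendor that attests to a 30-day remediation SLA is flagged on both counts and lands in the high-review tier regardless of its rating.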
Todd Boehler, Senior Vice President of Strategy at ProcessUnity, agrees ransomware attacks on your third parties can become attacks on you, “making it mission-critical that you gain visibility into third party risks.”
“You must understand your vendor’s cybersecurity practices, policies and controls, validate that these standards are upheld throughout the relationship, assign owners to establish cybersecurity accountability throughout the supply chain and raise issues as needed, ahead of security incidents,” says Boehler. “Periodic assessments and ongoing monitoring ensure potential risk is identified and mitigated throughout the relationship.”
While TPRM platforms already have modules to gauge third-party risk, including onboarding questionnaires, Boyer says BitSight adds an empirical view of cybersecurity performance that highlights the risks worth flagging, with that data and analytics embedded directly in the customer’s integrated workflows.
“So, essentially, you are accelerating your ability to work with a new vendor in a risk-free manner, so you can better make that decision to onboard a third party with real data, as opposed to self-attestation through cyber risk assessment questionnaires, which tends to be more aspirational than empirical,” adds Boyer.
Stay Ahead of Ransomware
To fight back against the growing threat of ransomware, BitSight suggests three steps: incorporate leading indicators of ransomware, such as patching cadence, into your vendor risk management workflows via the integrators above; take a prioritized view so your team focuses on mitigating the highest cyber risks first; and work with your vendors to create mutual accountability, which translates into more holistic resilience against risks such as ransomware.