On December 20, 2013, soon after news of Target’s data breach broke, Venky Ganesan (Managing Director at Menlo Ventures and BitSight Board Member) talked about BitSight on CNBC. When asked about cutting-edge technology in the cyber risk management space, Venky responded, “I think the most important thing we find right now is that security has become a board room issue. Everybody in the board room wants to know how secure are we, how can we measure security, and how can we manage it. We have an investment in a company called BitSight that lets us get a rating on how secure your infrastructure is.”
Venky goes on to explain how BitSight’s SecurityRatings can be used to measure risk. In the case of Target, which announced last week that it had been breached, BitSight saw an increase in security incidents during the fourth quarter of this year. Although Target’s SecurityRating is higher than that of the average retailer, BitSight did observe a rise in malicious activity occurring on Target’s network in November and December. In particular, there was an increase in adware and botnet activity, including ZeroAccess and Zeus. While we have no evidence suggesting that this particular activity led to the breach, it is clear that Target’s security posture declined in the last few months. Target’s BitSight SecurityRating fell nearly 10% from July 2013 to December 2013.
What we have learned from the attack on Target is that a company’s security posture can change rapidly. A company that had few security incidents in one month could be plagued with botnet infections the next. As cyber attacks increase in sophistication, risk managers must continuously monitor risk and proactively manage it. And, increasingly in 2014, we will see cyber security becoming a more prevalent topic of discussion in corporate boardrooms.