Epiq tackles the root cause of cybersecurity risks with BitSight’s SPM solution.


Background
Epiq experienced a cyber-attack in early 2020. Shortly afterwards, they hired a new CISO, Jerich Beason, who was tasked with leading the overhaul of the cybersecurity program efficiently and effectively and helping restore confidence in Epiq’s cybersecurity.
In order to implement an effective cybersecurity program moving forward, Epiq needed to first understand their risk exposure within their enterprise and subsidiary IT environments. Were different IT environments adding more risk than others? Was the risk impacting their program manageable? Gaining an understanding of their internal risk posture was essential, but the company also needed to be able to better articulate their risk posture. Jerich Beason states that there are a few things that are important in doing business today in this digital era that go beyond feature parity and product capabilities. Trust is critical for a myriad of reasons and empirical data is one of the ways to preserve or create trust.
Previously, most vulnerabilities were handled by scanning, patching, and moving on to the next fire, but they weren’t consistently identifying the underlying cause of the risk. The 2020 cyber-attack also caused considerable damage to the company’s reputation with some of its partners and customers, and was the final catalyst for initiating a process of technological renewal to identify the risks and their root causes. Epiq needed to improve their security posture, improve their reputation, and be seen as trustworthy to regain the market’s confidence.
"BitSight became useful to benchmark where we are within our industry, with our peers, especially when we need to demonstrate our progress and our posture to customers."
The Solution
With BitSight for Security Performance Management, Epiq gained clear visibility of risk across their attack surface and how they are exposed to possible security threats. As Jerich Beason explains, “BitSight is helping me understand my externally facing systems,” and more than that, BitSight provides a clearer picture of the types of risks, vulnerabilities, and misconfigurations in a single console. Previously, this required a combination of data sources and tools. That said, they are not only focused on targeting the systems and devices that BitSight alerts them to, but also on getting to the root of the vulnerability to prevent recurrence of the same exposure. As Beason puts it, “BitSight gives me a starting point to get to the root cause that then helps me improve my entire environment from the foundation up.”
With BitSight’s technology, Epiq can get additional context and clarity around which subsidiaries in their network are following cybersecurity standards, and which are causing more risk. When widespread breaches like SolarWinds or Microsoft Exchange happened, BitSight helped Epiq get answers to questions like “Do we have this version of the vulnerable software? Do we have this vulnerability present anywhere on our network? Are any of our suppliers exposed to this vulnerability and in turn a potential threat to Epiq?” When vulnerabilities are located, Epiq’s Cyber & IT Teams are able to act efficiently with the information BitSight provides them.
“Using BitSight, Epiq has set up alerts to notify us if a score goes down in any category or if any new findings arise,” says Beason. If a new system has a vulnerability, Epiq’s team gets the information daily, and often ahead of scheduled vulnerability scan reports, and can efficiently identify situations that can be exploited by a bad actor. Together with Epiq’s other cybersecurity tools, BitSight’s data enables the visibility needed to properly identify truly risky areas and prioritize remediation. With the information from BitSight, Epiq can assess and implement a mitigation strategy that prevents, for example, systems from being updated before addressing the root cause of the problem. Epiq has relied on BitSight to complement their other cybersecurity monitoring platforms and to ensure their security controls are consistently applied throughout all of their systems and environments.
The Results
“BitSight’s rating is one of the most effective ways that security enables the business,” states Jerich Beason, referring to the trust that BitSight Security Ratings help to build. Epiq’s CISO explains that “trust is lost in buckets and gained in drops,” and BitSight is a key component in building that trust with Epiq’s customers and partners. Deals were lost because of security concerns after the 2020 attack, and Epiq has done a lot with BitSight Security Ratings to demonstrate that they are trustworthy since the cyber-attack. Jerich Beason knows that “any blip on that trajectory gives room for a competitor to pounce and for a customer to lose confidence in our ability to protect their data.”
With the use of BitSight’s solution, internal stakeholders are given more visibility into the company’s cybersecurity performance through generated BitSight reports and gain a more universal understanding of cybersecurity through the BitSight rating. Although it is Epiq’s security team that receives the alerts, they are shared with the CIO and the IT leadership teams weekly, and often with the CEO for a better alignment of business performance and where risk lies in their network. Epiq also includes their BitSight Security Rating as a monthly key risk indicator when discussing cybersecurity with business leaders.
At Epiq, both the C-Suite and the Board use BitSight to understand the impact of business decisions and the security strategy implemented. Beason believes that being a leader in the market is largely about using cybersecurity to promote business success without being burdened by cyber-attacks. Epiq’s CISO states, “My team is regularly brought in pre-sales to speak with a customer about our cyber security strategy, current security posture and what tactical things we’re doing to improve – that oftentimes becomes the deciding factor in whether we secure the business from that prospective customer or not – that makes it a lot easier to articulate the value of security.”
Epiq has also turned to BitSight as a verification tool when measuring the effectiveness of new cybersecurity controls as they’re rolled out. By tracking the change in their BitSight rating in response to new controls, Epiq is more confident and in control of their cybersecurity management systems. With BitSight for Security Performance Management, Epiq is able to add an additional level of near-real-time assurance of the security controls on their perimeter.