Over 2,100 organizations are using BitSight Security Ratings to continuously monitor cyber risk in their business ecosystem. Using an approach similar to credit ratings for financial risk, BitSight customers are able to gain insight into the security posture of third parties as well as their own organization. BitSight Security Ratings are calculated on a scale of 250-900 with a higher rating indicating better security performance.
Great! BitSight grants you complimentary portal access to understand your BitSight Security Rating and investigate details behind it. If you have any questions about your rating details or would like a walkthrough of the
See how BitSight’s Enable Vendor Access feature allows customers to have data-driven, evidence-based conversations, making vendor risk management a more collaborative process.
You may have received a BitSight report from a company you work with. Your BitSight report includes your rating and details behind each risk vector in our platform. However, to get detail into specific security issues occurring within your organization’s digital footprint including IP addresses, you must access the BitSight platform.
All organizations have the right to access to BitSight platform to receive these details free of charge. To inquire about gaining access to the BitSight Security Rating Platform, please email EVA@bitsight.com.
BitSight uses externally observable data on compromised systems, security diligence, user behavior, and public disclosures to compute a company’s security rating. All companies—regardless if they are a customer or not—are rated on the same criteria. For more details, see “How BitSight Calculates Ratings.”
All BitSight customers can subscribe to view the rating of any other company within their portfolio. However, forensics information, such as IP addresses affected, server name, and observed behavior are only disclosed to the organization itself or a third party with some sort of permission [and in compliance with our internal guidelines].
Any organization has the ability to tag portions of their networks and specify which of their IP addresses are reserved for guests, security research and testing, or other purposes. Tagging these portions of the network provides the relevant context should a security event occur. BitSight also enables organizations to create self-published ratings that reflect the security posture of particular parts of their networks.If you’d like to do this, please reach out to email@example.com.
Yes, all the information we gather is from the public Internet; our product is non-intrusive and requires no agents or software to be deployed. The information is available to anyone who chooses to collect it. Moody’s, Dun & Bradstreet and others have set a market precedent for collecting data and presenting a score. Similar to these companies that have established industry standards, our ratings algorithm is based only on fully objective, verifiable and actionable data.
Absolutely, BitSight firmly believes in the transparency of its ratings for all organizations. In the event you believe there is a discrepancy with your rating, you can reach out to our customer support team. BitSight’s customer success team will review any records within your rating that you believe are incorrect. If ultimately necessary, rating disputes can be brought to the Office of the Ombudsman to ensure an unbiased and accurate resolution.
Security ratings are a measurement of security performance based on historical data — over years — meaning they won’t necessarily change dramatically overnight.
A company’s security rating includes a Remediation Strategy which highlights risk vectors that have had a high rating impact in the last 60 days. Organizations should start with items that have affected their rating the most. For context, organizations with ratings in BitSight’s advanced category (740-900) tend to: ensure security configurations are up to industry standards, continuously monitor their networks for compromised systems, and remediate issues as soon as they are discovered.
BitSight Security Ratings are subject to a rigorous review process by members of BitSight’s technical research team. This process is designed to surface any inconsistencies in the ratings methodology, data collection, and conclusions. Rating quality is based upon the accuracy of the risk vectors that comprise them. Security events, which make up 55% of a BitSight Security Rating, are especially important. Billions of new security events are observed around the globe on a daily basis, but many of these are simply noise or false positives. What really matters for security ratings is evidence of actual compromise, such as a botnet that has invaded your network and may be sending sensitive personally identifiable information (PII) to a command and control center. BitSight is able to detect evidence of actual attacks and measure information such as frequency, duration, and confidence. We do this through correlation and cross-checking against internally-developed sources, external vendors, and publicly accessible data.
For BitSight to accept a security event, it must pass our event quality criteria based on different data factors. We have over 490 criteria and 160 factors; different checks are applied to different data, ensuring that unreliable data is filtered out and never makes it into a BitSight Security Rating. We thoroughly test and cross-check new data sources and risk vectors against existing data sources to ensure quality. We continually check the quality of existing data sources, which is why the number of quality criteria and factors is continuously increasing.
Mapping IPs to companies is a highly complex and dynamic challenge: IP addresses are continually sold, exchanged, or reallocated. Entirely automated processes very often misallocate IPs or miss entire IP blocks. As a result, IP mappings based on automated processes alone are highly unreliable. BitSight combines automated processes with human validation. We maintain teams of researchers who create and maintain maps of IP addresses of companies. To keep our error rate as low as possible, their IP allocations are cross-checked before they are incorporated into the BitSight Security Ratings.