DOCSLIB.ORG

Examining Approaches to Quantifying Cyber Risk for Improved

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Examining Approaches to Quantifying Cyber Risk for Improved Examining Approaches to Quantifying Cyber Risk for Improved Cybersecurity Management by Sravya Bhamidipati Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Master of Engineering in Computer Science and Engineering at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY September 2019 c Massachusetts Institute of Technology 2019. All rights reserved. Author.............................................................. Department of Electrical Engineering and Computer Science August 29, 2019 Certified by. Michael Siegel Cybersecurity at MIT Sloan, Co-Director Thesis Supervisor Accepted by . Katrina LaCurts Chair, Master of Engineering Thesis Committee 2 Examining Approaches to Quantifying Cyber Risk for Improved Cybersecurity Management by Sravya Bhamidipati Submitted to the Department of Electrical Engineering and Computer Science on August 29, 2019, in partial fulfillment of the requirements for the degree of Master of Engineering in Computer Science and Engineering Abstract As technology's societal influence continues to grow, cyber risk management is be- coming a serious priority. Individuals are putting their important assets and personal data, such as social security numbers, passwords, medical history, and more into the cloud. As a result, security breaches pose a drastic threat. To properly address this, rigorous risk management needs to be in place, and it is a well-known adage that you can not manage what you can not measure. This thesis first shows that there is room in the industry for better quantitative cyber risk measurement and then provides an assessment of current players that are trying to approach this issue. As one solution to the problem, a Failure Modes and Effects Analysis is performed on well-known cybersecurity breaches to provide common failure modes, causes, and effects within an organization. Cyber risk must be evaluated quantitatively in order to effectively approach it. Thesis Supervisor: Michael Siegel Title: Cybersecurity at MIT Sloan, Co-Director 3 4 Acknowledgments I would like to first and foremost thank my advisor, Michael Siegel, for his vision, encouragement, and invaluable guidance throughout my thesis process. I would also like to thank George Wrenn for his wealth of ideas on potential contribu- tions to the field, and for providing me with direction once I picked a path. I thank the rest of the Cybersecurity at MIT Sloan team for sharing new work with me at weekly meetings, and for giving me advice as I shared my own ideas. I would like to thank Saket Bajoria, Nitin Aggarwal, Jyoti Yadav, and Saket Modi for providing me with relevant resources and sharing their analysis metrics and meth- ods with me. My research has been supported in part by their company, Lucideus Incorporated. Lastly, I would like to thank my friends and family, particularly my parents, Jagan and Lakshmi Bhamidipati, for constantly motivating me during this journey! None of this would be possible without my pillars of support. 5 6 Contents 1 Introduction 13 1.1 Contributions . 15 2 Hole in the Industry 17 2.1 Statistical Evidence of a Problem . 18 2.2 Present-Day Cyber Risk Management . 19 2.2.1 National Institute of Standards and Technology . 19 2.2.2 C2M2 . 20 2.2.3 Risk Matrices . 22 2.3 Human Role in Cyber Risk Exposure . 23 2.3.1 Insider Threat . 23 2.3.2 The Government . 24 2.4 Conclusion . 25 3 Current Players 27 3.1 BitSight . 27 3.2 Security Scorecard . 28 3.3 Value at Risk . 29 3.3.1 Factor Analysis of Information Risk . 30 3.3.2 RiskLens . 30 3.4 Lucideus Security Assessment Framework for Enterprise (SAFE) . 31 3.5 Cyber Doppler . 33 3.6 Conclusion . 35 7 4 Failure Modes and Effects Analysis for Cybersecurity Management 37 4.1 What is FMEA? . 38 4.2 Background . 38 4.3 Applicability to the Cyber World . 39 4.4 FMEA Literature Review . 39 4.5 Prevalence of Breaches caused by People and Policies . 46 4.6 Methodology . 47 4.7 FMEA Example . 49 4.7.1 Yahoo, 2014 . 49 4.7.2 Marriott International, 2014-2018 . 49 4.7.3 Adult Friend Finder, 2016 . 49 4.7.4 Equifax, 2017 . 50 4.7.5 eBay, 2014 . 50 4.7.6 Target Stores, 2013 . 50 4.7.7 JP Morgan Chase, 2014 . 50 4.7.8 Uber, 2016 . 51 4.7.9 US Office of Personnel Management (OPM), 2012-2014 . 51 4.7.10 Sony Playstation Network, 2011 . 51 4.8 Results . 51 4.9 Analysis and Future Work . 52 5 Discussion 55 5.1 Future Work . 55 A Tables 57 B Figures 59 8 List of Figures 2-1 An example of MIL usage for effective management[10] . 21 3-1 Security Scorecard sample report[80] . 28 3-2 Value at Risk Flowchart[78] . 29 3-3 SAFE Model flow of information[33] . 32 3-4 BCG Cyber Doppler loss and impact calculation methodology[84] . 34 4-1 Assigning risk based on likelihood and impact[93] . 41 4-2 The FAIR model assessment of risk[37] . 43 4-3 Example analysis across various failure modes[2] . 45 4-4 Six Sigma's[81] severity, occurrence, detectability scoring recommen- dations, Part 1 . 48 4-5 Six Sigma's[81] severity, occurrence, detectability scoring recommen- dations, Part 2 . 48 B-1 A bar chart ranking the top 10 cyber breaches by Risk Priority Number 60 B-2 A scatter plot comparing the RPNs to number of stolen records . 61 9 10 List of Tables A.1 A sample FMEA conducted on the top 10 breaches of the past decade. 58 11 12 Chapter 1 Introduction The presence of cyber crime and efforts to thwart it have been around for about fifty years. The first known usage of the word "hacking" came in 1960, although it was seen as a positive way to improve systems at that time. By the 1970s, there was a darker turn when hackers began using their skills to act as operators and extort personal information from unsuspecting clients. Controlling this was difficult, as technology was still new at the time, and there was no legislation in place to stop cyber crime as there was for other crimes. In 1986, Congress finally passed the Federal Computer Fraud and Abuse Act, making it a felony to tamper with computers. While this helped some cases, law enforcement became far too vigilant and nearly ruined some innocent companies based on suspicions of cyber crime activity. To counter this, the Electronic Frontier Foundation, a group dedicated to preventing illegal prosecution of organizations, was formed in 1990[87]. The technological industry has been dealt the challenge of striking the delicate balance between protecting information from malicious hackers and ensuring that searches for these criminals are done lawfully. The management side of such attacks has not evolved as fast as the cyber criminals have. For example, between 2016 and 2017, there was a reported 600% increase in Internet of Things (IoT)1 attacks. Though 1"The internet of things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction"[74] 13 companies are cracking down on vulnerabilities, attackers are now injecting malware earlier in the supply chain to exploit organizations. In fact, a recent Internet Security Threat Report by Symantec claims that 1 out of every 13 web requests have led to malware[13]. As a result of such aggressive and consistent attacks, Cybersecurity Ventures, a leading computer and network security company, predicts that cyber crimes in the five-year period up to 2021 will total total one trillion dollars[53]. The cost per stolen record in the United States has shot up to about $233, with the cost per health care record at a much higher marking of $408[82]. The stakes are high, yet a lot of companies have ignored cyber threat altogether. A recent survey[45] found that seven in ten companies are unprepared for a cyber attack. 45% of companies surveyed reported experiencing at least one cyber attack in the past year, and two-thirds of that group suffered at least two. This is an especially scary statistic given that about two thirds of small to mid-size companies shut down entirely after a cyber attack[8]. To address this large issue, some players have recently come out with quantifiable risk assessment tools and techniques, but they are still new and imperfect. There is a significant need for improved measurement and management of cy- ber risk. The aftermaths of recent major data breaches and cyberattacks affecting organizations like Yahoo[46], Target[66], T-Mobile[20], Sony Pictures[21], and JP Morgan[29] reveal how critical it is for organizations to remain vigilant and act effec- tively in protecting against cyber incidents. Beyond the financial impact, a cyberat- tack may, for example, cause irreparable damage to a firm in the form of corporate liability, a weakened competitive position, and loss of credibility. When the potential impacts of cyber incidents reach this level of damage, corporate leaders including board members get involved[22]. In addition, attacks on critical infrastructure have resulted in physical damage to production environments, as was the case with the cyber attack on a German steel mill[22] in 2014, and energy delivery systems like pipelines and electric distribution systems. Cyber risk measurement and manage- ment are cornerstones for protection of the enterprise. However, both are addressed by multiple standards, frameworks and approaches. It is essential that improvements 14 be made to existing approaches so that cyber leaders can better measure and manage cyber risk as an end-to-end process.
Load more

Recommended publications
  • Cyber Resiliency Metrics, Measures of Effectiveness, and Scoring
    M T R 1 8 0 3 1 4 Approved for Public Release; MITRE TECHNICAL REPORT Distribution Unlimited. Public Release Case Number 18-2579 Cyber Resiliency Metrics, Measures of Effectiveness, and Scoring Dept. No.: T8A2 Project No.: 5118MC18-KA The views, opinions and/or findings contained in this report are those of The MITRE Corporation and should not be construed as an official government position, policy, or decision, unless designated by Enabling Systems Engineers and Program other documentation. Approved for Public Release; Distribution Managers to Select the Most Useful Unlimited. Public Release Case Number 18- 2579 Assessment Methods NOTICE This technical data was produced for the U. S. Government under Contract No. FA8702- 18-C-0001, and is subject to the Rights in Technical Data-Noncommercial Items Clause Deborah J. Bodeau DFARS 252.227-7013 (JUN 2013) Richard D. Graubart ©2018 The MITRE Corporation. All rights reserved. Rosalie M. McQuaid John Woodill Bedford, MA September 2018 Abstract This report is intended to serve as a general reference for systems engineers, program management staff, and others concerned with assessing or scoring cyber resiliency for systems and missions; selecting cyber resiliency metrics to support cyber resiliency assessment; and defining, evaluating, and using cyber resiliency measures of effectiveness (MOEs) for alternative cyber resiliency solutions. Background material is provided on how cyber resiliency scores, metrics, and MOEs can be characterized and derived; based on that material, a wide range of potential cyber resiliency metrics are identified. Topics to address when specifying a cyber resiliency metric are identified so that evaluation can be repeatable and reproducible, and so that the metric can be properly interpreted.
    [Show full text]
  • Piper Jaffray Cybersecurity Earnings Update
    Piper Jaffray Cybersecurity Earnings Update Third Quarter 2017 Marc Steifman Greg Klancher Co-Head of Technology Principal Investment Banking Piper Jaffray & Co. Piper Jaffray & Co. MINNEAPOLIS | BOSTON | CHICAGO | HOUSTON | LONDON | LOS ANGELES | NEW YORK | SAN FRANCISCO | ZÜRICH Piper Jaffray Companies (NYSE: PJC) is an investment bank and asset management firm headquartered in Minneapolis with offices across the U.S. and in London, Zurich and Hong Kong. Securities brokerage and investment banking services are offered in the United States through Piper Jaffray & Co., member NYSE and SIPC, in Europe through Piper Jaffray Ltd., authorized and regulated by the Financial Conduct Authority, and in Hong Kong through Piper Jaffray Hong Kong, authorized and regulated by the Securities and Futures Commission. Asset management products and services are offered through three separate investment advisory affiliates registered with the U.S. Securities and Exchange Commission: Advisory Research Inc., Piper Jaffray Investment Management LLC and PJC Capital Partners LLC. Piper Jaffray & Co., Member SIPC and FINRA 11/17 Piper Jaffray Case Study: Vista Equity Partners acquires majority stake in Jamf Vista Equity Partners: Undisclosed . Vista Equity Partners is a U.S.-based investment firm with more than $30 billion in cumulative capital commitments, currently invests in software, data and technology-enabled organizations. The firm invests in middle market management and leveraged buyouts, growth and acquisition Has purchased a majority financing, recapitalizations, private transactions, spin-outs and corporate divestitures. stake in . The firm was founded in 2000 and is headquartered in Austin, Texas. Jamf: . Jamf focuses on helping businesses, education and government organizations succeed with November 2017 Apple through its Jamf Pro and Jamf Now solutions.
    [Show full text]
  • Collected from the Internet That Internet the from Collected Data of Off Based Profile Risk a Builds Score Risk Cyber FICO’S “FICO® Cyberriskscore,”FICO,2019
    TABLE OF CONTENTS 4 Overview 6 General Methodology Bibliography Entries 7 Frameworks & Scorecards 8 Barrett, Matthew P. (2018). Framework for Improving Critical Infrastructure Cybersecurity 1.1 8 Freund, Jack and Jack Jones (2014). Measuring and Managing Information Risk: a FAIR approach 8 Information Systems and Control Association (2019). Cobit 2019 8 International Organization for Standardization (2018). ISO/IEC 27000 family - Information security management systems 9 Center for Information Security (2019). Cybersecurity Tools 9 Global Cyber Alliance (2019). GCA Cybersecurity Toolkit for Small Business 9 European Telecommunications Standards Institute (2019). TC Cyber 9 Information Security Forum (2018). The ISF Standard of Good Practice for Information Security 2018 10 SWIFT (2019). SWIFT Customer Security Control Framework 10 BSA (2019). BSA Framework for Secure Software 10 American Public Power Association (2019). Cybersecurity Scorecard 10 BitSight (2019). BitSight Security Ratings 10 FICO (2019). FICO® Cyber Risk Score 11 F-Secure (2019). THE CYBER SECURITY Stress Test 11 NormShield (2019). The Comprehensive Cyber Risk Scorecard 11 NormShield (2019). The Rapid Cyber Risk Scorecard 11 RiskLens (2019). Risk Portfolio 11 Security Scorecard (2019). Security Scorecard 11 UpGuard (2019). BreachSight 11 Upguard (2019). VendorRisk 12 Cyber Insurance Metrics 13 European Union Agency for Network and Information Security (2016). Cyber Insurance: Recent Advances, Good Practices & Challenges 13 Böhme, Rainer and Galina Schwartz (2010). Modeling Cyber-Insurance: Towards A Unifying Framework 13 Marotta, Angelica et al. (2017). Cyber-insurance survey 13 Pal, Ranjan et al. (2014). Will Cyber-Insurance Improve Network Security? A Market Analysis 14 ROI/ROSI 15 European Union Agency for Network and Information Security (2012). Introduction to Return on Security Investment 15 Brangetto, Pascal and Mari Kert-Saint Aubyn (2015).
    [Show full text]
  • The Legality of Securityscorecard Data Collection European Market Edition
    The Legality of SecurityScorecard Data Collection European Market Edition SecurityScorecard.com 214 West 29th St, 5th Floor [email protected] New York, NY 10001 ©2018 SecurityScorecard Inc. 1.800.682.1707 Executive Summary SecurityScorecard delivers security ratings that empower enterprises to instantly and accurately monitor, assess and understand their own cybersecurity posture as well as the cyberhealth of all vendors and business partners in their ecosystems. SecurityScorecard does not collect or use personal data or other personal information related to its product offerings, which limits the applicability of the General Data Protection Regulation (GDPR) to its B2B operations. However, as part of its alignment with best business practices, SecurityScorecard is committed to compliance with GDPR and all applicable U.S. federal regulations, including the Federal Trade Commission (FTC) Act, the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act, which dictate how SecurityScorecard acquires, uses and discloses data. Since SecurityScorecard engages with clients in heavily regulated industries that are subject to GDPR and U.S. federal laws on personal data privacy, the company also focuses on requirements of laws that impact customers and how those laws apply to its own business operations. SecurityScorecard believes it is critical to be responsible, transparent and compliant with applicable global and federal laws, and respectful of third-party notices and agreements regarding data collection, storage and aggregation. SecurityScorecard understands that the collection and protection of data in accordance with applicable laws and identified best practices is not only a legal requirement but is also key to business success and of paramount importance to customers.
    [Show full text]
  • Scoring Methodology
    Table of Contents Cybersecurity Ratings 3 What do Scores Mean? 3 Factor Scores 4 Cybersecurity Signals 5 Signal Processing Workflow 14 Signal Collection 15 Attribution Engine 15 Cyber Analytics 17 Scoring Engine 17 Scoring Methodology 17 Size Normalization 18 Calibration Process 20 Calculating Factor Scores 20 Calculating Total Score 21 Breach Penalty 22 Keeping the Scoring Framework Current 22 Calibration Cadence 23 Industry Comparisons 23 Collaboration with End Users Validation 24 Limitations 25 FAQ 26 Cybersecurity Ratings The rise of the internet and its global role in e-commerce, business operations, communications, and social media, has created both opportunities and risks. While it can fuel economic growth and speed up the dissemination of news and ideas, the existence of vulnerabilities in commonly used software products and services, and poor adherence to recommended security practices can expose organizations to significant financial and reputational harm at the hands of malicious actors - including both individuals and nation-states. SecurityScorecard evaluates Cybersecurity ratings provide a means for objectively organizations’ security profiles monitoring the security hygiene of organizations and non-intrusively, using an gauging whether their security posture is improving or ‘outside-in’ methodology. This deteriorating over time. The ratings are valuable for approach enables vendor risk management programs, determining risk SecurityScorecard to operate at premiums for cyber insurance, credit underwriting and scale, measuring and updating financial trading decisions, M&A due diligence information, executive-level reporting, and for self-monitoring. cybersecurity ratings daily on Cybersecurity ratings and the extensive information on more than one million which they are based are also helpful for assessing organizations globally compliance with cybersecurity risk standards.
    [Show full text]
  • Cyber Defense Emagazine for February 2021
    Key Business Lessons Learned from The SolarWinds Hack Data Loss Prevention in Turbulent Times A Digital Journey: A Long and Winding Road Why Ensuring Cyber Resilience Has Never Been More Critical or More Challenging Than It Is Today …and much more… Cyber Defense eMagazine – June 2021 Edition 1 Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide. CONTENTS Welcome to CDM’s June 2021 Issue ------------------------------------------------------------------------------------------------ 6 Key Business Lessons Learned from The SolarWinds Hack ---------------------------------------------------------32 By, George Waller, CEO of Strikeforce Technologies Data Loss Prevention in Turbulent Times -------------------------------------------------------------------------------35 By Otavio Freire, CTO & Co-Founder at SafeGuard Cyber A Digital Journey: A Long and Winding Road --------------------------------------------------------------------------39 By David Jemmett, CEO and Founder, Cerberus Sentinel Why Ensuring Cyber Resilience Has Never Been More Critical or More Challenging Than It Is Today -43 By Don Boxley, Co-founder and CEO, DH2i Uncovering hidden cybersecurity risks -----------------------------------------------------------------------------------46 By Adam Nichols, Principal of Software Security at GRIMM The Solution to Overcoming Cyber Threats in A 5g World ---------------------------------------------------------50 By Michael Abad-Santos, Senior Vice President of Business Development and Strategy, BridgeComm How An
    [Show full text]
  • Tulsa Enterprise for Cyber Innovation, Talent And
    Tulsa Enterprise for Cyber Innovation, Talent and Entrepreneurship (TECITE) Cybersecurity at TU A leader in cybersecurity research and education for more than 20 years FEDERAL CENTERS OF ACADEMIC EXCELLENCE n Information Assurance and Cyber Defense Education since 2000; one of the first 14 institutions awarded this distinction n Information Assurance Research n Cyber Operations n One of the few universities awarded all three distinctions PATENTS U.S. Patent No. 9,471,789, issued Oct. 18, 2016. Compliance method for a cyber-physical system. Inventors: J. Hale, P. Hawrylak, and M. Papa. U.S. Patent No. 9,038,155, issued May 19, 2015. Auditable multi-claim security token. Inventors: R. Gamble and R. Baird. U.S. Patent No. 6,732,180, issued May 4, 2004. A method to inhibit the identification and retrieval of proprietary media via automated search engines utilized in association with computer compatible communications networks. Inventors: J. Hale and G. Manes. EDUCATIONAL OPPORTUNITIES n Cyber Corps - NSF Scholarship-For-Service and DoD Information Assurance Scholarship Programs - Substantial number of graduates placed in government positions n MS in Cybersecurity Professional Track degree offered online along with a traditional residential program n Undergraduate Exposure in Cybersecurity - Substantial curriculum offerings -Research engagement through funded support and the Tulsa Undergraduate Research Challenge - Minor that attracts undergraduate students from computer science, engineering and business RESEARCH n Interdisciplinary research
    [Show full text]
  • Elite 80 the Hottest Privately Held Cybersecurity and It Infrastructure Companies
    Cybersecurity & IT Infrastructure APRIL 2021 ELITE 80 THE HOTTEST PRIVATELY HELD CYBERSECURITY AND IT INFRASTRUCTURE COMPANIES Copyright: Shutterstock/Paopano Erik Suppiger [email protected] (415) 835-3918 FOR DISCLOSURE AND FOOTNOTE INFORMATION, REFER TO JMP FACTS AND DISCLOSURES SECTION. Cybersecurity & IT Infrastructure TABLE OF CONTENTS Executive Summary ....................................................................................................................................................................................... 4 Funding Trends .............................................................................................................................................................................................. 5 Index by Venture Capital Firm ..................................................................................................................................................................... 11 Aqua Security ............................................................................................................................................................................................... 15 Arctic Wolf .................................................................................................................................................................................................... 16 Armis ...........................................................................................................................................................................................................
    [Show full text]
  • 2019 Healthcare Cybersecurity Report
    2019 Healthcare Report securityscorecard.com [800] 682 1707 Overview The healthcare industry still needs improvement in its cybersecurity posture. Meanwhile, malicious actors increasingly target electronic protected health information (ePHI) because the data it contains provides enough information to steal a person’s full identity. Healthcare databases store a plethora of information “It’s no secret in healthcare, significant including social security numbers, financial, health insurance, risk exists in the supply chain and and driver’s license data. Online toolkits make targeting this information easier, increasing the number of malicious actors. it's increasing as systems supporting In December 2018, Dark Reading described how attackers can clinical and administrative processes remotely launch attacks that render firmware and hardware are migrating out of our data centers inoperable.¹ and into the hands of service providers In this year’s report, SecurityScorecard looked at 26,204 more and more. SecurityScorecard companies from September 2, 2018 to January 28, 2019 and gives us a lens into how seriously our analyzed terabytes of information to assess risk across ten risk service providers take the security factors. of their platforms. We’re using it as an input into selecting the right service providers, getting the contracts Key Insights and service levels right, monitoring y The healthcare industry ranks eighth out of eighteen other adherence to those contracts, and major U.S. industries. to drive honest conversations about y Ranks eighth out of eighteen for application security when security – which are most important.” compared to other major U.S. industries. y Ranks thirteenth out of eighteen in DNS health when Taylor Lehmann compared to other major U.S.
    [Show full text]
  • SSC-2017-Financial-Report.Pdf
    Overview In 2016, the financial services sector was attacked 65 times more often than any other sector, according to the IBM Security Trends in the Financial Services Sector Report. And with the sensitive and high- value nature of data held by financial institutions, these hacker threats have not slowed down in the past year. The frequency and amount of attacks in combination with the increase in regulatory mandates and enforcement in 2017 mean that maintaining good cybersecurity hygiene is increasingly important for financial institutions. The recent Equifax breach serves as a reminder that financial institutions, in particular, are businesses that are based on trust. With customers becoming more informed on cybersecurity risks, it’s paramount for financial institutions to develop and maintain risk mitigation practices that foster good cybersecurity health. To take a look at the cybersecurity health of financial institutions, this September, SecurityScorecard analyzed 2,924 financial institutions in the SecurityScorecard platform to find existing vulnerabilities within banks, investment firms, and other financial firms to determine the cybersecurity performance of the financial sector, especially as compared to other industries. Our team also analyzed the cybersecurity posture of the Top 20 highest performing FDIC-insured banks to understand what security factors pose risks to these financial institutions. 3 Key Insights A SecurityScorecard rating is a comprehensive indicator of relative security health, or security posture. The SecurityScorecard platform looks at ten primary risk factors. Within each factor, a breadth of unique data points is scored and weighted to determine an overall factor grade. Each factor grade is then appropriately weighted and used to calculate an organization’s overall rating.
    [Show full text]
  • Transforming Insights Into Cyber Resilience Via Technology Integration
    Transforming Insights into Cyber Resilience via Technology Integration FEBRUARY 2018 SECURITYSCORECARD.COM ARAVO.COM Aravo and SecurityScorecard Partner to Persistently Assess Third-Party Cyber-health Aravo, an industry leader third-party risk management solutions, and SecurityScorecard, the industry leader in security ratings, have partnered to integrate their solutions to provide today’s global extended enterprises with a unique approach to assessing their third party ecosystem for cybersecurity vulnerability, and ensuring the appropriate remediation plans are in place. This ability to take predictive insight and embed into action plans is a critical requirement for securing vulnerable vendor ecosystems that are evolving and expanding as rapidly as the modern cyberattack surface. Overview Enterprises continue to struggle with the increasingly difficult mandate to consistently improve, maintain, and document cybersecurity in order to protect and enhance brand reputation, customer trust, and the bottom line. Top of mind on the cybersecurity agenda is adopting a more agile approach to managing emerging risks across an organization’s third-party portfolio. The staggering cost of data breaches continues to escalate and is predicted to exceed $2 trillion by next year, according to Juniper Research. The average cost of a single breach is more than $4 million, estimates the Ponemon Institute. Industry analysts suggest that nearly two-thirds of data breaches can be attributed to third-party vendors. 2 Third parties are woven into the very fabric of the modern enterprise, and are intrinsically linked to business success and reputation. Today’s complex and dynamic third-party networks, which can comprise thousands of suppliers, distributors, franchises, resellers, contractors, service providers, and other business partners, bring strategic advantages to a relationship; but they also bring vulnerabilities.
    [Show full text]
  • Zirra Market Analysis Cybersecurity Trends in Israel and New York
    Zirra Market Analysis Cybersecurity Trends in Israel and New York Methodology The Zirra Analysis Market Report is synthesized from many inputs, most notably the wisdom of the crowd, the output of aggregation and data collection technology, and the ratings and metrics produced by our proprietary algorithms. The report is built on external and public information on a company or companies, and provides insights and conclusions obtained from that information. None of the opinions or insights belong to any Zirra employees. All of them are grounded in the integration of a variety of sources. Some statements may sound opinionated, but these are the composite of relevant inputs and crowd opinions, vetted against similar historical situations of comparable companies. Fact We use no inside information. Information offered in the report that is usually non-public by nature, such as revenue figures, trade secrets, share structures and others, may be missing or somewhat inaccurate in the report. In some cases, such as with valuations, the numbers are generated by our algorithmic models. We do get help from industry experts. We factor their opinions into the algorithm as well as into the qualitative sections. Experts that speak on the record are usually accessible for further questions. Some experts choose to stay anonymous, and in these cases we can provide detailed logs of their contributions (that still maintain their anonymity). Mathematical figures such as ratings and valuations are based on our proprietary algorithms. The intended purpose is as a benchmark for your own process; we cannot “prove” validity of these outputs. In addition, we provide a lot of raw collected data.
    [Show full text]