SlideShare a Scribd company logo

3rd Part Cyber Risk Report - 2018

NormShield
NormShield

THE WEAKEST LINK MAY NOT BE IN YOUR SYSTEM - 3rd Party Cyber Risk Report @Normshield - 2018

Technology
1 of 11
1 THE WEAKEST LINK MAY NOT BE IN YOUR SYSTEM Phone +1 (571) 335-0222 Email info@normshield.com 8200 Greensboro Dr. Ste 900 McLean, VA 22102 NormShield 3rd Party Cyber Risk Report
www.normshield.com 2 NormShield 3rd Party Cyber Risk Report The weakest link may not be in your system Matt, CISO of a large company, comes to office on Friday. He is a very successful Chief of Information Security Office and he is very confident of capabilities of his team. They handle all vulnerabilities inside their own system, continuously scan and monitor their system, they use cutting-edge security tools such as firewalls, WAFs, IDS/IPS, and Data Leak Protection technologies. The cyber security awareness of the employees is quite high and they do everything to avoid phishing-type attacks. The possibility that something goes wrong is very low. However, that Friday morning, when Matt looks at online news, he shockingly discovers that many of their client information is leaked. He starts to investigate the situation and finds nothing in their own system. But later, he finds out that the leak is originated from a 3rd party, a data management company which manages emails of large companies.
www.normshield.com 3 NormShield 3rd Party Cyber Risk Report Recently, we have heard similar stories about breaches because of 3rd parties such as vendors, subsidiaries, web hosting companies, law firm partners, firms in supply chain, etc. Large companies such as financial institutions, e-commerce companies have been improving their cyber security system for external or even internal attacks. They can internally identify vulnerabilities of their own system by monitoring and/or scanning tools and take necessary precautions. However, all these efforts might be for nothing if 3rd party cyber risk is unknown. 3rd party risk management and data governance are growing concerns. It is not surprising that, very recently, the revised version of the U.S. National Institute of Standards and Technology’s Cybersecurity Framework (NIST) now includes supply chain cyber risk management1. 1 https://www.wsj.com/articles/amid-national-security-warnings-nist-adds-supply-chain-security-to-cyber- framework-1524175900
www.normshield.com 4 NormShield 3rd Party Cyber Risk Report What is 3rd Party? 3rd parties include broad range of companies you directly worked with such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, sub-contractors, basically any company some of whose employees have somewhat access to your system or your data. However, third party cyber risk is not limited to these companies. Any external software or hardware that you use for your system also poses a cyber risk. Even the JavaScript that is added to your website for analytics may cause a breach by collection information of people that visited your website. Considering some recent hacks by putting backdoors to well-known software, such as CCleaner in 2017, the definition of 3rd party should not be limited to only the companies that you work. Even IoT devices can be considered as a third party and can be source of a breach. Very recently a casino was hacked through its Internet-connected thermometer in an aquarium in the lobby of the casino.
www.normshield.com 5 NormShield 3rd Party Cyber Risk Report GDPR perspective on third party The upcoming European Union’s General Data Protection Regulation (GDPR) has the terms third-party data processor and controller. As the name suggests, a third-party data processor is an entity that processes personally identifiable information (PII) on behalf of a controller. Basically, it can be e-mail service providers, customer relationship management services, etc. A controller is defined by the GDPR as an entity that determines how that data will be processed and for what reason. All companies work with third-party data processors have to ensure that these third-parties comply or intent to comply the upcoming GDPR rules.
www.normshield.com 6 NormShield 3rd Party Cyber Risk Report Recent breaches caused by 3rd parties The figure below shows recent breaches/incidents caused by third parties. As seen from these breaches/incidents, the third party that caused a breach might be a law firm (usually the weakest link), an accounting firm, or even a firm that handles HVAC jobs; or it might be companies that provides web hosting, data management, e-mail services, etc.
www.normshield.com 7 NormShield 3rd Party Cyber Risk Report How much do you trust the cyber security measurements of 3rd-party companies? A recent survey conducted by Ponemon Institute reveals that 56% have experienced a 3rd-party breach in 2017, which is an 7% increase compared to previous year2 . Another survey conducted by Deloitte in 2016 gives more depressive numbers, reporting that 87% of organizations have experienced a disruptive incident with third parties in the last 2-3 years. Another research in 2016, sourced by Soha Systems, reports that 63% of all breaches were related to third parties. The fines paid because of the breaches are as quite large as more than 7 million $US per breach. For instance, Target paid more than $116 million in civil settlements related to its 2013 breach caused by an HVAC company. The total cost to company because of this breach exceeded $290 million. With upcoming GDPR, we shall see higher fines for each breach related to EU citizens. The GDPR fines can go up to 20 million Euros or 4% of annual global turnover (whichever is the highest). 2 https://www.opus.com/ponemon/
www.normshield.com 8 NormShield 3rd Party Cyber Risk Report How much do you know about third parties? The Ponemon Institute report shows that 57% of companies do not know if they share sensitive information with third parties and they don’t know either if the third parties’ security measurements would prevent a breach. As a result, only 17% feel that they are highly capable of mitigating third party risk and 60% feel unprepared to check or verify their third parties.
www.normshield.com 9 NormShield 3rd Party Cyber Risk Report How to assess 3rd party risk? Many companies either do not have any assessment on cyber risk of third parties or use old-school questionnaire methodology (sending a bunch of questions for third party to answer and assessing the risk based on the answer). First of all, questionnaire-based assessment is very time consuming (even though there are some online tools for it) and answers are not reliable. Even if we assume that answers are correct and we collect the results quickly, there might be some cyber risks that are invisible to third party. This type of “hidden” risks can only be detected by gathering cyber threat intelligence and evaluating the risk. Fortunately, there are several platforms that gather third party data and provide a risk score or security rating for companies related to a certain company. NormShield, BitSight, Security Scorecard, UpGuard, and RiskRecon are top players in the third-party risk scoring business. They all provide risk scores or security rating for any company added as a third-party and assess its cyber risk and how it affects the main company. This type of information can also be used for mergers and acquisitions.
www.normshield.com 10 NormShield 3rd Party Cyber Risk Report Using NormShield Cyber Risk Scorecard to assess third parties? As an example, we explain how to use NormShield Cyber Risk Scorecard to assess the third parties for a company. In NormShield Cyber Risk Scorecard, you can create an ecosystem that will includes the main company and all the third- parties to be added. More than one ecosystem can be created such as an ecosystem including the companies/branches owned by the main company or an ecosystem for third-parties or you can even create an ecosystem which includes only law firms that you work with. Then, a third-party can easily be added by only typing its website. NormShield first discover the digital footprint of the third party (domains, subdomains, IP addresses, DNS Records, services, social media accounts, ASN, e-mails, company info, etc.) to see what hackers see on this third party. Then NormShield evaluates the cyber risk by its proprietary algorithm on 20 different categories and how the cyber risk of this third party affects the overall ecosystem. Below is a list of some categories taken into consideration; Main company then can contact to third company and discuss the issues found by NormShield Cyber Risk Scorecard and remediate and mitigate the risk.
www.normshield.com 11 NormShield 3rd Party Cyber Risk Report About NormShield We provide Cyber Risk Scorecard for companies just like FICO score. Cyber security is on every Board’s agenda, and the average total cost of a data breach has risen to $4 million (Ponemon/IBM). NormShield Cyber Risk Scorecards provide the information necessary to protect business from cyber-attacks. The scorecards provide a letter grade and a drill down into the data for each risk category so that remediation of vulnerabilities can be prioritized. Unified Threat & Vulnerability Orchestration Platform and Cyber Risk Scorecard. To learn your company’s risk score, please visit https://www.normshield.com/ and click on Learn Now. www.normshield.com 1 (571) 335 02 22 info@normshield.com NormShield HQ 8200 Greensboro Drive Suite 900 McLean, VA 22102

Recommended

idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutions
Jonny Nässlander
 
Dark Net The Devil in the Details - Larry Boettger and Michael Horsch Fizz
Dark Net The Devil in the Details - Larry Boettger and Michael Horsch FizzDark Net The Devil in the Details - Larry Boettger and Michael Horsch Fizz
Dark Net The Devil in the Details - Larry Boettger and Michael Horsch Fizz
FitCEO, Inc. (FCI)
 
Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018
Entersoft Security
 
Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security Predictions
Kim Jensen
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
sraina2
 
Cybersecurity: Whose job is it anyway?
Cybersecurity: Whose job is it anyway?Cybersecurity: Whose job is it anyway?
Cybersecurity: Whose job is it anyway?
Guy Pearce
 
Review on 3rd-party Cyber Risk Assessment and Scoring Tools
Review on 3rd-party Cyber Risk Assessment and Scoring ToolsReview on 3rd-party Cyber Risk Assessment and Scoring Tools
Review on 3rd-party Cyber Risk Assessment and Scoring Tools
NormShield
 
Reasons to be secure
Reasons to be secureReasons to be secure
Reasons to be secure
Meg Weber
 

Recommended

idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutions
Jonny Nässlander
 
Dark Net The Devil in the Details - Larry Boettger and Michael Horsch Fizz
Dark Net The Devil in the Details - Larry Boettger and Michael Horsch FizzDark Net The Devil in the Details - Larry Boettger and Michael Horsch Fizz
Dark Net The Devil in the Details - Larry Boettger and Michael Horsch Fizz
FitCEO, Inc. (FCI)
 
Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018
Entersoft Security
 
Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security Predictions
Kim Jensen
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
sraina2
 
Cybersecurity: Whose job is it anyway?
Cybersecurity: Whose job is it anyway?Cybersecurity: Whose job is it anyway?
Cybersecurity: Whose job is it anyway?
Guy Pearce
 
Review on 3rd-party Cyber Risk Assessment and Scoring Tools
Review on 3rd-party Cyber Risk Assessment and Scoring ToolsReview on 3rd-party Cyber Risk Assessment and Scoring Tools
Review on 3rd-party Cyber Risk Assessment and Scoring Tools
NormShield
 
Reasons to be secure
Reasons to be secureReasons to be secure
Reasons to be secure
Meg Weber
 
2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)
- Mark - Fullbright
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
Jeremiah Grossman
 
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOsGlobal Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Argyle Executive Forum
 
Índice de software sin licencia en el mundo.
Índice de software sin licencia en el mundo. Índice de software sin licencia en el mundo.
Índice de software sin licencia en el mundo.
Luis Noguera
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)
- Mark - Fullbright
 
The Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch Fizz
The Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch FizzThe Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch Fizz
The Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch Fizz
FitCEO, Inc. (FCI)
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Sarah Nirschl
 
STUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSTUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability Assessment
Symantec
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White Paper
NetIQ
 
Security troubles in e commerce website
Security troubles in e commerce websiteSecurity troubles in e commerce website
Security troubles in e commerce website
Dr. Raghavendra GS
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Randall Chase
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
Jeremiah Grossman
 
Whitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationWhitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformation
Nexon Asia Pacific
 
Proofpoint Understanding Email Fraud in 2018
Proofpoint Understanding Email Fraud in 2018 Proofpoint Understanding Email Fraud in 2018
Proofpoint Understanding Email Fraud in 2018
Proofpoint
 
Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related ulf mattssonWho is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related ulf mattsson
Ulf Mattsson
 
2011 Annual Study - U.S. Cost of a Data Breach - March 2012
2011 Annual Study - U.S. Cost of a Data Breach - March 20122011 Annual Study - U.S. Cost of a Data Breach - March 2012
2011 Annual Study - U.S. Cost of a Data Breach - March 2012
Symantec
 
ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019
- Mark - Fullbright
 
11 Reasons Why Your Company Could Be In Danger
11 Reasons Why Your Company Could Be In Danger11 Reasons Why Your Company Could Be In Danger
11 Reasons Why Your Company Could Be In Danger
Copper Mobile, Inc.
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise Chapter
Patricia M Watson
 
Verizon DBIR 2021
Verizon DBIR 2021Verizon DBIR 2021
Verizon DBIR 2021
SOCRadar Inc
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
Constantine Karbaliotis
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security index
sukiennong.vn
 

More Related Content

What's hot

WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
Jeremiah Grossman
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Randall Chase
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
Jeremiah Grossman
 
Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related ulf mattssonWho is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related ulf mattsson
Ulf Mattsson
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise Chapter
Patricia M Watson
 

What's hot (20)

2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOsGlobal Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
 
Índice de software sin licencia en el mundo.
Índice de software sin licencia en el mundo. Índice de software sin licencia en el mundo.
Índice de software sin licencia en el mundo.
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)
 
The Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch Fizz
The Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch FizzThe Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch Fizz
The Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch Fizz
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
 
STUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSTUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability Assessment
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White Paper
 
Security troubles in e commerce website
Security troubles in e commerce websiteSecurity troubles in e commerce website
Security troubles in e commerce website
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Whitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationWhitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformation
 
Proofpoint Understanding Email Fraud in 2018
Proofpoint Understanding Email Fraud in 2018 Proofpoint Understanding Email Fraud in 2018
Proofpoint Understanding Email Fraud in 2018
 
Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related ulf mattssonWho is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related ulf mattsson
 
2011 Annual Study - U.S. Cost of a Data Breach - March 2012
2011 Annual Study - U.S. Cost of a Data Breach - March 20122011 Annual Study - U.S. Cost of a Data Breach - March 2012
2011 Annual Study - U.S. Cost of a Data Breach - March 2012
 
ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019
 
11 Reasons Why Your Company Could Be In Danger
11 Reasons Why Your Company Could Be In Danger11 Reasons Why Your Company Could Be In Danger
11 Reasons Why Your Company Could Be In Danger
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise Chapter
 
Verizon DBIR 2021
Verizon DBIR 2021Verizon DBIR 2021
Verizon DBIR 2021
 

Similar to 3rd Part Cyber Risk Report - 2018

We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdf
galagirishp
 
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
rsouthal2003
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
- Mark - Fullbright
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015
Paul Ferrillo
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Precisely
 

Similar to 3rd Part Cyber Risk Report - 2018 (20)

Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security index
 
We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdf
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
 
Big Data Dectives
Big Data DectivesBig Data Dectives
Big Data Dectives
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
Third party risk management with cyber threat intelligence
Third party risk management with cyber threat intelligenceThird party risk management with cyber threat intelligence
Third party risk management with cyber threat intelligence
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data Problem
 
Ways To Protect Your Company From Cybercrime
Ways To Protect Your Company From CybercrimeWays To Protect Your Company From Cybercrime
Ways To Protect Your Company From Cybercrime
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
 
Cybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future AttacksCybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future Attacks
 
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of CompromiseInsight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
 
Big Data Analytics Solutions
Big Data Analytics SolutionsBig Data Analytics Solutions
Big Data Analytics Solutions
 

More from NormShield

More from NormShield (9)

HOW TO MEASURE WHAT HACKERS KNOW ABOUT YOU
HOW TO MEASURE WHAT HACKERS KNOW ABOUT YOUHOW TO MEASURE WHAT HACKERS KNOW ABOUT YOU
HOW TO MEASURE WHAT HACKERS KNOW ABOUT YOU
 
Major 3rd-Party Data Breaches Of 2018
Major 3rd-Party Data Breaches Of 2018Major 3rd-Party Data Breaches Of 2018
Major 3rd-Party Data Breaches Of 2018
 
Normshield 2018 Airlines Phishing Report
Normshield 2018 Airlines Phishing ReportNormshield 2018 Airlines Phishing Report
Normshield 2018 Airlines Phishing Report
 
Are There Any Domains Impersonating Your Company For Phishing?
Are There Any Domains Impersonating Your Company For Phishing?Are There Any Domains Impersonating Your Company For Phishing?
Are There Any Domains Impersonating Your Company For Phishing?
 
NormShield Cyber Risk Rating October 18
NormShield Cyber Risk Rating October 18NormShield Cyber Risk Rating October 18
NormShield Cyber Risk Rating October 18
 
NormShield Supply Chain Risk Management Infographic
NormShield Supply Chain Risk Management InfographicNormShield Supply Chain Risk Management Infographic
NormShield Supply Chain Risk Management Infographic
 
Third-Party Risk in Regulations
Third-Party Risk in RegulationsThird-Party Risk in Regulations
Third-Party Risk in Regulations
 
NormShield Crypto Currency Report 2018
NormShield Crypto Currency Report 2018NormShield Crypto Currency Report 2018
NormShield Crypto Currency Report 2018
 
NormShield 2018 Cyber Security Risk Brief
NormShield 2018 Cyber Security Risk BriefNormShield 2018 Cyber Security Risk Brief
NormShield 2018 Cyber Security Risk Brief
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

3rd Part Cyber Risk Report - 2018

  • 1. 1 THE WEAKEST LINK MAY NOT BE IN YOUR SYSTEM Phone +1 (571) 335-0222 Email info@normshield.com 8200 Greensboro Dr. Ste 900 McLean, VA 22102 NormShield 3rd Party Cyber Risk Report
  • 2. www.normshield.com 2 NormShield 3rd Party Cyber Risk Report The weakest link may not be in your system Matt, CISO of a large company, comes to office on Friday. He is a very successful Chief of Information Security Office and he is very confident of capabilities of his team. They handle all vulnerabilities inside their own system, continuously scan and monitor their system, they use cutting-edge security tools such as firewalls, WAFs, IDS/IPS, and Data Leak Protection technologies. The cyber security awareness of the employees is quite high and they do everything to avoid phishing-type attacks. The possibility that something goes wrong is very low. However, that Friday morning, when Matt looks at online news, he shockingly discovers that many of their client information is leaked. He starts to investigate the situation and finds nothing in their own system. But later, he finds out that the leak is originated from a 3rd party, a data management company which manages emails of large companies.
  • 3. www.normshield.com 3 NormShield 3rd Party Cyber Risk Report Recently, we have heard similar stories about breaches because of 3rd parties such as vendors, subsidiaries, web hosting companies, law firm partners, firms in supply chain, etc. Large companies such as financial institutions, e-commerce companies have been improving their cyber security system for external or even internal attacks. They can internally identify vulnerabilities of their own system by monitoring and/or scanning tools and take necessary precautions. However, all these efforts might be for nothing if 3rd party cyber risk is unknown. 3rd party risk management and data governance are growing concerns. It is not surprising that, very recently, the revised version of the U.S. National Institute of Standards and Technology’s Cybersecurity Framework (NIST) now includes supply chain cyber risk management1. 1 https://www.wsj.com/articles/amid-national-security-warnings-nist-adds-supply-chain-security-to-cyber- framework-1524175900
  • 4. www.normshield.com 4 NormShield 3rd Party Cyber Risk Report What is 3rd Party? 3rd parties include broad range of companies you directly worked with such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, sub-contractors, basically any company some of whose employees have somewhat access to your system or your data. However, third party cyber risk is not limited to these companies. Any external software or hardware that you use for your system also poses a cyber risk. Even the JavaScript that is added to your website for analytics may cause a breach by collection information of people that visited your website. Considering some recent hacks by putting backdoors to well-known software, such as CCleaner in 2017, the definition of 3rd party should not be limited to only the companies that you work. Even IoT devices can be considered as a third party and can be source of a breach. Very recently a casino was hacked through its Internet-connected thermometer in an aquarium in the lobby of the casino.
  • 5. www.normshield.com 5 NormShield 3rd Party Cyber Risk Report GDPR perspective on third party The upcoming European Union’s General Data Protection Regulation (GDPR) has the terms third-party data processor and controller. As the name suggests, a third-party data processor is an entity that processes personally identifiable information (PII) on behalf of a controller. Basically, it can be e-mail service providers, customer relationship management services, etc. A controller is defined by the GDPR as an entity that determines how that data will be processed and for what reason. All companies work with third-party data processors have to ensure that these third-parties comply or intent to comply the upcoming GDPR rules.
  • 6. www.normshield.com 6 NormShield 3rd Party Cyber Risk Report Recent breaches caused by 3rd parties The figure below shows recent breaches/incidents caused by third parties. As seen from these breaches/incidents, the third party that caused a breach might be a law firm (usually the weakest link), an accounting firm, or even a firm that handles HVAC jobs; or it might be companies that provides web hosting, data management, e-mail services, etc.
  • 7. www.normshield.com 7 NormShield 3rd Party Cyber Risk Report How much do you trust the cyber security measurements of 3rd-party companies? A recent survey conducted by Ponemon Institute reveals that 56% have experienced a 3rd-party breach in 2017, which is an 7% increase compared to previous year2 . Another survey conducted by Deloitte in 2016 gives more depressive numbers, reporting that 87% of organizations have experienced a disruptive incident with third parties in the last 2-3 years. Another research in 2016, sourced by Soha Systems, reports that 63% of all breaches were related to third parties. The fines paid because of the breaches are as quite large as more than 7 million $US per breach. For instance, Target paid more than $116 million in civil settlements related to its 2013 breach caused by an HVAC company. The total cost to company because of this breach exceeded $290 million. With upcoming GDPR, we shall see higher fines for each breach related to EU citizens. The GDPR fines can go up to 20 million Euros or 4% of annual global turnover (whichever is the highest). 2 https://www.opus.com/ponemon/
  • 8. www.normshield.com 8 NormShield 3rd Party Cyber Risk Report How much do you know about third parties? The Ponemon Institute report shows that 57% of companies do not know if they share sensitive information with third parties and they don’t know either if the third parties’ security measurements would prevent a breach. As a result, only 17% feel that they are highly capable of mitigating third party risk and 60% feel unprepared to check or verify their third parties.
  • 9. www.normshield.com 9 NormShield 3rd Party Cyber Risk Report How to assess 3rd party risk? Many companies either do not have any assessment on cyber risk of third parties or use old-school questionnaire methodology (sending a bunch of questions for third party to answer and assessing the risk based on the answer). First of all, questionnaire-based assessment is very time consuming (even though there are some online tools for it) and answers are not reliable. Even if we assume that answers are correct and we collect the results quickly, there might be some cyber risks that are invisible to third party. This type of “hidden” risks can only be detected by gathering cyber threat intelligence and evaluating the risk. Fortunately, there are several platforms that gather third party data and provide a risk score or security rating for companies related to a certain company. NormShield, BitSight, Security Scorecard, UpGuard, and RiskRecon are top players in the third-party risk scoring business. They all provide risk scores or security rating for any company added as a third-party and assess its cyber risk and how it affects the main company. This type of information can also be used for mergers and acquisitions.
  • 10. www.normshield.com 10 NormShield 3rd Party Cyber Risk Report Using NormShield Cyber Risk Scorecard to assess third parties? As an example, we explain how to use NormShield Cyber Risk Scorecard to assess the third parties for a company. In NormShield Cyber Risk Scorecard, you can create an ecosystem that will includes the main company and all the third- parties to be added. More than one ecosystem can be created such as an ecosystem including the companies/branches owned by the main company or an ecosystem for third-parties or you can even create an ecosystem which includes only law firms that you work with. Then, a third-party can easily be added by only typing its website. NormShield first discover the digital footprint of the third party (domains, subdomains, IP addresses, DNS Records, services, social media accounts, ASN, e-mails, company info, etc.) to see what hackers see on this third party. Then NormShield evaluates the cyber risk by its proprietary algorithm on 20 different categories and how the cyber risk of this third party affects the overall ecosystem. Below is a list of some categories taken into consideration; Main company then can contact to third company and discuss the issues found by NormShield Cyber Risk Scorecard and remediate and mitigate the risk.
  • 11. www.normshield.com 11 NormShield 3rd Party Cyber Risk Report About NormShield We provide Cyber Risk Scorecard for companies just like FICO score. Cyber security is on every Board’s agenda, and the average total cost of a data breach has risen to $4 million (Ponemon/IBM). NormShield Cyber Risk Scorecards provide the information necessary to protect business from cyber-attacks. The scorecards provide a letter grade and a drill down into the data for each risk category so that remediation of vulnerabilities can be prioritized. Unified Threat & Vulnerability Orchestration Platform and Cyber Risk Scorecard. To learn your company’s risk score, please visit https://www.normshield.com/ and click on Learn Now. www.normshield.com 1 (571) 335 02 22 info@normshield.com NormShield HQ 8200 Greensboro Drive Suite 900 McLean, VA 22102