Ensuring cybersecurity measures up

  • Staying protected: Jacob Olcott, of BitSight Technologies, has been speaking about cybersecurity solutions in Bermuda (Photograph by Scott Neil)

When it comes to cybersecurity, companies need to do much more than make themselves a difficult-to-crack fortress.

Because no matter how solid its own cyberdefences are, an organisation can suffer a damaging data breach or cyberattack through an exploited weakness at a third party business partner.

Jacob Olcott, an expert in the field who is currently in Bermuda, said smart companies recognise they are only as strong as the weakest link in the chain.

A cyberattack can breach a weak third party doing business with another company and, as a consequence, gain access to shared sensitive data.

Massachusetts-based BitSight Technologies has devised ways to eliminate or greatly reduce that type of risk. Mr Olcott is vice-president of strategic partnerships with the Cambridge company, and he is visiting Bermuda this week to speak about cyber-risks and some solutions available.

High-profile data breaches, such as those at US retailer Target and more recently at credit bureau Equifax, have focused the minds of company executives on the major damage that a significant breach can inflict on a business.

A challenge for companies that share sensitive data with third-party businesses is how to evaluate those partners when it comes to cybersecurity.

BitSight has been analysing the security performance of organisations, and in the last few years has been marketing its security ratings system.

It gauges companies and organisations from external observations and then rates them, in the style of a credit rating system, on a scale from 250 to 900.

Companies pay to see the ratings of other firms so they can evaluate who they are doing business with, or planning to do business with, or who they might be considering investing in.

“The dynamic is changing and organisations are asking a lot about their vendors,” said Mr Olcott.

“Equifax is an example of a company that had a lot of sensitive data. What happens when your business partner is a security risk?”

Companies can ask to have their business security graded in order to compare themselves with peers and rivals, and to make adjustments where weaknesses are identified.

“Organisations are shifting from treating cybersecurity as a compliance exercise to more dynamic, continuous monitoring and being alerted when something happens.”

Mr Olcott said it was once common practice for security assessments to be done by questionnaire but that is now an outdated mode, and real-time, continuous monitoring is vital for an accurate picture.

“Our ratings are based on real time data coming out.”

As an example of how outside monitoring can be applied, Mr Olcott described a situation where a malicious phishing attack against a company is unwittingly activated by one of its employees. When the malware sends a signal back across the internet to a cyberattacker to report its successful activation, the signal often hits a sensor network owned by BitSight.

“That is an example of an infection that can be seen from outside,” said Mr Olcott.

It is also possible to evaluate from afar the “security hygiene” of a company by checking if it is following best practice, such as patching its operating system and browsers in a timely fashion, or ensuring it has an up-to-date SSL certificate.

“You can observe all this from outside. You can see what they are doing and how well they are doing it.”

It is this type of information that BitSight uses in its security grading assessments. The company captures, analyses and interprets the data before presenting it in an accessible form for clients.

“What we wanted to do was take this problem of having a massive amount of data. We wanted to put it in terms that business executives would understand and would make them want to take action,” said Mr Olcott, who explained that company executives are becoming more aware and involved in the implementation of cybersecurity strategies.

The information can be used in many ways, such as assessing potential third party risk when sharing data with an outside company.

“You have to come to some judgment about a company before you go into a business relationship. You evaluate them on security, and if that is changing during the relationship,” said Mr Olcott.

“The insurance dynamic is another example. How do you decide who to offer a policy to? How do you make them a better risk?”

He added that increasing regulation of cybersecurity requirements was another major talking point for many executives.

During his time on the island Mr Olcott is speaking at events organised by Bermudian-based Independent Consulting Solutions, a management consulting and Microsoft-centric technology services company.

BitSight has a website at https://www.bitsighttech.com/

Published Oct 4, 2017 at 8:00 am (Updated Oct 3, 2017 at 9:21 pm)
