When it comes to cybersecurity, companies need to do much more than make themselves a difficult-to-crack fortress.

Because no matter how solid its own cyberdefences are, an organisation can suffer a damaging data breach or cyberattack through an exploited weakness at a third party business partner.

Jacob Olcott, an expert in the field who is currently in Bermuda, said smart companies recognise they are only as strong as the weakest link in the chain.

A cyberattack can breach a weak third party doing business with the another company, and as a consequence gain access to shared sensitive data.

Massachusetts-based BitSight Technologies has devised ways to eliminate or greatly reduce that type of risk. Mr Olcott is vice-president of strategic partnerships with the Cambridge company, and he is visiting Bermuda this week to speak about cyber-risks and some solutions available.

High profile data breaches, such as those at US retailer Target and more recently at credit bureau Equifax, have focused the minds of company executive on the major damage that a significant breach can inflict on a business.

A challenge for companies that share sensitive data with third party business is how to evaluate those partners when it comes to cybersecurity.

BitSight has been analysing the security performance of organisations, and in the last few years has been marketing its security ratings system.

It gauges companies and organisations from external observations and then rates them, in the style of credit rating system, on a scale from 250 to 900.

Companies pay to see the ratings of other firms so they can evaluate who they are doing business with, or planning to do business with, or who they might be considering investing in.

“The dynamic is changing and organisations are asking a lot about their vendors,” said Mr Olcott.

“Equfiax is an example of a company that had a lot of sensitive data. What happens when your business partner is a security risk?”

Companies can ask to have their business security graded in order to compare themselves with peers and rivals, and to make adjustments where weaknesses are identified.

“Organisations are shifting from treating cybersecurity as a compliance exercise to more dynamic, continuous monitoring and being alerted when something happens.”

Mr Olcott said it was once common practice for security assessments to be done by questionnaire but that is now an outdated mode, and real-time, continuous monitoring is vital for an accurate picture.

“Our ratings are based on real time data coming out.”

As an example of how outside monitoring can be applied, Mr Olcott described a situation where a malicious phishing attack against a company is unwittingly activated by one of its employees. When the malware sends a signal back across the internet to a cyberattacker to report its successful activation, the signal often hits a sensor network owned by BitSight.

“That is an example of an infection that can be seen from outside,” said Mr Olcott.

It is also possible to evaluate from afar the “security hygiene” of a company by checking if it is following best practice, such as patching its operating system and browsers in a timely fashion, or ensuring it has an up-to-date SSL certificate.

“You can observe all this from outside. You can see what they are doing and how well they are doing it.”

It is this type of information that BitSight uses in its security grading assessments. The company captures, analyses and interprets the data before presenting it in an accessible form for clients.

“What we wanted to do was take this problem of having a massive amount of data. We wanted to put it in terms that business executives would understand and would make them want to take action,” said Mr Olcott, who explained that company executives are becoming more aware and involved in the implementation of cybersecurity strategies.

The information can be used in many ways, such as assessing potential third party risk when sharing data with an outside company.

“You have to come to some judgment about a company before you go into a business relationship. You evaluate them on security, and if that is changing during the relationship,” said Mr Olcott.

“The insurance dynamic is another example. How do you decide who to offer a policy to. How do you make them a better risk?”

He added that increasing regulation of cybersecurity requirements was another major talking point for many executives.

During his time on the island Mr Olcott is speaking at events organised by Bermudian-based Independent Consulting Solutions, a management consulting and Microsoft-centric technology services company.

BitSight has a website at https://www.bitsighttech.com/