BitSight launches information security risk rating service
BitSight launched a cybersecurity offering that delivers ratings of the information security effectiveness of organizations. The ratings are based on externally visible network behavior and are recomputed daily so that they track an organization’s continuously changing security state.
BitSight Partner SecurityRating provides objective and up-to-date ratings on the information security health of a company’s partner ecosystem so it can better protect data shared with third-party vendors. The information security ratings, which range from 250 to 900, are similar to consumer credit scores, with higher ratings indicating better security postures.
According to a February 2013 Ponemon Institute survey, 65 percent of organizations transferring consumer data to third-party vendors reported a breach involving the loss or theft of their information. In addition, nearly half of organizations surveyed did not evaluate their partners before sharing sensitive data.
“Traditional approaches to measuring and mitigating partner security risk, including network security audits and assessments, have fallen short,” said Stephen Boyer, co-founder and CTO of BitSight. “These methods fail to deliver an objective and simple way to understand the effectiveness of an organization’s network security practices. BitSight Partner SecurityRating delivers a single, daily rating that encapsulates the information security integrity of any third-party network, allowing customers to make data-driven, risk-based decisions.”
Using online sensors placed at strategic points around the Internet, the BitSight platform collects and analyzes publicly available Internet traffic flowing to and from an organization. Suspicious behaviors, such as participation in a DDoS attempt or communication with a known botnet, are analyzed for severity, frequency, duration and confidence, and the results are combined into an overall rating of the organization’s current security health. Ratings are derived entirely from the outside: no special disclosures are required and no intrusive testing is conducted on the rated company. Because the method sees only what is externally observable, the rating reflects behavior emanating from address space attributed to the organization rather than the state of its internal controls.
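The paragraph above gives the shape of the method but not how externally observed events turn into a number. The following is an added illustration, not BitSight's model or code: a toy outside-in rating that classifies constructed flow observations against a constructed indicator list, scores each event type on severity, frequency, duration and confidence, and maps the combined penalty onto the 250 to 900 scale for a chosen day over a trailing window. The address ranges, indicator lists, severity weights, saturation caps and 30-day window are all assumptions chosen for the example; attributing Internet address space to a company is the hard step in practice and is reduced here to a single CIDR.

```python
"""Toy outside-in security rating (hypothetical illustration, not BitSight's model).

External observations of an organization's address space are classified
into suspicious behaviours, scored on severity, frequency, duration and
confidence, and folded into a credit-score-style rating between 250 and 900
that can be recomputed for any day over a trailing observation window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

RATING_MIN, RATING_MAX = 250, 900
WINDOW_DAYS = 30                 # assumed trailing observation window
FREQ_CAP, DURATION_CAP = 10, 30  # assumed saturation points for frequency/duration

# Assumed attribution: external address space owned by the rated company.
ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed threat intelligence: indicator -> confidence that traffic to it
# really is the claimed behaviour (a sinkholed C2 is near-certain, a shared
# hosting address much less so).
KNOWN_BOTNET_C2 = {"198.51.100.7": 0.95}
DDOS_VICTIMS_OBSERVED = {"192.0.2.200": 0.8}

# Assumed severity weights per event type (0..1).
SEVERITY = {"botnet_c2": 1.0, "ddos_participation": 0.8}

# Constructed external observations: (timestamp, src, dst, dst_port).
OBSERVATIONS = [
    ("2013-09-10T01:00:00", "203.0.113.10", "198.51.100.7", 6667),
    ("2013-09-10T03:00:00", "203.0.113.10", "198.51.100.7", 6667),
    ("2013-09-12T01:00:00", "203.0.113.10", "198.51.100.7", 6667),
    ("2013-09-10T02:00:00", "203.0.114.1", "198.51.100.7", 6667),  # not the org's space
    ("2013-09-11T10:00:00", "203.0.113.44", "192.0.2.200", 80),
    ("2013-09-11T10:00:05", "203.0.113.45", "192.0.2.200", 80),
    ("2013-09-11T10:00:07", "203.0.113.46", "192.0.2.200", 80),
    ("2013-09-11T12:00:00", "203.0.113.50", "192.0.2.53", 53),     # benign DNS
]


def belongs_to_org(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_NETWORKS)


def classify(obs):
    """Map one observation to (event_type, confidence); None if benign or unattributed."""
    _, src, dst, _ = obs
    if not belongs_to_org(src):
        return None
    if dst in KNOWN_BOTNET_C2:
        return "botnet_c2", KNOWN_BOTNET_C2[dst]
    if dst in DDOS_VICTIMS_OBSERVED:
        return "ddos_participation", DDOS_VICTIMS_OBSERVED[dst]
    return None


def summarize(observations, as_of_iso, window_days=WINDOW_DAYS):
    """Per event type: frequency, inclusive duration in days and mean confidence,
    counting only observations inside the trailing window ending at as_of_iso."""
    as_of = datetime.fromisoformat(as_of_iso)
    start = as_of - timedelta(days=window_days)
    groups = defaultdict(list)
    for obs in observations:
        ts = datetime.fromisoformat(obs[0])
        if not (start < ts <= as_of):
            continue
        hit = classify(obs)
        if hit:
            groups[hit[0]].append((ts, hit[1]))
    summary = {}
    for etype, items in groups.items():
        times = [t for t, _ in items]
        confs = [c for _, c in items]
        summary[etype] = {
            "frequency": len(items),
            "duration_days": (max(times) - min(times)).days + 1,
            "confidence": sum(confs) / len(confs),
        }
    return summary


def risk(summary):
    """Sum of per-type penalties: severity x confidence x a saturating blend of
    how often and for how long the behaviour was seen (each term in 0..1)."""
    total = 0.0
    for etype, s in summary.items():
        freq_term = min(s["frequency"], FREQ_CAP) / FREQ_CAP
        dur_term = min(s["duration_days"], DURATION_CAP) / DURATION_CAP
        total += SEVERITY[etype] * s["confidence"] * (freq_term + dur_term) / 2
    return total


def rating(observations, as_of_iso):
    """Credit-score-style rating: 900 with no findings, floored at 250."""
    penalty = round((RATING_MAX - RATING_MIN) * min(risk(summarize(observations, as_of_iso)), 1.0))
    return max(RATING_MIN, RATING_MAX - penalty)


if __name__ == "__main__":
    # Rating drops while the behaviour is in the window, then recovers as it ages out.
    for day in ("2013-09-13", "2013-11-01"):
        print(day, rating(OBSERVATIONS, day))
```

Run as of 2013-09-13, the three C2 contacts and the three DDoS-participation flows pull the constructed organization down to 707; run as of 2013-11-01, with nothing inside the 30-day window, it returns to 900, which is the daily-recomputation behaviour the article describes. The blend of a frequency term and a duration term is deliberately symmetric so that a short burst and a persistent low-rate signal carry comparable weight, and the confidence factor keeps low-quality indicators from dominating the score.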