According to a recent Assessment of Business Cyber Risk report, released by the U.D. Chamber of Commerce and FICO, the level of cyber risk to the U.S. business community held steady for the first quarter of 2019, with a national risk score of 687.
The ABC measures the aggregate cybersecurity risk faced by the U.S. business community. Based on data from the FICO Cyber Risk Score, the ABC is intended to advance cybersecurity awareness and improve the overall effectiveness of cyber defense programs.
The report revealed that since the fourth quarter of 2018, small firms showed a slight improvement — up to 740 from 737 — while large firms moved from 646 to 643. These changes indicated relatively stable risk performance from quarter to quarter.
“The disparity in risk scores between small and large organizations is due to the fact that large firms have a wider attack surface and are more frequently the target of cybercriminals,” said Doug Clare, vice president for cybersecurity solutions at FICO.
The ABC is the revenue-weighted average of the FICO Cyber Risk Score for nearly 2,400 small, medium and large companies. The score calculates the probability of an organization suffering a material data breach in the next 12 months. Just like a FICO credit score, the range is 300 to 850. For individual companies, the higher the score, the lower the likelihood that an organization will experience a data breach in the next 12 months. Similarly, a lower score indicates greater risk of a successful data breach, based on five years of historic data breach data. The score analyzes billions of cyber risk indicators and uses machine learning to produce a forward-looking metric for measuring cyber risk.
“As businesses review the results for their organizations, it’s important to note that industries carry different levels of risk, which are outside the control of individual firms,” said Clare. “Banks are riskier than bakeries because they are richer targets, with more data to steal and that data is more valuable. The FICO Cyber Risk Score looks at both security preparedness and sector-level risk factors, and both are reflected in the ABC.”
Tips for Improving Cybersecurity
“When we launched the ABC in October 2018, it was a wake-up call to many businesses across the country,” said Christopher D. Roberti, senior vice president for cyber, intelligence and security policy at the U.S. Chamber of Commerce. “Our focus this quarter is to help businesses understand how to improve their cyber posture. It is important to emphasize that a lower score — whether for a company or a sector — does not necessarily imply that insufficient diligence is being applied by those entities. Such entities may simply have a higher risk profile (i.e., they face greater risk of breach) due t to the nature of their businesses.”
Managing risk in the world of cybersecurity is about managing behavioral risk and skills gaps, as well as technical flaws. Based on the observations of thousands of businesses scored for the ABC, the U.S. Chamber and FICO offer these six recommendations:
- Use the National Institute of Standards and Technology Cybersecurity Framework to develop an information security program. The framework enables organizations — regardless of their size, risk profile or cyber sophistication — to develop a cybersecurity plan or improve an existing one.
- Develop a reliable understanding of one’s network. This includes identifying assets to apply security management based on risk.
- Identify functions and teams whose process and policy maturity are not performing adequately. This will enable organizations to identify weak links in technology, personnel, policy and leadership.
- Oversee an organization’s network team to confirm alignment to the details of network management policies. Avoid unnecessarily exposing network infrastructure assets and ensure correct configuration for those that much be exposed.
- Protect and monitor network endpoints. Organizations that monitor endpoints are able to provide an early warning of potential problems.
- Develop a process to confirm that active certificate management programs are in place and are being implemented.