The U.S. Chamber of Commerce and credit scoring company FICO released their Q2 Assessment of Business Cyber Risk (ABC) report on Aug. 19.
The report found a National Risk Score of 688, based on its scale of 350-800. The National Risk Score is a “revenue-weighted average of the FICO Cyber Risk Score for 2,376 companies … A higher score indicates a lower likelihood that an organization will experience a data breach in the next 12 months; a lower score indicates greater risk of a successful data breach, based on a five-year sample of data collected.” This quarter’s score shows a slight improvement over last quarter’s score of 687. The average score for large firms also rose, from 643 to 649.
“While these scores reveal the nation’s cybersecurity risk was virtually unchanged, FICO and the Chamber urge businesses to do more to measure and manage risk posed by third parties,” a press release said.
Christopher D. Roberti, senior vice president for cyber, intelligence, and security policy at the Chamber, stressed the need for organizations to include third-party risk management (TPRM) in their risk management plans.
“For years, the Chamber has urged organizations to adopt internet security fundamentals, including using the NIST Cybersecurity Framework for enterprise risk management,” said Roberti. “But we are seeing that organizations are being targeted through third parties and must take steps to integrate a tailored third-party risk management into an overall risk management plan.”
As for why TPRM is needed, the report said that businesses are increasingly being compromised as a result of initial compromises against third parties. These instigating incidents allow “malicious actors to gain access through a trusted relationship, move laterally and escalate privileges, and ultimately attain their target.”
The ABC report did note that larger firms typically have well-developed TPRM programs. The increase in highly publicized breaches, greater awareness of cyber risk, and emerging and evolving compliance frameworks are encouraging small and midsized firms to strengthen their TPRM programs as well.
“Knowing your cyber risk is invaluable, and knowing the cyber risk of third parties you work with is essential,” said Doug Clare, vice president of cybersecurity solutions at FICO. “Third-party risk management is emerging as one of the most important priorities for IT and security departments nationwide, and cybersecurity risk assessments are an increasingly important component of the broader TPRM framework.”
The report offered four steps that all organizations should include in their third-party risk management framework:
- Build a framework for third-party categorization
- Develop a workflow to address the intersection of risk and criticality
- Assess high-impact suppliers frequently
- Ensure appropriate risk transfer