Cyber Risk for U.S. Enterprises Remains Steady
Although cybersecurity risk varies by several factors (such as company size and industry), it hasn't declined in the last quarter across all U.S. enterprises measured by FICO.
- By James E. Powell
- April 17, 2019
You can't manage what you can't measure. By introducing a way to measure and quantify risk, the U.S. Chamber of Commerce and FICO are hoping to inspire U.S. enterprises to lower their risk of a serious cyberattack. Unfortunately, according to the Assessment of Business Cyber Risk (ABC) report released last week, the level of cyber risk to U.S. businesses hasn't budged in the last quarter. The ABC as a scoring metric was launched in October 2018.
The ABC national risk score (unchanged from last quarter at 687) measures the aggregate cybersecurity risk and is a revenue-weighted average of the FICO Cyber Risk Score for about 2,400 companies of all sizes. According to FICO, "the score calculates the probability of an organization suffering a material data breach in the next 12 months." The score is intended to "advance cybersecurity awareness and improve the overall effectiveness of cyber defense programs." Like the more familiar consumer FICO score, the ABC uses a scale of 300 (high risk) to 850 (low risk), putting the latest measurement in the medium-low range.
When broken out by employee size, small enterprises (those with fewer than 250 employees) have the lowest risk (with a score of 740); midsize companies (250-1999 employees) have a score of 716; and large enterprises (2000 or more employees) are at the greatest risk of the three categories, with a score of 643. Overall, scores hardly budged; for example, the score for small firms moved from 737 to 740, making them only marginally less risky.
According to Doug Clare, vice president for cybersecurity solutions at FICO, the difference in risk scores between small and large organizations "is due to the fact that large firms have a wider attack surface and are more frequently the target of cybercriminals." Financial firms are more often in the "large" category, for example. Larger companies are also at greater risk, the report says, because they tend to have larger networks (with over 65,000 IP addresses), hold more data, operate in sensitive areas (such as healthcare, finance, and retail), and be better-known brands.
"As businesses review the results for their organizations, it's important to note that industries carry different levels of risk, which are outside the control of individual firms," said Clare. "Banks are riskier than bakeries because they are richer targets with more data to steal and that data is more valuable. The FICO Cyber Risk Score looks at both security preparedness and sector-level risk factors, and both are reflected in the ABC."
Christopher D. Roberti, senior vice president for cyber, intelligence, and security policy at the U.S. Chamber of Commerce, pointed out that "a lower score -- whether for a company or a sector -- does not necessarily imply that insufficient diligence is being applied by those entities. Such entities may simply have a higher risk profile (i.e., they face greater risk of breach) due to the nature of their businesses."
The report includes six recommendations for reducing cybersecurity risk, such as using the NIST Cybersecurity Framework to develop an information security program.
More information about the report and the methodology of the ABC is available at https://cyberscore.fico.com. Enterprises can receive an individual assessment at no cost at www.cyber-abc.com.
James E. Powell is the editorial director of TDWI, including research reports, the Business Intelligence Journal, and Upside newsletter.