A growing percentage of cybersecurity incidents against businesses are the result of initial compromises against third parties, allowing malicious actors to gain access through a trusted relationship, move laterally and escalate privileges, and ultimately attain their target.
This risk is highlighted in a new report by the U.S. Chamber of Commerce and underscores the need for effective third-party risk management (TPRM).
The Q2 Assessment of Business Cyber Risk (ABC) report released this month by the U.S. Chamber of Commerce and FICO recorded a National Risk Score of 688, a slight improvement over the previous quarter’s score of 687. Since last quarter, the average score for large firms rose from 643 to 649 and small firms moved from 740 to 736.
The ABC’s National Risk Score is the revenue-weighted average of the FICO® Cyber Risk Score for nearly 2,400 small, medium, and large companies. The score calculates the probability of an organization suffering a material data breach within the next 12 months.
“For years, the Chamber has urged organizations to adopt internet security fundamentals, including using the NIST Cybersecurity Framework for enterprise risk management,” said Christopher D. Roberti, senior vice president for cyber, intelligence, and security policy at the Chamber. “But we are seeing that organizations are being targeted through third parties and must take steps to integrate a tailored third-party risk management into an overall risk management plan.”
New Business Imperative: Third-Party Risk Management
Larger and more sophisticated firms will typically have well-developed TPRM programs. However, the increase in highly publicized breaches, growing awareness of cyber risk, and emerging and evolving compliance frameworks are driving small and midsize firms to adopt these programs as well.
“Knowing your cyber risk is invaluable and knowing the cyber risk of third parties you work with is essential,” said Doug Clare, vice president of cybersecurity solutions at FICO. “Third-party risk management is emerging as one of the most important priorities for IT and security departments nationwide, and cybersecurity risk assessments are an increasingly important component of the broader TPRM framework.”
To help businesses recognize and mitigate third-party risk, the ABC report offers four key steps that organizations should include within a broader third-party management framework:
- Build a framework for third-party categorization
- Develop workflow to address the intersection of risk and criticality
- Assess high-impact suppliers frequently
- Ensure appropriate risk transfer
Organizations that want to learn more about their specific security performance can register for a free subscription at http://cyberscore.fico.com. A new report from Chartis Research named FICO as a category leader in cyber risk quantification.