FICO and the U.S. Chamber of Commerce have produced our second quarterly Assessment of Business Cybersecurity Risk — think of it as the FICO Score for the nation’s cybersecurity risk. For the first quarter of 2019, the National Risk Score is 687, holding steady from the fourth quarter of 2018.
The National Risk Score is a revenue-weighted average of the FICO® Cyber Risk Score for 2,376 random companies. Based on the methodology, the higher the score, the lower the likelihood that an organization will experience a data breach in the next 12 months. Similarly, a lower score indicates greater risk of a successful data breach, based on five years of historic breach data.
For an individual organization, and depending on size and sector, a score of 687 represents a level of risk that is comparable to the current average. Since the previous quarter, small firms showed a slight improvement—up to 740 from 737—while large firms fell from 646 to 643.
Here’s how the aggregate risk for different size classes of companies looks:
As noted above, risk is a function of both the threat landscape and vulnerability. For example, larger organizations generally face more sophisticated and persistent threats. The scores reflect the probability of a data breach. A low score does not imply that an organization is destined to suffer a data breach. Similarly, a high score does not indicate that an organization is impervious to the risk of a breach, it just implies that the likelihood of that organization experiencing one is lower.
Here are the big three questions we tend to get on this report:
How can I use it?
Organizations can use the ABC and their individual cyber risk score as a basis for the following:
- Objective self-assessment
- Third-party and supply chain risk assessment
- Comparative assessments (between organizations or over time)
- Discussions with insurance carriers and brokers
Why are larger companies a bigger risk?
- First, they have larger networks, with more than 65,000 IP addresses.
- Second, they have more data on more people, making them more attractive to criminals.
- Third, they operate in sensitive areas like health care, finance, and retail.
- Fourth, they are better known, which also attracts criminals.
How can my organization lower our risk and raise our score?
FICO and the Chamber have six recommendations for reducing your cybersecurity risk, which you can read about in my blog post from last week.
For more information, download our report and see the latest ABC metrics at www.cyber-abc.com.
You can also learn more about your security performance by registering for a free subscription at cyberscore.fico.com.