Cyber security executives and teams—and for that matter organizations as a whole—could certainly use some good news when it comes to risk assessment, and perhaps a recent report provides just that.
The Assessment of Business Cyber Risk (ABC) report released in April 2019 by the U.S. Chamber of Commerce, which represents the interests of more than 3 million businesses, and predictive analytics company FICO, revealed that the level of cyber risk to the U.S. business community held steady for the first quarter of 2019.
The national risk score was 687. The ABC measures the aggregate cyber security risk faced by the U.S. business community. It’s based on data from the FICO Cyber Risk Score, and is intended to advance cyber security awareness and improve the overall effectiveness of cyber defense programs.
The ABC is a revenue-weighted average of the FICO Cyber Risk Score for nearly 2,400 small, medium, and large companies. The score calculates the probability of an organization experiencing a material data breach in the next 12 months. Similar to the FICO credit score, the range is 300 to 850. The higher the score the lower the likelihood that an organization will experience a data breach in the next 12 months.
The score analyzes billions of cyber risk indicators, the report said, and uses machine learning to produce a metric for measuring cyber risk.
The report shows that since the fourth quarter of 2018, small businesses showed a slight improvement, up to 740 from 737, while large organizations moved from 646 to 643. These changes indicated relatively stable risk performance from quarter to quarter, the report said.
It’s important to note that a lower score, whether for a company or a sector, doesn’t necessarily imply that those entities are applying insufficient diligence, said Christopher Roberti, senior vice president for cyber, intelligence, and security policy at the U.S. Chamber of Commerce. Those entities might have a higher risk profile—for example, they face greater risk of a data breach—due to the nature of their businesses, he said.
The researchers offered a number of tips for improving cyber security, based on the observations of thousands of businesses scored.
One is to use the National Institute of Standards and Technology (NIST) Cybersecurity Framework or a similar risk management framework to develop an information security program.
The framework allows organizations, regardless of their size, risk profile, or cyber sophistication, to create a cyber security plan or improve an existing one. It’s one way to reduce network weaknesses and deter malicious actors.
A second recommended practice is to develop a reliable understanding of the organization’s network. This includes identifying assets so that security management can be applied based on risk.
Changes in the scope of a network can result from mergers, acquisitions, or divestitures, the report said. They might also result from geographic expansion or changes in an organization’s offerings that require modifications. Change that’s not fully managed can lead to vulnerabilities.
Another good step is to identify functions and teams whose process and policy maturity are not performing adequately. This will help organizations identify weak links in their technology, personnel, policy, and leadership. Most technology and security teams operate as separate functions, and therefore require coordination and interaction, the report noted.
Many companies will have a network engineering team, an IT team, and one or more software engineering teams. They also likely will have multiple security teams interfacing with the engineering groups. Team performance is often highly inconsistent, even within the same organization.
Organizations should also oversee their network team to confirm that there is alignment with the details of network management policies. They should avoid unnecessarily exposing network infrastructure assets and ensure correct configuration for those that must be exposed.
A fifth recommended practice is to protect and monitor network endpoints. Organizations that monitor endpoints are able to provide an early warning of potential problems, the report said. One way the Cyber Risk Score assesses the health of endpoint security is by looking for evidence of endpoint compromise. While a compromised endpoint isn’t the same as a material data breach, research has shown a correlation between endpoint compromise and incidents of malicious behavior.
Finally, organizations should develop a process to confirm that active certificate management programs are in place and are being implemented. Expired or otherwise non-standard certificates might pose a serious risk to networks, the report said. The failure to effectively manage certificates is often indicative of a failure to implement and maintain best practices more broadly, it said.
The U.S. Chamber of Commerce has been focusing on cyber security for years. In 2014, the organization launched a new comprehensive campaign under the banner, “Improving Today. Protecting Tomorrow,” to advance cyber security policies and legislation while educating businesses of all sizes about cyber threats and how to protect against them.