The banking and finance sector earned the second-lowest score in the first Assessment of Business Cybersecurity report released Thursday by the U.S. Chamber of Commerce and FICO, with only the media, telecommunications and technology sector performing worse.
The assessment is meant to give businesses a quarterly benchmark for assessing their cybersecurity risk over time. It looks at the cybersecurity risk of over 2,500 firms across 10 sectors.
U.S. businesses earned a weighted overall score of 687 out of a possible 850, with the banking and finance sector scoring 642 and the media, telecommunications, and technology sector rounding out the bottom with a score of 619.
By comparison, the construction sector earned the highest marks, with a score of 764.
The assessment addresses the wide gap between sector scores:
“This range in values represents a significant difference in relative risk across the evaluated sectors. Because the assessment and resulting sector values are based on the FICO Cyber Risk Score, and because the score-to-odds relationship is such that the odds double with every 84-point increment in the score (i.e., a company with a score of 500 is twice as likely to suffer a material breach event in the next 12 months as is a company with a score of 584), the net result is that the range of sector assessment values represents an almost 200% differential in risk across the represented sectors.”
A summary of risk ratings grouped by company size indicated that small companies (1-249 employees) and medium companies (250-1,999 employees) were at considerably lower risk than large companies (2,000 or more employees) in both the banking and finance sector and the media, telecommunications, and technology sector. Other sectors showed similar results in this regard.
“Larger organizations are more likely to be targeted,” the assessment’s key findings said. “While no one is immune from becoming a target of malicious cyber actors, the data suggests that larger firms make better targets from the standpoint of threat actors. Moreover, the opportunity to gain access to thousands or millions of consumer data is more appealing than applying the same effort to smaller organizations holding less data.”
The assessment says that for an individual organization, depending on size and sector, a score of 687 would represent a “reasonably good performance very near the overall population average,” and that companies operating in this range are considered to be at a “lower level of risk.”
The assessment describes the FICO Cyber Risk Score as “an empirically derived assessment of an organization’s cyber breach risk, used by forward-thinking businesses to assess their own posture as well as that of their supply chain partners” and says insurers use it to underwrite and price cyber breach insurance.
“Businesses are on the front line of cybersecurity threats,” Christopher D. Roberti, senior vice president for cyber intelligence and security policy for the U.S. Chamber of Commerce, said in a statement. “Their risk impacts our economy’s health and our national security. That’s why we are pleased to partner with FICO to ensure businesses know their level of security.”