Organizations need to do more to manage third party risks says US Chamber of Commerce
- Published: Tuesday, 20 August 2019 07:08
The Q2 Assessment of Business Cyber Risk (ABC) report released by the US Chamber of Commerce and FICO recorded a National Risk Score of 688, a slight improvement over the previous quarter's score of 687. Since last quarter, the average score for large firms rose from 643 to 649 and small firms moved from 740 to 736.
While these scores reveal the nation's cyber security risk was virtually unchanged, FICO and the Chamber urge businesses to do more to measure and manage risk posed by third parties.
"For years, the Chamber has urged organizations to adopt internet security fundamentals, including using the NIST Cybersecurity Framework for enterprise risk management," said Christopher D. Roberti, senior vice president for cyber, intelligence, and security policy at the Chamber. "But we are seeing that organizations are being targeted through third parties and must take steps to integrate a tailored third-party risk management into an overall risk management plan."
A growing percentage of cyber security incidents against businesses are the result of initial compromises against third parties, allowing malicious actors to gain access through a trusted relationship, move laterally and escalate privileges, and ultimately attain their target. As a result, third party risk management (TPRM) is a high priority for many organizations.
Larger and more sophisticated firms will typically have well-developed TPRM programs. The increase of highly publicized breaches, awareness of cyber risk, and emerging and evolving compliance frameworks are driving small and midsize firms to adopt these programs as well.
"Knowing your cyber risk is invaluable, and knowing the cyber risk of third parties you work with is essential," said Doug Clare, vice president of cyber security solutions at FICO. "Third-party risk management is emerging as one of the most important priorities for IT and security departments nationwide, and cyber security risk assessments are an increasingly important component of the broader TPRM framework."
To help businesses recognize and mitigate third-party risk, the ABC report offers four key steps that organizations should include within a broader third-party management framework:
- Build a framework for third-party categorization;
- Develop workflow to address the intersection of risk and criticality;
- Assess high-impact suppliers frequently;
- Ensure appropriate risk transfer.