The impact from a data breach on an enterprise can be a mixed bag. For some, like small suppliers, a compromise of sensitive data and credentials can lead to a few hundred or thousand dollars fraudulently obtained from a business client, often via the Business Email Compromise scam.
Then, there are events like the Target breach, a security lapse rooted at one of the retailer’s suppliers, that resulted in millions of dollars in costs to the company.
But whether it’s $1,000 or $1 million stolen, corporations cannot afford to ignore the growing cyberthreat. It’s no surprise, then, that the cybersecurity market, already worth billions, is slated to hit a $170 billion market value by 2020, according to Forbes.
So far, enterprise security solutions focus on strengthening the detection and mitigation of potential breaches within a corporate IT system or involve businesses taking out insurance in the event of a data breach. Often, cybersecurity measures involve an intensive process by a third-party provider, which visits a company and scrutinizes the entity to assess its risk.
According to FICO Vice President of Cybersecurity Solutions Doug Clare, there should be a more efficient way to examine a business’ cybersecurity threat level.
Earlier this month, FICO revealed plans to roll out a new kind of score: the Enterprise Security Score. Like its credit scoring solution, the Enterprise Security Score will be a three-digit number that analyzes a company’s risk of data compromise.
While the cybersecurity tide levels are rising, causing corporations to take their security efforts more seriously, Clare argued that the market lacks a comprehensive, streamlined mechanism for assessing an entity’s cybersecurity risk.
“We’re looking to assess the entire security of the enterprise,” he said. “It’s all about accelerating our ability to bring a product to market that doesn’t just look at individual computers or devices that a network might contain but kick it up a notch to assess the overall security of the whole enterprise.”
As FICO prepares to roll out this tool, Clare said there are a couple use cases particularly positioned to benefit.
The first, and perhaps obvious, one is for insurance underwriters.
“They don’t have the tools for risk-based pricing,” he said of cyberbreach insurance providers. “The tools they have are to go tear up the floorboards and assess those organizations — to send out a team of people to do security audits, inspections, questionnaires. It’s all resource-intensive, time-consuming and not necessarily a compassionate view.”
“There’s a need for quantitative tools, kind of like what banks use to assess consumers in underwriting a loan. These insurance providers need tools to assess organizations to underwrite for breach insurance,” he continued.
The second is promoting the Enterprise Security Score to financial institutions — in particular, their procurement teams — to assess and mitigate vendor risk.
The banking industry, Clare explained, is pressured to take responsibility for its suppliers’ security as the sector works with regulators and adheres to new compliance measures.
“Regulators are requiring banks to be accountable for vendor performance, and one of the key risks with vendors is their security,” Clare stated. “Having a metric allows banks to be able to assess the security of their vendor infrastructure and the whole supply chain.”
Assessing vendor risk is especially key when onboarding new partners, the VP added, as is having the capability of monitoring that risk over the length of a business relationship.
Just as the rise in eProcurement and other digital tools is often attributed to the need for greater security and transparency in the procurement process, Clare said banks’ procurement teams are the first point of attack to assess vendor risk and, therefore, should have access to a tool to help them do so.
“Usually, within the banks, it’s the procurement function that’s accountable for managing vendor risk,” Clare explained. “They’re the front line in terms of knowing who the vendors are, contractual relationships, driving accountability with those vendors.”
Targeting vendor management and risk mitigation is key for any industry, however, and the executive pointed to other verticals — health care and government, for example — that may also benefit from such a tool.
That’s because any company needs to protect itself from financial losses, which almost always result from a cyberattack. And those financial losses stem from beyond any money that might be stolen from hackers.
“The risk of experiencing a data breach, either yourself or in your supply chain, is relatively high,” Clare said. “We hear about these things all the time. The impact, from a bottom-line perspective, can be a little difficult to project.”
He took the 2013 Target data breach as an example. A compromise at one of the company’s suppliers led to the data of more than 40 million cards being vulnerable. In turn, Clare said, that led Target to face financial losses from covering the cost of reissuing cards, covering credit protection monitoring services to customers affected by the breach, legal action and massive damage done to Target’s market cap.
“It’s hard to estimate what the whole impact on Target was,” he said, “but from the bottom-line perspective, certainly in the hundreds of millions of dollars.”
“If they would have had better insight into the security of those vendors, they would have made some different choices,” Clare said, “or at least been able to provide better oversight.”
Sure, a cyberattack on a supplier of a major, multinational corporation is a big deal. But far more common are those one-off scams that hit smaller companies, with hackers obtaining company data by hacking into email accounts at suppliers and sending fraudulent invoices and requests for payment.
According to the Federal Bureau of Investigation, there have been more than 22,000 incidents of this kind reported since Oct. 2013, resulting in $3.1 billion worth of corporate funds at risk. Supplier email scams, the FBI said, are rising at massive rates.
A credit score-like number rating the potential that a corporation will experience a cybersecurity breach resulting in the loss of data won’t eradicate cybercrime and can’t replace security audits, insurance and other solutions. But, said Clare, it’s a start, especially for the financial services industry.
“Banks have become a lot more active in assessing security positions of their vendors,” he said. “It’s important to have a cost-effective means of doing that; it’s important to have a means of doing it at all.”