In September 2012 the UK Government launched Cyber Security Guidance for Business at an event that was attended by FTSE 100 CEOs and Chairs. The guidance included detailed information and advice for 10 critical areas covering technical, process and cultural areas for businesses.
With this in mind, Trustwave looked at the UK FTSE 100 companies, examining the most recent annual reports and identified whether the board had explicitly itemised cyber security as a material risk to the business, or at the very least called out the potential impact that the loss of customer data may cause.
Using the standard Industry Classification Benchmark, the data was broken down by industry, where Trustwave identified that 49% of UK FTSE 100 companies specifically highlighted cyber security in their annual reports. It comes as no surprise that Telecommunications, Technology and Financial organizations fared well in identifying cyber risk in their reports.
However, Health Care and Basic Materials companies overall give little to no mention of cyber risk, whilst four Consumer Services firms did not make any explicit mention at all which is concerning considering they are likely to hold sensitive customer data.
An important point to note about this research is that although an organization may not have directly identified cyber-risk in their annual report, it is not to say that they are not already aware of the risks in operating online. However, as we so often see, organizations are run from the board room and for cyber security to be taken seriously throughout an organization it needs to be the board that sets the agenda for the business. If many of the UK’s largest firms are not considering cyber risk as being part of the equation that could be harmful to their business then the outlook is pretty bleak for small and medium-sized enterprises.
What is evident is that the UK Government has identified cyber security as an increasingly important topic for discussion within businesses, and the Cyber Security Strategy has made it a priority to educate companies on the risk associated with being online. At a high level this certainly is noble, but the implementation of the any security strategy still falls to the individual company, and no matter what guidance the UK Government may provide, there is not necessarily a requirement to follow or adhere to that guidance.
However, the European Union has proposed a new data protection Regulation in an attempt to mandate companies that process, store or transmit personal data to appropriately protect it. Failure to do so would, under the proposed Regulation, bring about this requirement, and also breached organizations would have to disclose breaches to the national supervisory authority (i.e. The ICO in the UK) and to notify each customer whose data was subject to the unauthorized access. Mandatory breach disclosure will mean that cyber risk will have a greater impact and visibility at the board level and could result in major loss of revenues, through bad publicity, loss of consumer confidence, and in the severe cases likely affecting the company share price.