In September 2012 the UK Government launched Cyber Security Guidance for Business at an event that was attended by FTSE 100 CEOs and Chairs. The guidance included detailed information and advice for 10 critical areas covering technical, process and cultural areas for businesses.
With this in mind, Trustwave looked at the UK FTSE 100 companies, examining the most recent annual reports and identified whether the board had explicitly itemised cyber security as a material risk to the business, or at the very least called out the potential impact that the loss of customer data may cause.
Using the standard Industry Classification Benchmark, the data was broken down by industry, where Trustwave identified that 49% of UK FTSE 100 companies specifically highlighted cyber security in their annual reports. It comes as no surprise that Telecommunications, Technology and Financial organizations fared well in identifying cyber risk in their reports.
However, Health Care and Basic Materials companies overall give little to no mention of cyber risk, whilst four Consumer Services firms did not make any explicit mention at all which is concerning considering they are likely to hold sensitive customer data.
An important point to note about this research is that although an organization may not have directly identified cyber-risk in their annual report, it is not to say that they are not already aware of the risks in operating online. However, as we so often see, organizations are run from the board room and for cyber security to be taken seriously throughout an organization it needs to be the board that sets the agenda for the business. If many of the UK’s largest firms are not considering cyber risk as being part of the equation that could be harmful to their business then the outlook is pretty bleak for small and medium-sized enterprises.
What is evident is that the UK Government has identified cyber security as an increasingly important topic for discussion within businesses, and the Cyber Security Strategy has made it a priority to educate companies on the risk associated with being online. At a high level this certainly is noble, but the implementation of the any security strategy still falls to the individual company, and no matter what guidance the UK Government may provide, there is not necessarily a requirement to follow or adhere to that guidance.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.