As part of the much talked about Cyber Security Strategy, the UK Government is “committed to helping reduce vulnerability to attack and ensure that the UK is the safest place to do business”. One strand of the strategy was an executive briefing, which targeted the most senior levels in the UK’s largest companies and provided them with advice on how to safeguard their most valuable assets, such as personal data, online services and intellectual property.
In September 2012 the UK Government launched Cyber Security Guidance for Business at an event that was attended by FTSE 100 CEOs and Chairs. The guidance included detailed information and advice for 10 critical areas covering technical, process and cultural areas for businesses.
With this in mind, Trustwave looked at the UK FTSE 100 companies, examining the most recent annual reports and identified whether the board had explicitly itemised cyber security as a material risk to the business, or at the very least called out the potential impact that the loss of customer data may cause.
Using the standard Industry Classification Benchmark, the data was broken down by industry, where Trustwave identified that 49% of UK FTSE 100 companies specifically highlighted cyber security in their annual reports. It comes as no surprise that Telecommunications, Technology and Financial organizations fared well in identifying cyber risk in their reports.
However, Health Care and Basic Materials companies overall give little to no mention of cyber risk, whilst four Consumer Services firms did not make any explicit mention at all which is concerning considering they are likely to hold sensitive customer data.
An important point to note about this research is that although an organization may not have directly identified cyber-risk in their annual report, it is not to say that they are not already aware of the risks in operating online. However, as we so often see, organizations are run from the board room and for cyber security to be taken seriously throughout an organization it needs to be the board that sets the agenda for the business. If many of the UK’s largest firms are not considering cyber risk as being part of the equation that could be harmful to their business then the outlook is pretty bleak for small and medium-sized enterprises.
What is evident is that the UK Government has identified cyber security as an increasingly important topic for discussion within businesses, and the Cyber Security Strategy has made it a priority to educate companies on the risk associated with being online. At a high level this certainly is noble, but the implementation of the any security strategy still falls to the individual company, and no matter what guidance the UK Government may provide, there is not necessarily a requirement to follow or adhere to that guidance.
However, the European Union has proposed a new data protection Regulation in an attempt to mandate companies that process, store or transmit personal data to appropriately protect it. Failure to do so would, under the proposed Regulation, bring about this requirement, and also breached organizations would have to disclose breaches to the national supervisory authority (i.e. The ICO in the UK) and to notify each customer whose data was subject to the unauthorized access. Mandatory breach disclosure will mean that cyber risk will have a greater impact and visibility at the board level and could result in major loss of revenues, through bad publicity, loss of consumer confidence, and in the severe cases likely affecting the company share price.
As identified in the Cyber Security Strategy in 2011, there exists a present cyber security threat to UK businesses; which are continuously growing as we become more heavily reliant on the Internet to conduct business. It is time for those at the board level to realise that technology has increasingly become the heart of their business rather than something that aids it. Attacks on this technology have the potential to disrupt business operations permanently. As Iain Lobban, Director of GCHQ, points out “Value, Revenue and Credibility are at stake. Don’t let cyber security become the agenda – put it on the agenda.”