The UK Government is “committed to helping reduce vulnerability to attacks and ensure that the UK is the safest place to do business”. [1] It’s all part of the much talked about UK Cyber Security Strategy [2].

One strand of the strategy was an executive briefing on cyber security to UK businesses – which included a top 10 focus areas for businesses to concentrate on.

Within that briefing document, Iain Lobban (the Director of GCHQ) put it most frankly: “Value, Revenue and Credibility are at stake. Don’t let cyber security become the agenda – put it on the agenda.” [3]

I looked at UK FTSE 100 companies, examined the most recent annual reports (as it’s common practice to state the principal risks and uncertainties that a business may face) and identified whether the board (and the companies’ auditors) had explicitly itemised cyber security as a material risk to the business – or at least called out the potential impact that the loss of customer data may cause.

I broke the data down by Industry (using the standard Industry Classification Benchmark [4]). The findings are probably not that surprising to those who work in the field of Information Security:

• In total 49% of companies highlighted Cyber Risk.
• Telecommunications, Technology and Financials (actually only Banking) fared well.
• Health Care and Basic Materials (with some exceptions) gave Cyber Risk little to no mention.
• The only real surprise was that four Consumer Services firms did not make a more explicit mention of Cyber Risk.

No doubt the other industries will catch up, but at least for the time being I’m pretty confident that the gap isn’t in boardroom appreciation of cyber risk – but revolves more around middle management execution.