The UK Government is “committed to helping reduce vulnerability to attacks and ensure that the UK is the safest place to do business”. It’s all part of the much-talked-about UK Cyber Security Strategy.
One strand of the strategy was an executive briefing on cyber security to UK businesses – which included a top 10 of focus areas for businesses to concentrate on.
Within that briefing document, Iain Lobban (the Director of GCHQ) put it most frankly: “Value, Revenue and Credibility are at stake. Don’t let cyber security become the agenda – put it on the agenda”.
Isn’t it already on the agenda? We’re glad you asked.
We looked at the UK FTSE 100 companies, examined their most recent annual reports (as it’s common practice to state the principal risks and uncertainties that a business may face) and identified whether the board (and the companies’ auditors) had explicitly itemised cyber security as a material risk to the business – or at least called out the potential impact that the loss of customer data may cause.
We broke the data down by industry (using the standard Industry Classification Benchmark). The findings are probably not that surprising to those who work in the field of Information Security:
- In total 49% of companies highlighted Cyber Risk.
- Telecommunications, Technology and Financials (actually only Banking) fared well.
- Health Care and Basic Materials (with some exceptions) gave Cyber Risk little to no mention.
- The only real surprise was that four Consumer Services firms did not make a more explicit mention of Cyber Risk.
No doubt the other industries will catch up, but at least for the time being we’re pretty confident that the gap isn’t in boardroom appreciation of cyber risk – but revolves more around middle management execution.
In case there was any lack of clarity about how the UK government cyber security strategy is architected and implemented, you don’t need to look any further than the Cabinet Office website:
“The Office of Cyber Security & Information Assurance (OCSIA) supports the Minister for the Cabinet Office, the Rt Hon Francis Maude MP and the National Security Council in determining priorities in relation to securing cyberspace. The unit provides strategic direction and coordinates action relating to enhancing cyber security and information assurance in the UK.
The OCSIA alongside the Cyber Security Operations Centre work with lead government departments and agencies such as the Home Office, Ministry of Defence (MoD), Government Communications Headquarters (GCHQ), CESG, the Centre for the Protection of National Infrastructure (CPNI), the Foreign and Commonwealth Office and the Department for Business, Innovation and Skills (BIS) in driving forward the cyber security programme for UK government and give the UK the balance of advantage in cyberspace.”
Glad that’s clear.
John Yeo and Tom Neaves