60 percent of FTSE companies mention cyber security risks in annual reports

"Data breaches have become a fact of life for most companies," says John Yeo, Trustwave SpiderLabs EMEA director.

IT under threat from 'major' cyber attacks

Research published today shows that the message on cyber-security amongst FTSE 100 companies in the UK is at last getting through, with 60 percent of major corporates including cyber risks in their annual report - up on the 49 percent reported this time last year. 

SCMagazineUK.com caught up with John Yeo, director of Trustwave SpiderLabs EMEA for his observations on the research from Trustwave's SpiderLabs ethical hacking team.

Yeo said that the methodology behind the annual analysis involves scanning each company's annual/periodic reports in order to discover if the business is actively seeking to reduce its cyber-security risks.

"What we discovered is very encouraging, as it shows that companies now understand the cyber risks they are running with their IT systems. It's now quite difficult for most companies to underestimate the data breach risks for their organisation," he said. 

Yeo added that this year's analysis showed that 75 percent of companies in the retail and consumer sale space now 'call out' cyber security in their annual report - up from 42 percent last year. 

This shows, he says, how sensitive retailers have become to the risks of losing their customers' data - and the consequences of a breach for their reputation. 

The key takeaway from the research, he told SCMagazineUK.com, is that the costs of a data breach - and its consequences - are now relatively easy to quantify, even if it remains difficult to assess the Return On Investment (ROI) that the business generates from its IT security budget. 

"It's also clear that FTSE 100 management are having to become more accountable to their shareholders. Data breaches have become a fact of life for most companies, but it's also quite clear that the management must be focused on tackling the issue," he said. 

"It's also positive to hear that senior management is becoming more responsive to security issues," he added. 

The SpiderLabs research reveals that industries are now showing an increase in cyber security awareness at a board level, with the exception of the utilities industry, which remained unchanged. 

Delving into the research reveals that the energy, healthcare and consumer goods industries showed the most dramatic increases. 

For example, in the latest analysis, 86 percent of companies in the oil and gas industry noted cyber security as a concern in their annual report - up from 57 percent a year earlier. And on the healthcare front, the figures doubled from 25 percent a year ago to 50 percent this time around. 

According to SpiderLabs, all industries showed an increase in cyber security awareness at a board level, with the exception of the utilities industry, which remained unchanged. 

What is interesting, says the ethical hacking team's analysis, is that the companies who never mentioned cyber security before have really stressed the point in their annual reports that successful cyber-attack instances will seriously affect how they are able to carry out their usual day-to-day business operations. 

"A number of these annual reports have even discussed cyber security risks in their open letter to shareholders, outlining what they have done, or plan to do, in order to manage these risks," says the analysis.