To be open in your annual report about security risks facing the company is now a determinant of corporate success.
Information security is a significant challenge to business and therefore to traditional corporate reporting. Board papers and annual reports typically do not provide any insight into the new and challenging IS risks companies are facing.
Too many reports display the dead hand of the traditional compliance and editorial committees and do not reflect the fresh challenges faced in a world that relies on the internet for so many business-critical services.
The credit crunch and subsequent economic crisis have highlighted the need for companies to monitor, manage and document emerging risks – and even explore the potential opportunities. This is all the more pertinent as a new wave of security breaches is hitting UK organisations, costing them billions of pounds, according to PwC's 2010 Information Security Breaches Survey (ISBS).
Of 1,007 UK companies polled in PwC's previous ISBS in 2008, 35 per cent indicated they had suffered malicious security breaches. However, the 2010 survey of 539 organisations showed a huge increase, with 90 per cent of large organisations and 74 per cent of smaller ones saying they had been hit by malicious security breaches. Most did not report these breaches in their corporate reports.
Emerging risks can be turned into opportunities if they are managed for competitive advantage. This should be reflected in the way companies communicate and report on their IS investments. For instance, several banks have turned their investment in protecting online customers into a unique selling point in their marketing.
As companies become more collaborative, stakeholders demand that the potential for systemic disruption is considered and kept in check.
However, many company reports suffer from tunnel vision – focusing on a narrow range of financial data. They tick boxes to meet regulatory requirements, but struggle to communicate clearly to key stakeholders what IS risks they face and how they are delivering on protecting their business and clients.
Key risks and challenges are either ignored or referred to only briefly. However, there are finally signs that boardrooms are taking the issue seriously. This is partly because a number of well-known firms have recently suffered serious IS breaches – which the international press has covered in great detail.
But it's not just the press or board directors that are worried about cyber threats. More and more frequently, tech-savvy stakeholders are asking questions about the robustness of a company's information security.
So how can companies cover information security risks – and the required safeguards – more clearly in their annual reports?
The level of disclosure about IS depends on the type of business. Companies that do a large amount of business online, such as banks and retailers, need to provide assurance that their security programmes are up to scratch.
One of the first steps is to perform a thorough review. A risk assessment can be used to understand the possibility of harm resulting from a loss of confidentiality, integrity or availability of business-critical information.
When discussing security risks with board directors, security managers need to use clear language and quantify the possible financial costs.
For those that need to give a higher level of assurance, it may be worthwhile seeking certification to a recognised standard, such as ISO 27000.
Securing your organisation against the myriad threats to information that exist in the wired world has never been more important. With a well-informed strategy and close alignment to the business, you will be well placed to mitigate – and then report on – the information risks facing your organisation.
By doing so you will ensure that your stakeholders and investors have confidence that your organisation takes information security seriously.
Although only a few companies currently excel in this space, we at PwC believe it is a sign of a well-managed business and a determinant of corporate success.