FTSE100: Cyber and The Board – Where Are We Now?

Back in February 2013 I spent some time (armed with coffee) going through every annual report of each Financial Times Stock Exchange 100 (FTSE100) company to determine which of them were giving a mention to cybersecurity / information security, typically in their principal risks and uncertainties section as a risk, but also elsewhere in the report.

The objective for this was two-fold. Firstly, to understand whether cybersecurity was actively being discussed at board level. Secondly, to identify and understand any trends that might be apparent in the results – for example, are specific industries really good at acknowledging all things cyber while others are not so much – and to try to ask (and answer) the question of why that might be.

The results were interesting, and probably not that surprising to anyone who worked in the field of information security at the time. The highlights were:

  • In total, 49 percent of companies highlighted cyber risk.
  • Telecommunications, technology and banking companies fared well.
  • Health care and basic materials (with some exceptions) gave cyber risk little to no mention.
  • The only real surprise was that four consumer services firms did not make a more explicit mention of cyber risk.

A year is a long time in information security, so with that, a year later in February 2014 I spent some more time with the updated annual reports of the 51 FTSE100 companies which previously didn’t refer to cyber in any shape or form, with the one burning question – had there been any progress made in getting cyber onto the corporate menu? The high notes were:

  • The situation had improved, but only slightly from the previous year (up 11%) – a total of 60 percent of FTSE100 companies now highlighted cybersecurity in their annual report.
  • All industries showed an increase in cybersecurity awareness at board level, with the exception of the utilities industry, which remained unchanged.
  • The most dramatic increases were in consumer goods, health care, and oil and gas. In health care, the number of companies taking cybersecurity seriously had doubled from the previous year. The consumer goods industry fell just short of repeating this performance, but the trend was clear to see.

Enter 2021

Fast forward seven years to 2021 and the world is a very different place than it was back then (in almost every way!). Cyber now gets mainstream media coverage on an hourly basis. Hacks, breaches, ransomware attacks and phishing are very much on an ‘upward’ trend, and that’s putting it politely. That burning question… how are all of these FTSE100 companies and their boardrooms coping with these cyber challenges now?

I filled the coffee up to the brim once again and took a walk down memory lane, Annual Report Avenue to be exact. DRUM ROLL PLEASE

You’ll be pleased to know that all FTSE100 companies (yes, all 100 of them!) now make reference to the newer (some may say cooler) “cyber” term or the more mature and old school (but just as valid) “information security” term in their latest annual report. CUE LIGHTING OF FIREWORKS

I could leave it there, but don’t worry, I won’t. I’m going to dig a little deeper.

As I was going through the reports, probably from about 20 reports in, it was clear that companies (and with that, boards) were starting to pay attention to cybersecurity. At that point it seemed a safe assumption that we’d have 100% ‘compliance’ with cyber, although I would of course verify this. So I changed tack: I wanted to get some quantifiable data out of this one, to be able to tell the middle part of the story, hopefully uncover some trends and, you guessed it, ask (and answer) the question of why they exist. The approach I took was this:

  • Record the number of instances the word “cyber” featured in the annual report
  • Record the number of instances the words “information security” (together) featured in the annual report
  • Record this against the “subsector” in which the company exists using the new updated Industry Classification Benchmark
  • Average the collective total of all the companies in the same “subsector”
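The counting and averaging procedure above, as an added worked example that is not part of the original post. The report excerpts and subsector labels are constructed for illustration (they are not real FTSE100 annual reports), and a bare "cyber" prefix match is assumed so that "cybersecurity" and "cyber-attack" count as instances of the word, while "information security" is only counted when the two words appear together.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample data: company -> (ICB-style subsector label, report excerpt).
# Real annual reports would be loaded from their extracted text instead.
SAMPLE_REPORTS = {
    "Bank A": ("Banks", "Cyber risk is a principal risk. We invested in cyber security "
                        "and information security controls during the year."),
    "Bank B": ("Banks", "Cybersecurity threats increased; the board reviews cyber "
                        "resilience quarterly."),
    "Miner C": ("Mining", "Information security is managed within the IT function."),
    "Miner D": ("Mining", "Operational safety remains our overriding priority."),
}

# "cyber" at a word start (matches cyber, cybersecurity, cyber-attack); case-insensitive.
CYBER = re.compile(r"\bcyber", re.IGNORECASE)
# "information security" only when the two words appear together.
INFOSEC = re.compile(r"\binformation\s+security\b", re.IGNORECASE)


def count_mentions(text):
    """Number of 'cyber' plus 'information security' instances in one report."""
    return len(CYBER.findall(text)) + len(INFOSEC.findall(text))


def subsector_averages(reports):
    """Average mention count per subsector, rounded to one decimal place."""
    counts = defaultdict(list)
    for subsector, text in reports.values():
        counts[subsector].append(count_mentions(text))
    return {subsector: round(mean(values), 1) for subsector, values in counts.items()}


def ranked(reports):
    """Subsectors ordered from most to fewest average mentions."""
    averages = subsector_averages(reports)
    return sorted(averages.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for subsector, average in ranked(SAMPLE_REPORTS):
        print(f"{subsector}: {average}")
```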

This time I’ve gone a little deeper with the analysis than in the previous years. I’m using the “subsector” Industry Classification Benchmark definitions which, to be fair, didn’t exist last time around; they give us the ability to drill down further into the specific industry.

Surprise, surprise (well, not really!): banks come in at the top of the list with an average of 47.6 (we’ll call it 48) instances of “cyber” or “information security” in their annual reports. The financial industry in the UK is probably the second most regulated industry, after health. The threat of fines and other such punishments for breaches has historically been, and continues to be, a real thing in this industry. I think that this fact alone helps focus minds at board level on investment in cybersecurity. This industry is very mature when it comes to cybersecurity, really leading the way with intelligence-led red teaming through the creation of CREST CBEST/STAR-FS engagements, which have board-level stakeholder buy-in.

One massive thing which has arrived on the scene since I last carried out this research is, CUE TRUMPET SOUND, the EU’s General Data Protection Regulation (or “GDPR” to you and me) in 2018, relating to the processing of UK and EU residents’ personal data. This has been implemented into UK law, so even Brexit can’t touch this one. Maximum fines are about £18 million or 4% of annual global turnover (whichever is greater) for infringements. I think this has focused the minds of every remaining FTSE100 company that previously wanted to stay out of the cyber party. This is probably why we have compliance across the board now.

At the opposite end of the scale are what I would class as the more traditional or industrial companies. The instances of all things cyber don’t even make it out of single figures! I think these industries have been a bit slower to react (based on the external perspective the annual report gives, anyway) and perhaps have other more pressing priorities among their principal risks and uncertainties, which the board has decided need more investment and attention.

On a positive note, overall, the direction of travel is the correct one. I honestly didn’t know what I would find revisiting this research 7 years on. It is good to see we’ve made some progress with getting cyber discussed in the boardroom.
