Trustwave Research: More U.K. Companies Identifying Security as a Major Risk, Uncertainty

No longer is cybersecurity solely an "IT issue" - and that's mainly because more than just the IT department is feeling the pain these days.

As we have seen from the well-publicized string of destructive compromises that have occurred over the past 12 months and beyond, data breaches are like a tornado: They spare no victim in their path of mayhem, from the CEO to the IT team to employees to customers. Still, not enough individuals at the top of the chain are making security a top priority. According to our 2014 State of Risk Report, 45 percent of businesses have board- or senior-level management who take only a partial role in security matters; 9 percent do not at all.

But improvement is happening. For the past two  years, I have researched how data protection is perceived in the boardroom at some of the U.K's largest companies. The research is based on references to "cybersecurity" in their annual reports - both in discussion and explicitly highlighted under the "principal risks and uncertainties" section, a telling barometer to where their priorities lie.

This year, I did it again - and found the results keep getting better.

For example, during the past couple of years, cybersecurity has increasingly become commonplace on the executive board's radar. In 2012, just 49 percent of the FTSE 100 companies referenced cybersecurity. In 2013, however, the number increased to 60 percent. And in 2014, more than three-quarters of companies (76 percent) mentioned it.

I saw significant improvement across all industries. Between 2012 and 2013, the utilities sector remained stagnant, with 60 percent referencing cybersecurity as a primary risk. In 2014, that number rose to 80 percent.

The financial and health care industries both showed an increase of 25 percent. The oil-and-gas sector, meanwhile, saw no change, but a solid majority - 85 percent - attributed cybersecurity in their annual reports.

So why are more companies paying attention to cybersecurity?

Major data breaches that made news headlines in 2013 may be a contributing factor, as well as government involvement to improve cybersecurity across all businesses, through initiatives like the Cyber Essentials Scheme. In some sectors, the increases in cybersecurity mentions could be due to the rise of internet-connected SCADA control systems and concerns over the security of critical infrastructure.

Whatever the reason, the increased awareness about cybersecurity at the board level is a step in the right direction. C-level executives must take a proactive approach to understanding the risks facing their businesses. They need to identify where their valuable information lives and moves, as well as isolate security weaknesses that could compromise that data. They should then remediate those deficiencies and deploy security controls and services that protect attack vectors. Finally, they should create and test an incident response plan so that if they are breached, they can respond and mitigate the damage as quickly as possible.

Also, a security program is only as good as the people who manage it. If businesses lack the manpower and skillsets to ensure their controls are installed, updated and working properly, they should augment their in-house staff and partner with a third-party team of experts whose sole responsibility is to protect their information.

Tom Neaves is a managing consultant at Trustwave.