As part of the much talked about Cyber Security Strategy, the UK Government is “committed to helping reduce vulnerability to attack and ensure that the UK is the safest place to do business”. One strand of the strategy was an executive briefing, which targeted the most senior levels in the UK’s largest companies and provided them with advice on how to safeguard their most valuable assets, such as personal data, online services and intellectual property.

In September 2012 the UK Government launched Cyber Security Guidance for Business at an event that was attended by FTSE 100 CEOs and Chairs. The guidance included detailed information and advice for 10 critical areas covering technical, process and cultural areas for businesses.

With this in mind, Trustwave looked at the UK FTSE 100 companies, examining the most recent annual reports and identified whether the board had explicitly itemised cyber security as a material risk to the business, or at the very least called out the potential impact that the loss of customer data may cause.

Using the standard Industry Classification Benchmark, the data was broken down by industry, where Trustwave identified that 49% of UK FTSE 100 companies specifically highlighted cyber security in their annual reports. It comes as no surprise that Telecommunications, Technology and Financial organizations fared well in identifying cyber risk in their reports.


However, Health Care and Basic Materials companies overall give little to no mention of cyber risk, whilst four Consumer Services firms did not make any explicit mention at all which is concerning considering they are likely to hold sensitive customer data.

An important point to note about this research is that although an organization may not have directly identified cyber-risk in their annual report, it is not to say that they are not already aware of the risks in operating online. However, as we so often see, organizations are run from the board room and for cyber security to be taken seriously throughout an organization it needs to be the board that sets the agenda for the business. If many of the UK’s largest firms are not considering cyber risk as being part of the equation that could be harmful to their business then the outlook is pretty bleak for small and medium-sized enterprises.

What is evident is that the UK Government has identified cyber security as an increasingly important topic for discussion within businesses, and the Cyber Security Strategy has made it a priority to educate companies on the risk associated with being online. At a high level this certainly is noble, but the implementation of the any security strategy still falls to the individual company, and no matter what guidance the UK Government may provide, there is not necessarily a requirement to follow or adhere to that guidance.