Despite the average company using 75 separate cyber defence systems to police their network, during his 2014 speech Martin Wheatley (the then CEO of the FCA) stated that nine in ten firms had suffered security breaches in the course of the year.
Similarly alarming is the sheer number of potential attacks to which companies are vulnerable. Action Fraud lists over thirty potential attacks, both cyber and non-cyber, that could harm companies, including account takeover, domain name scams, and investment share and sale fraud. Recently publicised cases, however, all involved what is called a Distributed Denial of Service, or DDoS. This attack overwhelms a website with traffic, taking it offline, and is often used as a smokescreen for other attacks.
Given this information, one might expect the risk management section of any PLC’s annual report to be littered with cyber information and risk mitigating actions. On the contrary, EY’s report, ‘Annual reporting in 2014: reflections on the past, direction for the future’, claims that only 17% of companies report cyber security as a risk. Furthermore, whilst 90% of the 292 respondents to the CFA’s annual survey on Financial Reporting and Analysis stated that the principal risks and uncertainties section of a report was useful, it was also the section deemed to be in the most need of improvement.
As argued by Deloitte, cyber attacks are already causing significant damage to organisations: business disruption, financial fraud and customer data loss are just the short term problems, and long term reputational damage is also a significant consequence. Stakeholders need to be assured that the company they support is secure, with the right controls in place; vigilant, in understanding how these threats are changing; and resilient, in ensuring that it is prepared to deal with an attack should one be successful.
Having explored some of the statistics behind cyber security here, watch out for the second article of this series which will contain research examining all of the FTSE 100 companies and a sample of the FTSE 250 to determine if they include cyber breach as a risk, and if so, to what degree.