"WHSmith data breach spams confidential customer details," "Bank of England probes insurers' cyber defences," "Thomson data breach exposes hundreds of customer details" and "780 HIV patients' personal information disclosed in massive data breach." All headlines in the last 12 months from British publications talking about breaches in the UK. I've worked in the security industry for most of my career, and for years I've heard that businesses in the UK and the rest of Europe do not feel urgency around IT security because they aren't suffering breaches like companies in the US. Headlines like these demonstrate that just isn't true – at least not any more.
This misconception has caused UK companies to lag behind US companies when it comes to security. And this has monetarily impacted enterprises in the UK, and thus the UK economy. For example, a study conducted by the Centre for Economics and Business Research (CEBR) and commissioned by CA Veracode found that cyberattacks cost UK businesses £18 billion in lost revenue a year. And the issue is widespread: 81 percent of UK businesses reported a breach in 2014.
But not believing they are a target is only one reason UK companies lag behind US companies in terms of security. At UK companies, 66 percent of internally developed applications remain untested for critical vulnerabilities such as SQL injection. This is startling, as applications are one of the most common ways cyberattackers gain access to enterprise data. An IDG study from 2014 found that UK companies are more likely to focus their application security programs on only a subset of business-critical apps, rather than the entire application portfolio. Conversely, US organizations are more likely to issue mandates for enterprise-wide application security assessment programs – making programs at US enterprises, on average, more mature than those at UK enterprises.
What's a CISO at a UK company to do? One solution is to look at industry benchmarks for companies in the US and the UK and see how your company measures up. CISOs at UK companies should also talk to their peers overseas about their security programs and see if they can use this information to mature their own programs.
You can also get information on how the UK is lagging behind and tips for how to improve your security programs during a special SC Magazine webinar. For this webinar, CA Veracode's John Smith will discuss the key findings of the CEBR report as well as analyze why UK enterprises are falling behind in cybersecurity. You can register for the webinar here: https://engage.vevent.com/rt/scwc~veracode17septuk?code=VERA