TransInfo


New report on FTSE 100 companies highlights 3rd-party supply chain cybersecurity risk

The report finds that many top UK companies are at risk from third-party security breaches in their supply chains.


The latest cybersecurity report by SecurityScorecard contains analysis of the UK’s FTSE 100 companies with respect to their cybersecurity postures and the risks associated with them.

According to the report, historically, there has been a lack of stringent breach reporting requirements for companies. This, argues SecurityScorecard, has left stakeholders without important information on cybersecurity incidents.

Therefore, the authors of the report claim that the necessity for a universal framework to measure cybersecurity risk has become apparent, much like how credit scores standardise financial assessments.

SecurityScorecard says it has addressed this need by developing a system that uses threat intelligence data to rate cybersecurity risk with an “A” through “F” letter-grade system.

Industry-specific cybersecurity performance

In the report, cybersecurity performance is segmented by industry, with businesses in the Basic Materials and Energy industries scoring particularly well. Indeed, no company in either sector had a C rating or below.

The data in the report also suggests that the financial sector has demonstrated robust cybersecurity, with only 5% of companies rated C or worse.

However, in stark contrast, SecurityScorecard’s research found that the Communications sector has the weakest cybersecurity posture, with 70% of its companies having a C rating or below. Similarly, the Healthcare sector appears to have cybersecurity shortcomings, with 50% of companies receiving a C rating or below.

Supply chain vulnerabilities

Supply chain vulnerabilities are another major concern highlighted in the report.

SecurityScorecard research found that 97% of UK companies had a breach in their third-party ecosystem, and the same percentage had a breach in their fourth-party ecosystem.

UK compared to 3 European nations

The report also benchmarks UK companies against their counterparts in Germany, France, and Italy, revealing that UK companies have a stronger overall cybersecurity posture, with only 24% rated C or below, compared to 34% in Germany, 40% in France, and 41% in Italy.

Despite this relatively strong performance, UK companies still face significant risks from third- and fourth-party breaches, as do companies in other European countries.

“Third-party risk management is a key component of any robust cybersecurity program, and the companies represented in this report would benefit by making it a priority. The sectors and organisations in the UK (and in Europe as a whole) need to do more now if they are going to be ready for the implementation of DORA [Digital Operational Resilience Act] by January 2025, as well as the NIS2 directive,” says SecurityScorecard’s Will Gray, Director of Northern Europe, commenting on the study.

Gray adds:

“The rise of data breaches across Europe demonstrates that UK companies need to make third-party risk management (TPRM) an integral component of not only their security program but of their vendor selection process as well.”

The report also notes that a vendor experiencing a third- or fourth-party compromise “could affect a large number of its customers, or even customers of its customers, in one fell swoop”.

One of the high-profile examples referred to in the report concerns the exploitation of the MOVEit file sharing service last year, which SecurityScorecard says is projected to cost at least $65 billion.

Economic correlation with cyber resilience

An interesting aspect highlighted by the report is the correlation between a nation’s GDP and its cyber resilience.

Wealthier countries, including the UK, tend to exhibit better cybersecurity practices due to their ability to invest in advanced security measures. This economic advantage translates into more robust cybersecurity infrastructures and better overall security postures.

“While more capital does not always translate into better cybersecurity programs, it does provide companies with the resources necessary to invest in robust measures. Any company—regardless of size, industry, value, or revenue—can be a target for cybercriminals if it doesn’t have strong cyber defences,” states the report.

Recommendations for enhancing cybersecurity

The authors of the report conclude that in order to mitigate risk and enhance overall cybersecurity posture, all companies should prioritise improving application and network security.

The authors of the report also stress that for high-risk businesses, DNS health, endpoint security and patching cadence should be a priority. This would involve ensuring the health and integrity of DNS configurations as well as securing laptops, desktops, mobile devices, and BYOD hardware.

SecurityScorecard also underlines that such companies should have “a consistent and timely patching cadence for your systems, software, and hardware”.