SecurityScorecard has released a comprehensive analysis of the cybersecurity landscape of the FTSE 100 in the UK.
Using the world’s largest proprietary risk and threat intelligence dataset, SecurityScorecard analysed cybersecurity breaches across the UK’s 100 largest companies by market capitalisation.
Many companies have increased the cyberprotection of their ‘front doors’ through measures such as firewalls, stronger passwords and multi-factor identification. As a result, adversaries seek other ways to get in. Often, that means coming in through third-party vendors’ systems.
The new research spotlights why a company’s cybersecurity strength is directly linked to the security measures of even its smallest vendor. Globally, companies are increasing oversight of suppliers after major supply-chain cyberattacks have affected thousands of businesses and breached data on millions of customers.
Key findings include:
97% of the UK’s largest companies had a breach in their third-party ecosystem
This is in comparison to 94% of German companies; 98% of French companies; and 95% of Italian companies. Adversaries are increasingly incentivised to target smaller vendors to bypass robust and well-funded cybersecurity programs. Using an organisation as an unwitting Trojan Horse is far easier than directly compromising a major company with a fully staffed Security Operations Center and several layers of security controls.
The energy and basic materials sectors (mining and raw materials) have the strongest security posture in the UK
Only 12% and 16% respectively of the companies in these sectors had third-party breaches, and none of them received a C rating or below. Meanwhile, the financial sector is the second strongest in the UK, with only 5% of companies receiving a C rating or below. The communications sector had the lowest overall security posture, with 70% having a C rating or below.
UK has the strongest average cybersecurity rating compared to its neighbours
Our data shows that companies in the UK have the strongest overall cybersecurity (24% with a C or below) compared to their French, Italian and German counterparts, with 40%, 41% and 34% having a C or below, respectively. 85% of UK companies with an A grade have not been breached in the last year (demonstrating the importance of having an A grade), compared to 87%, 100% and 95% in France, Italy and Germany respectively.
UK companies with a higher market capitalisation have stronger cybersecurity
The 25 companies in the UK with the highest market capitalisation (over US$ 29 billion) have a stronger cybersecurity posture (12% with C rating or below) than the 75 companies with lower market capitalisation (US$5 Billion to US$28 billion) had an average of 28% with a C rating or below.
97% had a breach in their fourth-party ecosystem
By comparison to 95% of German companies; 100% of French companies; and 97% of Italian companies. A vendor experiencing a third- or fourth-party compromise could affect a large number of its customers, or even customers of its customers, in one fell swoop. The MOVEit exploit was discovered in the spring of 2023, and organisations are still dealing with the fallout of the breach, which is projected to cost at least US$65 billion.
12% experienced a direct breach in the last year
Compared to 8% of German companies; 7% of French companies; and 3% of Italian companies. All companies should prioritise improving application and network security. These two aspects are fundamental to safeguarding against a wide range of cyberthreats. Any company – regardless of size, industry, value or revenue – can be a target for cybercriminals if it doesn’t have strong cyberdefences.