Cyber regulations

by Mark Rowe

Energy, transport, water and health firms must put cyber security measures in place or face fines if they are found vulnerable to attack. The Government is proposing fines of up to £17m for critical infrastructure firms that fail to have the most robust safeguards in place against cyber attack.

Under the European Union-wide Security of Network and Information Systems (NIS) Directive, new regulators will be able to assess critical industries to make sure their plans are as robust as possible. A reporting system will be set up for cyber breaches and IT failures so that they can be identified and acted upon. The NIS Directive becomes UK law (like the separate GDPR, the General Data Protection Regulation) in May.

Also covered will be other threats affecting IT, such as power outages, hardware failures and environmental hazards. Recent cyber breaches such as WannaCry, and high-profile systems failures, would fall under the NIS Directive. These incidents would have to be reported to the regulator, who would assess whether appropriate security measures were in place. The regulator will have the power to issue legally binding instructions to improve security and, if appropriate, to impose financial penalties.

Margot James, Minister for Digital and the Creative Industries, said the cyber security measures were to help ensure the UK is the safest place in the world to live and be online. “We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services. I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security.”

The UK’s National Cyber Security Centre (NCSC), set up in 2017, has published guidance on the security measures to help organisations comply.

National Cyber Security Centre CEO Ciaran Martin said: “Our new guidance will give clear advice on what organisations need to do to implement essential cyber security measures. Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible.”

Comments

Lorena Marciano, EMEAR Data Protection and Privacy Officer at Cisco said that the financial implications of these sanctions are set to go well beyond the suggested £17m fines. “According to Cisco’s Data Privacy Benchmarking Study, 74pc of organisations which are seen as privacy-immature experienced losses of more than £350,000 in 2017, as a result of data breaches. This comes in stark comparison to those companies which went beyond data privacy compliances, with only 39pc of privacy mature organisations seeing losses of a similar amount. These figures indicate that provisions shouldn’t be adopted for the single purpose of avoiding fines, but that organisations which are willing to go beyond the set compliances will reap the long-term financial benefits as well as protecting customer data.”

Azeem Aleem, Director – Advanced Cyber Defence Practice EMEA at RSA Security, said: “While the Data Protection Act and GDPR cover loss of personal data, the NIS applies to Critical Infrastructure providers to ensure they maintain an appropriate level of service with incident response plans, information sharing and Cyber Incident Response Team (CIRT) capabilities. Protecting our critical infrastructure is a matter of national security, but cybersecurity is often more complex within these environments.

“Critical infrastructure providers have a long way to go if they are to comply with the directive. Firstly, it is only in recent years that old manual systems have been ‘digitised’ and connected, which means these companies are often years behind those in banking and retail. They are unable to correlate security events to specific business outcomes – a problem we call the ‘Gap of Grief’. Take the recent wave of WannaCry and Petya attacks; the industry was quick to cry ‘patch’, but actually that isn’t always possible as patching systems without proper testing could actually cause more damage.

“My advice would be to face these challenges head on and the only way to do this is by having visibility and context. This means conducting a thorough risk assessment, understanding the dependencies between systems, using threat detection to monitor and alert on attacks, and contextualising results with business context in order to prioritise events.”

Steve Malone, director of security product management at Mimecast, welcomed the NIS Directive as a clear risk-based approach to building cyber resilience around essential services. “WannaCry was a wakeup call and highlighted the disruptive power and scale cyber-attacks can have on our critical national infrastructure. This legislation clearly signals the move away from pure protection-based cybersecurity thinking. Robust business continuity strategies have never been more important to ensure organisations can continue to operate during an attack and get back up on their feet quickly afterwards. It’s only a matter of time before we see a category 1 attack and we need to be prepared. GDPR compliance stole many of the headlines last year but the NIS Directive is the most important deadline in May for the future protection of the nation.”

Rob Norris, VP Head of Enterprise and Cyber Security EMEIA at Fujitsu, said: “In light of recent attacks, which highlighted the enormous cost of a major security breach, it’s promising to see new guidance published in order to ensure organisations are doing their bit to bolster cyber security. With our latest report revealing that a fifth of the UK public believe cybercrime and hacking are the biggest challenges facing the UK today (above global economic uncertainty and the skills gap), every single organisation has an obligation to make data protection as much of a priority as the public, who are regularly asked to hand over financial and other personal data.

“Although organisational awareness of potential attacks is on the rise, online criminals are finding new and creative ways to dupe people into compromising sensitive financial and personal data. This means that ‘unusual behaviour’ is getting harder to detect and might not seem unusual at all. With employees on the front line of this battle, upskilling employees and making them more cyber aware is one of the most cost effective ways of reducing the probability and impact of human error.

“Despite this, organisations still need to adopt a two-pronged approach by complementing employee training and awareness with continued investment in technical and security controls. In doing so, organisations can be on the front foot for proactively identifying and managing threats instead of waiting for breaches to happen. Even the best-run company could suffer from a hack or data breach. The ripple effects of an attack no longer stay within the four walls of an organisation, and businesses of all sizes must rethink their approach and stop defying cybersecurity practices.”


© 2024 Professional Security Magazine. All rights reserved.