Lax cyber security measures could cost UK infrastructure firms £17m

Government proposes tough fines to protect essential UK services from hackers

UK companies running essential services and critical infrastructure may face eye-watering fines if their systems' cyber security is found lacking.

Failure to implement effective cyber security measures could see organisations fined up to £17 million, or 4% of their global turnover, under a consultation launched by the Department for Digital, Culture, Media and Sport (DCMS). This is the same penalty facing firms that fail to protect people's personal data under the government's new Data Protection Bill.

The proposals come after the havoc wrought by May's WannaCry ransomware attack on critical targets like the NHS, which saw a swathe of its hospitals effectively grind to a halt as the ransomware shut out access to core IT systems.

DCMS has been deciding how best to implement the Network and Information Systems (NIS) Directive, due to come into effect in May 2018, in order to make Britain's essential infrastructure resilient against future cyber attacks.


"We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards," explained Matt Hancock, minister for digital.

"The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim."

However, the fines will be used as a last resort and will not be applied to service operators that have put appropriate cyber security defences in place but have still suffered a successful attack.

Under the proposals out for consultation, critical infrastructure organisations will need to develop a cyber security strategy and adopt policies that both understand and manage the potential cyber attack risks they could face.

This will require them to do more than just protect their IT systems: they will also be responsible for ensuring staff are aware of the attacks they might face, for monitoring for signs of a breach, and for being ready to report incidents as they develop.

Cyber security experts have welcomed the government's proposal, believing it will prompt organisations to move away from systems that lack robust cyber security in the face of relentless hackers.


"This government proposal once again highlights the need for better security across the nation's most essential services," said Dan Sloshberg, cyber resilience expert at Mimecast.

"Studies consistently show that email is the number one attack method used to spread malware that holds critical services, such as energy and transport, to ransom. Despite this, many of these organisations still rely on outdated email security controls that were never designed to stop advanced attacks. It is vital organisations who manage critical services invest in a cyber resilience strategy that involves strong methods of protection, combined with a reliable archive and recovery strategy for data and operational systems, to get back on their feet if something does get through."

The proposed fines and the NIS Directive both form part of the UK government's £1.9 billion National Cyber Security Strategy, which aims to bolster the UK's cyber defences and its cyber security industry in the face of significant cyber attacks that can cause economic and reputational damage, such as WannaCry and the NotPetya malware outbreak.

Picture: Bigstock
