Experts give their views to news that ‘essential infrastructure’ operators could be fined if service is disrupted due to poor cybersecurity
The Department for Digital, Culture, Media and Sport (DCMS) has outlined proposals that would see operators of ‘essential infrastructure’ fined up to £17 million (or four percent of global turnover) if they suffered a cyberattack after failing to take adequate measures.
The proposals form part of a consultation on how to implement the Network and Information Systems (NIS) directive from next year.
You can read the full story here, but what do the experts think?
TechUK: Talal Rajab, Head of Programme for Cyber
“In order to protect the UK’s digital economy, we agree that operators of essential services need to be resilient to the growing cyber threat. This includes putting in place effective security measures, such as security monitoring and the training of staff, and developing policies to respond to a cyber incident.
“Questions remain, however, over the scope of ‘essential services’ that the Directive should cover as well as the timelines with which companies should be expected to report an incident. techUK will be consulting with its membership in particular to see how these measures will affect Digital Service Providers and will be providing feedback to DCMS via workshops.”
ZoneFox: Jamie Graves, CEO
“May’s WannaCry attack is a clear proof point for why the NISD is much needed. The way in which businesses need to secure themselves is no different from a phone shop to the National Grid.
“Data is the key piece of the puzzle, or more specifically, an awareness of data. Making sure that you have network visibility of information – and those accessing it – while it is stored, on the move or taken off the network is the first line of defence against any attack or potential attack.
“Coupling this with a reporting system that can alert the necessary authorities as quickly as possible and a robust backup will mean essential services are kept online and are in a much stronger position to protect themselves.”
Fujitsu: Sarah Armstrong-Smith, Head Continuity & Resilience, UK & Ireland
“This latest warning from the DCMS demonstrates the reality we now all live in, where cyber-attacks and data breaches are always going to be a threat.
“The worrying reality is that security is often an afterthought and security fundamentals are still not being followed, such as changing default passwords. Hopefully the news of such fines will wake organisations up to the seriousness of the consequences from a financial standpoint, never mind a reputational one.
“In security we talk about ‘when’, not ‘if’, a security breach will occur, but that does not mean organisations should not be taking all the necessary precautions to limit the potential impact of a breach. In fact, the fast approaching implementation of GDPR will oblige organisations to carry out thorough preparations of their systems. Organisations should also use this as an opportunity to get all of their cyber measures in place, not just their data.”
McAfee: Gordon Morrison, Director of Government Relations
“Recent global cyber events have highlighted the need to protect essential services from cyberattack. It is not surprising that the government is introducing greater responsibilities to organisations providing essential services and penalties to firms that suffer cyberattacks without adequate security measures being in place.
“This new regulation will potentially prove crucial in ensuring that a minimum standard of cybersecurity is maintained and help avoid unnecessary disruption to these essential public services.”
Smoothwall: Rob Wilkinson, Corporate Security Specialist
“On the face of it, it could seem like an empty threat, but the government’s plans to fine firms for failing to protect themselves from cyber attacks are an important step in protecting the services that keep our country running.
“The companies that provide water, energy, transport and health services are the ones in the government’s line of sight; as we’ve seen with the WannaCry attacks recently on the public health service, such a similar attack on our infrastructure can have seriously debilitating consequences.
“It’s not just data exploitation that’s the issue here – companies need to ensure they are protected as fully as possible from DDoS attacks, site outages and the risk of malware. Only by shoring up their web defences that span encryption, firewalls, web filtering and ongoing threat monitoring – and offering training to staff to teach them the dangers that cyber attacks pose – can a company truly say that they have a properly layered cyber defence.
“It’s not just small businesses that are at risk here; the very fabric of our country could be unwoven with an unprecedented attack on some of our most important services.”