The UK is proposing a hefty fine for critical national infrastructure (CNI) companies that fail to protect against loss of service due to cyberattacks.[1] For companies that do not comply with the new regulations, the fine could be as high as £17 million, or up to four percent of annual turnover.
Among other criteria, the fine would be assessed against companies that fail to:
- Develop a strategy and policies to understand and manage their cybersecurity risks
- Implement security measures to detect and prevent attacks or system failures
- Deploy security monitoring
- Take steps to raise staff awareness and require training
- Assess their risks adequately or take appropriate security measures
The proposed measures will also cover threats affecting IT such as power and hardware failures and environmental hazards. This mandate comes on the heels of the EU’s impending General Data Protection Regulations (GDPR), which sets guidelines for how sensitive data should be protected. While GDPR focuses more on data loss prevention, this proposed legislation shifts the focus to comprehensive cybersecurity resilience and preparedness.
The legislation will help strengthen the security standards of industries that operate critical infrastructure that people depend upon. UK companies that operate electricity, transport, water, energy, health and digital infrastructure will be forced to take necessary measures to meet the challenges presented by modern cyber threats.
This proposal comes just months after several organisations in the United Kingdom fell victim to global cyberattacks including WannaCry – a ransomware campaign that held more than one million computer systems hostage – and Petya – the wiper attack that destroyed files on machines in more than 60 countries.
This fine will address the changing dynamics of the nation’s CNIs. As they move towards increasingly connected large networks that allow for monitoring and remote automated control via computer networks, the potential for cyberattacks rises.
According to a report released by the UK government, cyberattacks on CNIs can be motivated by financial gain (e.g. by ransom), to manipulate public opinion, demonstrate an attacker’s prowess, conduct espionage or cause physical disruption.[2] Potential attackers range from individuals and activists with limited capability to organised crime groups and nation-states with significant expertise and resources.
The report also notes that foreign states or state-sponsored groups regularly attempt to penetrate UK networks, specifically targeting the defence, finance, energy, telecommunications and government sectors.
Is your company prepared for similar legislation? Here are some measures you can take to boost your cybersecurity:
- Encryption – store sensitive data that is only readable with a digital key
- Integrity checks – regularly check for any changes to system files
- Network monitoring – use tools to help you detect for suspicious behaviour
- Penetration testing – conduct controlled cyberattacks on systems to test their defenses and identify vulnerabilities
- Education – train your employees in cybersecurity awareness and tightly manage access to any confidential information
Although cybersecurity regulations will require significant effort for the companies that are affected, this new legislation by the UK government demonstrates that they understand the severity of cyber threats in today’s digital world and the destruction they can cause, if undeterred.
Even if you’re not a CNI, cyber threats should concern you. With cybercriminals constantly adjusting their tactics, it is imperative that companies never stop defending themselves by constantly improving and expanding their cybersecurity practices. Managed detection and response (MDR) and incident response planning are common ways companies can stay ahead of their attackers.
MDR is an all-encompassing cybersecurity service used to detect and respond to cyberattacks. Using the best of signature, behavioral and anomaly detection capabilities, along with forensic investigation tools and threat intelligence, human analysts hunt, investigate and respond to known and unknown cyber threats in real time, 24x7x365.
