
Last Minute Homework?

Whilst GDPR took all the headlines and security glory over the last year, the EU Network and Information Systems (NIS) Directive has sneaked in under the radar and becomes effective on 9 May 2018, with penalties for non-compliance in the same eye-watering league as its more (in)famous GDPR partner.

The UK Government (HMG) has recently warned the bosses of Britain’s most critical industries to boost cyber security or face hefty fines for leaving themselves vulnerable to attack following the introduction of the Network and Information Systems (NIS) Directive this May.

Energy, transport, water and health firms could be fined up to £17 million if they fail to have the most robust safeguards in place against cyber-attack.

New regulators will be able to assess critical industries to make sure plans are as robust as possible to ensure business continuity.

This, says HMG, will ensure UK operators in electricity, transport, water, energy, health and digital infrastructure are prepared to deal with the increasing number of cyber threats.

The NIS Directive will also cover other threats affecting IT, such as power outages, hardware failures and environmental hazards. Under the new measures, recent cyber breaches such as WannaCry and high-profile systems failures would be covered by the Directive.

These incidents would have to be reported to the regulator, who would assess whether appropriate security measures were in place. The regulator will have the power to issue legally binding instructions to improve security and, if appropriate, impose financial penalties.

Margot James, Minister for Digital and the Creative Industries, said, “We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services.

The National Cyber Security Centre (NCSC), the UK’s centre of cyber excellence established in 2017, has published detailed guidance on the security measures to help organisations comply. These are based around 14 key principles set out in our consultation and government response, and are aligned with existing cyber security standards.”

NCSC CEO Ciaran Martin confirmed that their ‘new guidance will give clear advice on what organisations need to do to implement essential cyber security measures’.

He added that “Fines would be a last resort and will not apply to operators which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack.”

Following Government’s urging of Britain’s most critical industries to protect their essential services from cyber-attacks, we spoke to Steve Malone, director of security product management at security, archiving and continuity firm Mimecast.

Malone welcomed the NIS Directive as a clear risk-based approach to building cyber resilience around the essential services that keep UK citizens safe and productive.

“WannaCry was a wakeup call and highlighted the disruptive power and scale cyber-attacks can have on our critical national infrastructure.

This legislation clearly signals the move away from pure protection-based cybersecurity thinking. Robust business continuity strategies have never been more important to ensure organisations can continue to operate during an attack and get back up on their feet quickly afterwards.

It’s only a matter of time before we see another category 1 attack (e.g., WannaCry) and we need to be prepared.

GDPR compliance stole many of the headlines last year, but the NIS Directive is the most important deadline in May for the future protection of the nation.”

Malone added that everyone working in the technology sector knows that, no matter what you do to protect yourselves, you cannot guarantee you will be 100% successful.

“Organisations will continue to be breached, and I caution all organisations not to be blinkered or become complacent about the protection you put in alone. Ask yourself ‘How would we carry on working?’

Recoverability from an attack is critical, especially for email. Most businesses run on email, but unfortunately attackers know this. It’s why 91% of cyber-attacks start with a phishing email. You need to ask yourself a series of ‘what if…’ questions. Imagine the scenarios and make sure you have the answers. Don’t leave your homework until the last minute!”