Cyber attacks are one of the biggest threats facing governments and companies across the world, and proposed UK legislation would make organisations pay for inadequate security.
The Network and Information Systems (NIS) Directive will be implemented from May 2018, and a new government consultation has been launched to discuss how best to enforce the legislation.
One policy suggested by the Department for Digital, Culture, Media and Sport is that firms that fail to employ effective cyber security measures could be fined as much as £17m or four percent of global turnover if hit by an attack.
This is similar to the fines that will be levied on companies that fail to protect customer data under the new GDPR rules, which were announced yesterday.
Which companies could be affected by the fines?
The organisations that would be hit with such fines are those that make up Britain’s essential networks and infrastructure: those where a cyber attack would lead to a “loss of service” rather than a loss of data.
This includes UK operators in electricity, transport, water, energy, health and digital sectors.
The UK’s digital minister, Matt Hancock, said:
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing rise of cyber attack and more resilient against other threats such as power failures and environmental hazards.
“The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim.”
Why is there an impetus to fine companies for cyber attacks now?
The consultation comes after the UK and the world have suffered some of the worst cyber attacks in recent history.
The WannaCry ransomware attack in May infiltrated the UK’s National Health Service (NHS) and over 300,000 computers worldwide.
Then in June, the Petya/NotPetya ransomware attack took down parts of the Ukrainian government as well as global companies, including the shipping company Maersk.
The idea behind the fines is that if companies or organisations aren’t implementing stringent cyber security measures and are hit by a hack or ransomware attack similar to the ones seen this year, they will be fined for negligence.
“Fines would be a last resort, and they will not apply to operators that have assessed the risks adequately, taken appropriate security measures and engaged with competent authorities but still suffered an attack,” says the consultation.
Alongside the fines, the government is proposing a number of security measures to accompany the implementation of the NIS Directive, to ensure that all affected companies have appropriate measures in place.
For instance, operators will be required to develop strategies and policies to understand and manage their risk; develop measures for security monitoring and to detect attacks; and raise awareness with staff training so incidents are reported as soon as they happen.
The UK’s National Cyber Security Strategy
The NIS Directive is part of the government’s five-year £1.9bn National Cyber Security Strategy, which included the opening last year of the National Cyber Security Centre (NCSC), part of GCHQ.
The NCSC aims to protect the UK on the cyber front lines and has developed training schemes to help public and private organisations protect themselves from online threats.
The NCSC’s chief executive, Ciaran Martin, said:
“We welcome this consultation and agree that many organisations need to do more to increase their cyber security. The NCSC is committed to making the UK the safest place in the world to live and do business online, but we can’t do this alone.”
Even without government fines, cyber attacks are costing UK companies. According to research by IT consultancy CGI and Oxford Economics, attacks have cost companies around £42bn since 2013, in terms of loss of reputation and the fall in share prices once a hack is revealed.
In response, worldwide spending by companies on technology and staff to prevent such attacks is expected to reach around $106.1bn in 2017, according to IDC.
Rob Wilkinson, corporate security specialist at internet security firm Smoothwall, said:
“Cyber security is not something any company of any stripe can take lightly nowadays – you only need to look at the various dating organisations, holiday websites, telecoms companies and email services that have been attacked recently to know that anyone can be a target.
“It’s not just data exploitation that’s the issue here – companies need to ensure they are protected as fully as possible from DDoS attacks, site outages and the risk of malware.
“Only by shoring up their web defences that span encryption, firewalls, web filtering and ongoing threat monitoring – and offering training to staff to teach them the dangers that cyber attacks pose – can a company truly say that they have a properly layered cyber defence.”
In the UK, several security startups have launched that harness artificial intelligence to detect and prevent these kinds of attack.