Businesses Face £17m Fine for Poor Cybersecurity Plans Under New Directive

The UK government has announced proposals to impose severe financial penalties on companies with poor cybersecurity plans in place. Businesses that provide essential services like energy and transport could be fined as much as £17m.

Oliver Pinson-Roxburgh, EMEA director at Alert Logic, said: "Essentially, what the directive sets out to do is to drive security. In my experience a large proportion of organisations are not very good at responding to incidents and on average it's 205 days before a breached entity is able to detect a breach, and they often do not even detect it themselves.

"The NIS directive sets out measures designed to ensure critical IT systems in critical sectors of the economy like banking, energy, health and transport are secure, so it's shocking that not more organisations are concerned about or talking about it over or in addition to GDPR."

Some further points on the directive:

* Member states' preparedness, by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority.

* Cooperation among all the member states, by setting up a cooperation group in order to support and facilitate strategic cooperation and the exchange of information. They will also need to set up a CSIRT Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and the sharing of information about risks.

* A culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the member states as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority.

Also, key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with the security and notification requirements under the new directive.

Dean Ferrando, Systems Engineering manager (EMEA) at Tripwire, said: "These fines will act as a stark reminder that cyber security should be taken seriously. However, by implementing a defence system that focuses on the fundamentals: the people, the process and the technology, enterprises can already take the necessary steps to greatly reduce the risk of suffering a cyber attack and being fined, which could potentially put a company out of business.

"By educating the workforce, companies can reduce the risk of successful cyber-attacks which use methods like phishing and URL drive-by, which can also help users identify unusual system activity that may result from malicious action.

"Incident Response is just one example of where a well-defined and regularly practised process can make a huge difference to the outcome of an incident, possibly preventing that incident from becoming a breach. Technology, such as encryption and dual factor authentication, forms a large part of the Foundational Controls necessary to support a defence-in-depth security solution.

"Organisations also need to make sure that they have robust backup solutions and processes in place. Not running regular backup / restore tests could also leave them open to a single point of failure should there be any errors in the daily tasks.

"Only discovering these errors during a live failover could be classed as a major risk. On that note, all backup procedures should also factor in taking the backups offline during non-backup runs to avoid malware sneaking its way onto the backup sets to be reinstalled when a failover procedure is implemented.

"To stay one step ahead, organisations need to continuously implement risk assessments of the business, systems and data to uncover any unknown vulnerabilities."
