The UK recently proposed a hefty fine (as high as £17 million, or up to 4 percent of annual turnover) for Critical National Infrastructure (CNI) companies that fail to develop strategies and policies, and to implement security measures, for managing their cybersecurity risks.
This mandate comes on the heels of the EU’s impending General Data Protection Regulation (GDPR), which sets guidelines for how sensitive data should be protected. While GDPR focuses more on data loss prevention, this proposed legislation shifts the focus to comprehensive cybersecurity resilience and preparedness.
As CNIs move towards increasingly connected large networks that allow for monitoring and remote automated control via computer networks, the potential for cyberattacks rises. The legislation will help strengthen the security standards of the industries that operate the critical infrastructure people depend upon: electricity, transport, water, energy, health, and digital infrastructure companies will be forced to take the measures necessary to meet the challenges presented by today's cyber threats.
Eldon Sprickerhoff, founder and chief security strategist at cyber security company eSentire added, “Although cybersecurity regulations will require significant effort for the companies that are affected, this new legislation by the UK government demonstrates that they understand the severity of cyber threats in today’s digital world and the destruction they can cause, if undeterred.
“Even if you’re not a CNI, cyber threats should concern you. With cybercriminals constantly adjusting their tactics, it is imperative that companies never stop defending themselves by constantly improving and expanding their cybersecurity practices. Managed detection and response and incident response planning are common ways companies can stay ahead of their attackers.”
Additionally, eSentire recommends the following measures be taken to help boost companies' cybersecurity:
* Encryption – store sensitive data so that it is readable only with a digital key.
* Integrity checks – regularly check for any changes to system files.
* Network monitoring – use tools to help you detect suspicious behaviour.
* Penetration testing – conduct controlled cyberattacks on systems to test their defenses and identify vulnerabilities.
* Education – train your employees in cybersecurity awareness and tightly manage access to any confidential information.