Nine Cyber Attacks On UK’s Transport Sector Missed

BACKGROUND:

It has been reported that nine cyber-attacks affecting the British transport sector were missed by the UK's mandatory reporting laws and were only disclosed to the government on a voluntary basis, Sky News has learned. A law introduced three years ago was intended to boost Britain's ability to defend itself from foreign states and criminal hackers by obliging critical infrastructure organisations to report incidents.

Andy Norton , European Cyber Risk Officer
InfoSec Expert
September 1, 2021 12:05 pm

The inherent loophole in mandatory breach disclosure is the subjective measure of what constitutes a "substantial breach" upon which you must notify. The added complication is the requirement to notify within 72 hours of the breach being discovered, when you may not have an understanding of the extent of the breach in this timeframe or when the full substance of the breach may not be understood. The subjective measure of substantiality may also be an incentive not to divulge the extent of the breach to avoid paying fines that form part of the NIS legislation. NIS2, an update to the current NIS legislation, introduces penalties for non-compliance with best practices, and so it will incentivise organisations to adopt defence-in-depth practices or face similar fines, taking the emphasis away from divulging breaches and pushing towards cyber resilience.

Information Security Buzz