Following the new UK Government announcement that critical national infrastructure firms that fail to protect themselves effectively from cyber-attacks will face fines of up to £17m, Adrian Davis, EMEA Managing Director for (ISC)², the largest membership body of information security professionals in the world, commented as follows.
Adrian Davis, EMEA Managing Director at (ISC)²:
“With the NIS directive on the horizon, organisations deemed ‘essential services’ will have begun implementing the necessary changes and practices outlined in the UK government’s guidance on the EU legislation. Responsible organisations that have followed this guidance should have more clarity and understanding of their security processes.
For example, communicating a cyber breach has always been an issue for firms; there’s never been a clear enough process to determine what’s happened and whose responsibility it is to manage it. The new legislation includes a cyber incident reporting system which will go a long way to addressing this grey area of communication.
Ultimately this may look like yet another costly exercise and piece of legislation, but the value to firms in a business sense is enormous for those that get it right. Protecting against increasing digital threats has the potential to save firms hundreds of thousands of pounds in mitigating cyber attacks and breaches.
Foreign interference from state actors is a growing issue; however, the greatest threat to organisations comes from within. A lack of cyber security skills and awareness amongst employees leaves firms vulnerable to the kinds of attacks used by state actors. Improving cyber security skills at all levels, in grass-roots education and within the workplace itself, is critical to providing UK businesses with the means to defend themselves.
Technology can only go so far in protecting an organisation and should be used to enhance existing security procedures. As well as targeting vulnerable systems, cyber criminals are now duping or tricking individuals into compromising systems through spear-phishing attacks. Focusing on cyber security skills and practices across the organisation, so that employees can recognise everyday cyber threats, whether it’s a phishing email, a vulnerable way of sending documents or attacks engineered over social media, will enhance a firm’s security almost instantly.
Many critical infrastructure firms are embracing Industry 4.0 and introducing internet-connected devices into their operations. Sadly, security is rarely a priority for the manufacturers of these devices and, as a result, a whole new vector of attack has opened for cyber criminals to take advantage of. Before implementing IoT devices, such as electronic sensors and monitoring equipment, firms should look at how it affects their security. Many industrial control systems run on outdated SCADA systems which can be vulnerable to attack. Organisations should adopt security approaches that are proactive and predictive rather than reactive. Ultimately, securing critical national infrastructure means ensuring they have secure people, processes and technologies, as any weak link renders the whole chain vulnerable.”