News broke this morning that the UK government have announced proposals to impose severe financial penalties on companies with poor cybersecurity plans in place, with fines reaching up to £17 million. IT security experts commented below.
Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:
Some further points on the directive:
- Member states' preparedness, by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority.
- It also requires cooperation among all the member states, by setting up a cooperation group, in order to support and facilitate strategic cooperation and the exchange of information. They will also need to set up a CSIRT Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.
- A culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the member states as operators of essential services will have to take appropriate security measures and notify serious incidents to the relevant national authority. Also, key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with the security and notification requirements under the new directive.
Dean Ferrando, Systems Engineering Manager (EMEA) at Tripwire:
By educating the workforce, companies can reduce the risk of successful cyber-attacks which use methods like phishing and URL drive-by, which can also help users identify unusual system activity that may result from malicious action. Incident Response is just one example of where a well-defined and regularly practised process can make a huge difference to the outcome of an incident, possibly preventing that incident from becoming a breach. Technology, such as encryption and dual factor authentication, forms a large part of the Foundational Controls necessary to support a defence-in-depth security solution. Organisations also need to make sure that they have robust backup solutions and processes in place. Not running regular backup / restore tests could also leave them open to a single point of failure should there be any errors in the daily tasks. Only discovering these errors during a live failover could be classed as a major risk. On that note, all backup procedures should also factor in taking the backups offline during non-backup runs to avoid malware sneaking its way onto the backup sets to be reinstalled when a failover procedure is implemented. To stay one step ahead, organisations need to continuously implement risk assessments of the business, systems and data to uncover any unknown vulnerabilities.
Bill Evans at One Identity:
“This particular piece of legislation appears to be a reaction to both of those events. First, the fines being contemplated by this piece of legislation are material, much like those being imposed by GDPR. In addition, the fines are not absolute. Consideration will be given for organizations that have taken steps to mitigate cyber risk, even if a security breach befalls the organization. Secondly, whereas GDPR and similar legislation being proposed in the UK focus on citizen data, this new piece of legislation focuses on “continuation of service.”
In general, legislation of this type sounds great at the surface, but the “devil is in the details.” What does it mean to take steps to prevent a cyber-induced stoppage in service? Does it include specific technologies like multi-factor authentication and privileged management but not access governance? Is access governance part of the base capabilities an organization should enact? It should be noted that the UK government is holding workshops with operators so they can provide feedback on the proposal. Ideally this type of communication will remove the devil as the details are defined.”
Azeem Aleem, Director – Advanced Cyber Defence Practice EMEA at RSA Security:
“My advice would be to face these challenges head on and the only way to do this is by having visibility and context. This means conducting a thorough risk assessment, understanding the dependencies between systems, using threat detection to monitor and alert on attacks, and contextualising results with business context in order to prioritise events.
“Critical infrastructure companies are often dependent on legacy infrastructures with complex dependencies, and little visibility. They are unable to correlate security events to specific business outcomes – a problem we call the ‘Gap of Grief’. Take the recent wave of WannaCry and Petya attacks; the industry was quick to cry ‘patch’, but actually that isn’t always possible as patching systems without proper testing could actually cause more damage.”
Ori Bach, VP Security Strategy at TrapX:
“In the final analysis, strategies that attempt to defend the perimeter, whether through physical means or policy, are insufficient to provide the comprehensive defence that critical infrastructure demands. Attackers will get through. It is imperative therefore that manufacturers find new and innovative ways to detect ICS attackers early, mitigate the effects of their attack, and then defeat them.
Security teams are well aware of the threats; the additional regulatory scrutiny will make sure they are getting the tools they need to mitigate it.”
Paul Farrington, Manager, EMEA Solution Architects at Veracode:
“Over the past year, we’ve seen a significant shift concerning cybersecurity regulation and putting the responsibility for cyberattacks on organisations where inadequate cybersecurity processes were in place. Whether GDPR or the New York State Department of Financial Services Cybersecurity Regulation, the onus is now being placed on firms to maintain a minimum standard of cybersecurity and to face severe consequences if they suffer a cyberattack as a result of not meeting it.
This regulation extends the reach of GDPR, which is primarily aimed at protecting data rather than services. The planned UK Data Protection Bill enhances the rights of the users by forcing tech firms to delete data about children and adults when requested to do so. The Information Commissioner’s Office (ICO) will be given significant upgrades in powers, to fine firms that fail to meet regulations. The ICO will be able to levy fines of up to £17m, or 4 per cent of a company’s global turnover. The existing Data Protection Act limits fines to £500,000.
Cyber security will now inevitably rise up the agenda in many board rooms, as Brexit will not result in a watering-down of GDPR, actually quite the reverse. In a landscape of increasing cyber breaches, with the UK Government claiming that nearly half of UK firms have been hit by a cyber-attack in the last year – this proposed legislation is very welcome. The government is providing a clear signal to firms operating within the UK, that fines relating to negligence in protecting personal data, will outstrip the cost of doing the right thing in the first place.”
Dr. Malcolm Murphy, Technology Director, Western Europe, at Infoblox:
That’s why it’s important that the government is building on the European GDPR regulations for data protection to introduce greater liability for firms that do not adequately protect against cyberattacks. This, it hopes, will provide the incentive that some firms need to overhaul their cybersecurity strategies and ensure they are completely protected against this new breed of hackers.
However, while a fine will certainly provide an incentive, typical defence systems will not be as effective for our national infrastructure. The reality is that the lifecycle of our infrastructure systems is such that they are not going to be in sync with the rapid rate at which the IT industry discovers vulnerabilities and issues patches.
As part of their defences, firms will need to ensure that they take steps to control and secure their network core, ensuring the ability to indicate unusual or potentially malicious activity not just at a device level, but also at a network level. Given the importance of our national infrastructure, it’s critical that we never compromise our core.
David Emm, Principal Security Researcher at Kaspersky Lab:
“The government is hopeful that these financial penalties will achieve parallel security requirements and sharpen the focus on ‘critical infrastructure’ organisations to ensure that they are properly equipped to defend against the increased risk of cyber-attacks.
The best defence against targeted attacks is a multi-layered approach that combines traditional anti-malware technologies with patch management, host intrusion detection and a default-deny whitelisting strategy. According to a study by the Australian Signals Directorate, 85 per cent of targeted attacks analysed can be stopped by employing four simple mitigation strategies: application whitelisting, updating applications, updating operating systems and restricting administrative privileges.”
Justin Coker, Vice President EMEA at Skybox Security:
“Protecting and securing critical digital national infrastructure presents a real challenge because end-to-end access analysis must be done across hybrid IT and Operational Technology networks. To do this, organisations must obtain accurate visibility of the assets, security controls, policies and any potential vulnerabilities – the attack surface. They need to know when their security has been compromised and redress attack vectors before they can be exploited. Furthermore, security teams need a tool which gives them a context-aware representation of the attack surface so they can ensure teams focus and prioritise the risks that are truly critical to the organization.”
Matt Walmsley, EMEA Director at Vectra:
“In Q1 2017, the healthcare sector received the highest level of attack behaviours (164 detections per 1,000 hosts), compared to 42 incidents in the energy sector, according to our analysis. As seen in recent cases like the Kiev power grid hack, a single cyber breach can take down a whole organisation. Tighter controls on our national infrastructure providers are absolutely essential.
“It’s not the capabilities of cyber attackers we seek to control, rather the risk created by them. To stay ahead of the game, organisations constantly need to be monitoring inside and outside their enterprise to spot the early indicators of compromise. This will enable them to react and mitigate attacks before they become full blown breaches or service outages. That has to be done at scale and at speed to be effective, and artificial intelligence is emerging as a pragmatic solution in this regard.
“Sadly, not every critical service, particularly those of a distributed nature, is equipped to detect and thwart such attacks – whether they’re initiated by cyber criminals or foreign invaders – as evidenced by their repeated failures to defend against run-of-the-mill cyber attacks launched by criminal adversaries.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.