News broke this morning that the UK government have announced proposals to impose severe financial penalties on companies with poor cybersecurity plans in place, with fines reaching up to £17 million. IT security experts commented below.
Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:
“Essentially what the directive sets out to do is to drive security. In my experience a large proportion of organisations are not very good at responding to incidents and on average it’s 205 days before a breached entity is able to detect a breach, and they often do not detect even it themselves. The NIS directive sets out measures designed to ensure critical IT systems in critical sectors of the economy like banking, energy, health and transport are secure so its shocking that not more organisations are concerned about or talking about it over or in addition to GDPR.
Some further points on the directive:
- Member states preparedness by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority.
- It also requires cooperation among all the member states, by setting up a cooperation group, in order to support and facilitate strategic cooperation and the exchange of information. They will also need to set a CSIRT Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.
- A culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the member states as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. Also key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with the security and notification requirements under the new directive.
Dean Ferrando, Systems Engineering Manager (EMEA) at Tripwire:
These fines will act as a stark reminder that cyber security should be taken seriously. However, by implementing a defence system that focuses on the fundamentals; the people, the process and the technology, enterprises can already take the necessary steps to greatly reduce the risk of suffering a cyber attack and being fined, which could potentially put a company out of business.
By educating the workforce, companies can reduce the risk of successful cyber-attacks which use methods like phishing and URL drive-by, which can also help users identify unusual system activity that may result from malicious action. Incident Response is just one example of where a well-defined and regularly practised process can make a huge difference to the outcome of an incident, possibly preventing that incident from becoming a breach. Technology, such as encryption and dual factor authentication, forms a large part of the Foundational Controls necessary to support a defence-in-depth security solution. Organisations also need to make sure that they have robust backup solutions and processes in place. Not running regular backup / restore tests could also leave them open to a single point of failure should there be any errors in the daily tasks. Only discovering these errors during a live failover could be classed as a major risk. On that note, all backup procedures should also factor in taking the backups offline during non-backup runs to avoid malware sneaking its way onto the backup sets to be reinstalled when a failover procedure is implemented. To stay one step ahead, organisations need to continuously implement risk assessments of the business, systems and data to uncover any unknown vulnerabilities.
Bill Evans at One Identity:
“It seems that this action is really a reaction to several changes befalling the UK recently. First, as the UK departs the EU, it is taking proactive steps to protect information in the online world. This means that the UK must conjure up legislation which closely mimics the EU’s GDPR, which is slated to take effect next year. At the same time, the UK was brutally hit with the WannaCry virus earlier this year negatively impacting several operators, notably the NHS.
This particularly piece of legislation appears to be a reaction to both of those events. First, the fines being contemplated by this piece of legislation are material, much like those being imposed by GDPR. In addition, the fines are not absolute. Consideration will be given for organizations that have taken steps to mitigate cyberrisk, even if a security breach befalls the organization. Secondly, whereas GDPR and similar legislation being proposed in the UK focus on citizen data, this new piece of legislation focuses on “continuation of service.”
In general, legislation of this type sounds great at the surface, but the “devil is in the details.” What does it mean to take steps to prevent a cyber-induced stoppage in service? Does it include specific technologies like multi-factor authentication and privileged management but not access governance? Is access governance part of the base capabilities an organization should enact? It should be noted that the UK government is holding workshops with operators so they can provide feedback on the proposal. Ideally this type of communication will remove the devil as the details are defined.”
Azeem Aleem, Director – Advanced Cyber Defence Practice EMEA at RSA Security:
“Our critical infrastructure is just that, critical. Protecting it is a matter of national security. Yet cybersecurity is often more complex within these environments. Firstly, it is only in recent years that old manual systems have been ‘digitised’ and connected. For years prior the whole focus has been on physical security, which means these companies are often years behind those in banking and retail, per se. So they have a long way to go if they are to comply with the directive.
“My advice would be to face these challenges head on and the only way to do this is by having visibility and context. This means conducting a thorough risk assessment, understanding the dependencies between systems, using threat detection to monitor and alert on attacks, and contextualising results with business context in order to prioritise events.
“Critical infrastructure companies are often dependent on legacy infrastructures with complex dependencies, and little visibility. They are unable to correlate security events to specific business outcomes – a problem we call the ‘Gap of Grief’. Take the recent wave of WannaCry and Petya attacks; the industry was quick to cry ‘patch’, but actually that isn’t always possible as patching systems without proper testing could actually cause more damage.”
Ori Bach, VP Security Strategy at TrapX:
|“Industrial control systems (ICS) are the prime target for cyber attackers seeking to compromise the manufacturing base and public utilities. The legacy of old embedded Microsoft® operating systems provide attackers a well-protected safe harbour from which to launch their attack and establish “backdoors” to compromise the enterprise. Attackers have proven that they can successfully work through a multi-layer cyber defence, strict user access policies, links filtered through corporate network firewalls, and even air-gapped perimeter defences.|
In the final analysis, strategies that attempt to defend the perimeter, whether through physical means or policy, are insufficient to provide the comprehensive defence that critical infrastructure demands. Attackers will get through. It is imperative therefore that manufacturers find new and innovative ways to detect ICS attackers early, mitigate the effects of their attack, and then defeat them.
Security teams are well aware of the threats, the additional regulatory scrutiny will make sure they are getting the tools they need to mitigate it”
Paul Farrington, Manager, EMEA Solution Architects at Veracode:
“Over the past year, we’ve seen a significant shift concerning cybersecurity regulation and putting the responsibility for cyberattacks on organisations where inadequate cybersecurity processes were in place. Whether GDPR or the New York State Department of Financial Services Cybersecurity Regulation, the onus is now being placed on firms to maintain a minimum standard of cybersecurity and to face severe consequences if they suffer a cyberattack as a result of not meeting it.
This regulation extends the reach of GDPR, which is primarily aimed at protecting data rather than services. The planned UK Data Protection Bill enhances the rights of the users by forcing tech firms to delete data about children and adults when requested to do so. The Information Commissioner’s Office (ICO) will be given significant upgrades in powers, to fine firms that fail to meet regulations. The ICO will be able to levy fines of up to £17m, or 4 per cent of a company’s global turnover. The existing Data Protection Act limits fines to £500,000.
Cyber security will now inevitably rise up the agenda in many board rooms, as Brexit will not result in a watering-down of GDPR, actually quite the reverse. In a landscape of increasing cyber breaches, with the UK Government claiming that nearly half of UK firms have been hit by a cyber-attack in the last year – this proposed legislation is very welcome. The government is providing a clear signal to firms operating within the UK, that fines relating to negligence in protecting personal data, will outstrip the cost of doing the right thing in the first place.”
Dr. Malcolm Murphy, Technology Director at Western Europe at Infoblox:
As the devastation caused by WannaCry and NotPetya has shown, cyberattacks are evolving to impact reap maximum destruction by spreading as widely and fast as possible. The attack vectors being employed are not necessarily new or more sophisticated, for instance targeting vulnerable Windows XP operating systems.
That’s why it’s important that the government is building on the European GDPR regulations for data protection to introduce greater liability for firms that do not adequately protect against cyberattacks. This, it hopes, will provide the incentive that some firms need to overhaul their cybersecurity strategies and ensure they are completely protected against this new breed of hackers.
However, while a fine will certainly provide an incentive, typical defence systems will not be as effective for our national infrastructure. The reality is that the lifecycle of our infrastructure systems are such that they are not going to be in sync with the rapid rate at which the IT industry discovers vulnerabilities and issues patches.
As part of their defences, firms will need to ensure that they take steps to control and secure their network core, ensuring the ability to indicate unusual or potentially malicious activity not just at a device level, but also at a network level. Given the importance of our national infrastructure, it’s critical that we never compromise our core.
David Emm, Principal Security Research at Kaspersky Lab:
“These proposals, which form the UK’s implementation of the EU Network and Information Systems Directive, can be seen as a complement to the GDPR and the new Data Protection Bill, but with the focus on availability rather than data privacy. Companies providing essential services would face severe fines for failing to secure their systems of up to £17 million, or 4% of their global turnover, if they fail to take measures to prevent cyber-attacks that could result in major disruptions.
The government is hopeful that these financial penalties will achieve parallel security requirements and sharpen the focus on ‘critical infrastructure’ organisations to ensure that they are properly equipped to defend against the increased risk of cyber-attacks.
The best defence against targeted attacks is a multi-layered approach that combines traditional anti-malware technologies with patch management, host intrusion detection and a default-deny whitelisting strategy. According to a study by the Australian Signals Directorate, 85 per cent of targeted attacks analysed can be stopped by employing four simple mitigation strategies: application whitelisting, updating applications, updating operating systems and restricting administrative privileges.”
Justin Coker, Vice President EMEA at Skybox Security:
“The consultation is welcome on NIS because, to comply, many organisations will need to review their own systems to keep pace with its requirements. The government is saying severe fines will be levied unless an organisation can prove it assessed the risks adequately. But, too often there is no visibility of where the threats and vulnerabilities are. The attack surface is now more complex than ever, so organisations need to move away from traditional thinking and develop a clear picture of the long-term security goals, and plan the security program in a structured and logical way.
“Protecting and securing critical digital national infrastructure presents a real challenge because end-to-end access analysis must be done across hybrid IT and Operational Technology networks. To do this, organisations must obtain accurate visibility of the assets, security controls, policies and any potential vulnerabilities – the attack surface. They need to know when their security has been compromised and redress attack vectors before they can be exploited. Furthermore, security teams need a tool that which gives them a context-aware representation of the attack surface so they can ensure teams focus and prioritise the risks that are truly critical to the organization.”
Matt Walmsley, EMEA Director at Vectra:
“The NHS, utilities and transport networks are a critical part of UK’s infrastructure, making them highly priced targets for cyber criminals. Similar to GDPR, these new proposals will help ensure organisations enforce robust security protection and data management systems.
“In Q1 2017, the healthcare sector has received the highest level of attack behaviours (164 detections per 1,000 hosts), compared to 42 incidents in the energy sector, according to our analysis. As seen in recent cases like the Kiev power grid hack, a single cyber breach can take down a whole organisation. Tighter controls on our national infrastructure providers are absolutely essential.
“It’s not the capabilities of cyber attacker we seek to control, rather the risk created by them. To stay ahead of the game, organisations constantly need to be monitoring inside and outside their enterprise to spot the early indicators of comprise. This will enable them to react and mitigate attacks before they become full blown breaches or service outages. That has to be done at scale and at speed to be effective, and artificial intelligence is emerging as a pragmatic solution in this regard.
“Sadly, not every critical service, particularly those of a distributed nature isequipped to detect and thwart such attacks – whether they’re initiated by cyber criminals or foreign invaders – as evidenced by their repeated failures to defend against run-of-the-mill cyber attacks launched by criminal adversaries.”