The UK Government has today announced new measures to boost British businesses' cyber security after recent high-profile attacks.
- More firms providing essential digital services should follow strict cyber security duties with large fines for non-compliance
- Other legislative proposals include improved incident reporting and driving up standards in the cyber security profession
New laws are needed to drive up security standards in outsourced IT services used by almost all UK businesses, the government says. Other proposals being published today include making improvements in the way organisations report cyber security incidents and reforming legislation so that it is more flexible and can react to the speed of technological change. The UK Cyber Security Council, which regulates the cyber security profession, also needs powers to raise the bar and create a set of agreed qualifications and certifications so those working in cyber security can prove they are properly equipped to protect businesses online.
After witnessing high-profile attacks such as the SolarWinds and Microsoft Exchange Server attacks, which used vulnerabilities in third-party products used by businesses, it is clear that this is an area which requires constant review and increased security protection. Essential services are desperately in need of better protection, so these new laws will help direct businesses into a more secure offering with the help and direction required. Laws may often seem like they do not go far enough, but digital crime is fast paced and the goalposts constantly move, making such plans difficult to project or even out of date by the time they land. However, this is another step in the right direction towards providing better cyber-incident reporting, which helps protect other businesses from future attacks.
Most modern organisations are, in reality, distributed operations where online storefronts, payment processors, inventory management and even staff management occur using third-party services, even for the smallest of businesses. Since management of these services is often outside the areas of expertise of a business, it's not uncommon to find businesses using Managed Service Providers (MSPs) as outsourced providers of digital services. Extending NIS regulations to include MSPs will assist smaller businesses in attaining a higher level of cyber resilience, where the recent Log4Shell vulnerability illustrated that cyber resilience is a function of how well software supply chains are understood. Unfortunately, few organisations review the cyber security risks within their immediate software supply chain. By requiring larger companies to report all cyber-attacks they experience, the proposed NIS regulations are effectively encouraging risk assessments within software supply chains, as software risk is business risk.
From the Government's Integrated Review through to the National Cyber Strategy, we welcome the focus on improving cyber security and resilience in the United Kingdom. We have seen a marked increase through 2021 in ransomware and supply chain attacks in the UK, and remain concerned over the level of preparedness of UK businesses. Driving greater awareness, the uptake of fundamental standards, improving resilience within essential and digital services, driving greater accountability for cyber security in business, and driving clarity and transparency in the cyber security profession will all go some way to raising awareness, standards and accountability and improving the UK's cyber security posture. As the UK's leading Managed Security Services provider focused on exceptional security of service, we are also supportive of the drive for transparency of cyber security measures for critical providers of digital technology services.