Public and private sector organisations running critical infrastructure must improve their defences against cyber-attack or face massive fines, the government has warned. Fines of up to £17 million will be levied on organisations that fail to meet the 14 key principles of cybersecurity set out in the Network and Information Systems (NIS) Directive, and that fail to take reasonable steps to protect vital systems from attack.
The announcement from the Department for Digital, Culture, Media and Sport, along with the National Cyber Security Centre (NCSC) came as the NCSC issued guidance on the required standards of protection, alongside information on who will be required to apply the standards, which will be introduced into law. Alongside government infrastructure, the requirements also extend to private companies in sectors identified as being of strategic importance, including energy and fuel suppliers, railway companies and certain airlines. “Our new guidance will give clear advice on what organisations need to do to implement essential cybersecurity measures,” said Ciaran Martin, CEO of the NCSC. “Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible.”
Although the changes result from a long-planned EU Directive, they come after a year filled with high-profile cyber-attacks, including the WannaCry ransomware attack on the NHS, which crippled several hospitals. At the time many IT security experts were critical of security and patching protocols at many trusts, with some alleging that the use of outdated hardware and software left the health service vulnerable to the attack. Under the new rules the WannaCry incident would have had to be reported to the regulator, which would have the power to force improvements to security protocols and to levy fines if it found an organisation had been negligent. “We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services,” Minister for Digital Margot James commented.
The introduction of the NIS Directive is just one of a string of measures bringing cybersecurity to prominence in 2018. GDPR, which comes into force on May 25th, requires firms that hold personal data to adopt “data protection by design and by default” and introduces penalties of up to €20 million (or 4% of global annual turnover, whichever is higher) for breaches of its data security obligations. As a result even huge firms are having to radically overhaul their protocols: “Our preparations for GDPR touch every part of our company,” Julie Brill, a deputy general counsel at Microsoft, told The New York Times.
Less well heralded, but with perhaps as broad an effect on cybersecurity, are changes to the data security standards for handling credit and debit card information being introduced by the Payment Card Industry (PCI). The new standard, known as PCI DSS 3.2, comes into force this Thursday (February 1st), and introduces new security requirements and a requirement to demonstrate continuous compliance, rather than compliance only at an annual audit. These rules, which affect most organisations that take or hold card payment details, are a step forward in consumer protection. Geoff Forsythe, CTO of PCI Pal, a company that offers PCI DSS solutions, explains: “The industry has developed a culture of ‘compliance cramming’, treating PCI as an annual exam to be passed without working towards a culture of continuous compliance. For businesses in this ‘annual pass’ group, PCI DSS 3.2 could be a rude awakening because it requires evidence of continuous compliance instead of a pass/fail.”
With rules tightening and penalties rising, demand for IT security experts is likely to keep growing as these regulatory changes take effect.