UK critical services need to up cyber defences to avoid fines

UK critical infrastructure providers could be liable for fines of millions of pounds if they do not improve their cyber defences and the resilience of their IT infrastructure, a study reveals.

More than two-thirds of UK critical infrastructure organisations (70%) have suffered service outages on their IT networks in the past two years, freedom of information (FoI) requests have revealed. If their cyber defence capability is not improved soon, these organisations could face fines under the new UK rules which come into force soon, according to a study by Corero Network Security.

After 9 May 2018, when the European Union’s (EU’s) Network and Information Systems (NIS) Directive is implemented into UK law, such outages would have to be reported to regulators, which have the power to impose financial penalties of up to £17m where infrastructure operators have failed to protect themselves against loss of service.

Had the service outages reported in the past two years occurred after the new legislation is introduced, and had all the affected organisations been deemed to have failed to protect themselves, the total fines for all affected organisations would have been in excess of £2.5bn.

The FoI requests were sent by Corero, in January and February 2018, to 312 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers, transport organisations and water authorities. In total, 221 responses were received, with 155 admitting to having suffered a service outage on their networks in the past two years.

In addition, more than a third (35%) of the service outages reported in the study were believed to have been caused by a cyber attack.
