
NotBeingPetya: UK critical infrastructure firms face huge fines for lax security

Makes you WannaCr... we mean WannaPatch

The UK government has announced that businesses providing essential services like energy and transport could be fined as much as £17m or 4 per cent of global turnover for failing to have effective cyber security measures in place.

The proposals from the Department for Digital, Culture, Media & Sport satisfy requirements under the EU Network and Information Systems (NIS) Directive, which comes into effect next May. Critical infrastructure firms will also be required to show they have a strategy to cover power failures and environmental disasters.

The NIS Directive relates to loss of service rather than loss of data, which falls under the General Data Protection Regulation (GDPR). The UK proposals would set the maximum fine for the most severe outages at critical infrastructure organisations at the same level as the strictest fines imposed under GDPR.

Organisations that provide water, energy, transport and health services - whose vulnerabilities were exposed by the recent WannaCry(pt) and NotPetya ransomware attacks - are in the government’s line of sight. “Fines would be a last resort, and they will not apply to operators that have assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack,” a government statement explains.

DCMS launched a consultation on its plans on Tuesday.

James Chappell, CTO and co-founder of threat intel firm Digital Shadows, said that UK government proposals go further than what’ll be required to achieve NIS Directive compliance.

“When the UK made its decision to leave the EU one of the concerns within the cyber security industry was that it would choose not to enact the regulatory commitments the country really needs to toughen up its cyber defences,” Chappell explained.

“In fact the opposite has been the case. The UK interpretation of the NIS Directive has put forward equivalent fines to those mandated by the General Data Protection Regulation. Today’s announcement pertaining to critical national infrastructure goes further than is required by the EU under the Network and Information Systems (NIS) Directive.”

Other vendors argue the tougher rules should be seen as a spur for organisations to improve their security policies rather than solely punitive.

“In security we talk about when, not if, a security breach will occur, but that does not mean organisations should not be taking all the necessary precautions to limit the potential impact of a breach,” said Sarah Armstrong-Smith, head of continuity & resilience at Fujitsu UK & Ireland. “In fact, the fast approaching implementation of GDPR will oblige organisations to carry out thorough preparations of their systems. Organisations should also use this as an opportunity to get all of their cyber measures in place, not just their data.” ®
