Following recent high-profile cyber-attacks, the government is consulting on additional measures to improve cyber-security for British businesses. If passed, the proposals will force more businesses to adhere to stronger cyber-security obligations, with stiff penalties for non-compliance.
Cyber-attacks are becoming more common. In a recent attack against Microsoft Exchange Servers, attackers gained access to user emails, passwords, and administrator rights. It is estimated that 250,000 servers worldwide were compromised, including 7,000 in the United Kingdom. This attack highlights how cybercriminals can exploit flaws in third-party products and services, with the result that hundreds of thousands of businesses can be affected at the same time.
The government’s policies aim to protect critical services as well as the rest of the economy against cyber-threats.
The Proposed Rules Explained
The Network and Information Systems (NIS) Regulations were enacted in 2018 to improve the cyber-security of businesses that provide critical services like water, transportation, healthcare, and digital infrastructure. Organizations that fail to implement effective cyber-security measures may be penalised up to £17 million under these provisions.
According to a study conducted by the Department for Digital, Culture, Media & Sport, just 12% of organisations examine the cyber-security risks posed by their immediate suppliers. Furthermore, only 5% of companies address supply chain vulnerabilities.
The government plans to update the NIS Regulations and widen the list of companies in their scope, proposing to:
- Extend the regulations’ reach to cover Managed Service Providers (companies that manage IT services on behalf of other organisations).
- Update the regulatory framework such that the most vital digital service providers must proactively demonstrate compliance.
- Allow the regulations to be amended more easily in the future and, if necessary, expand the scope of the restrictions.
- Ensure that all expenses incurred by regulators such as Ofcom, Ofgem, and the Information Commissioner’s Office in enforcing the NIS Regulations are shifted from the taxpayer to the organisations covered by the legislation.
- Require major companies to offer better cyber-incident reporting so that regulators are notified of any cyber-attack, not just those that affect the company’s services.
The cyber-threat of ransomware is on the rise. According to data, these forms of cyber-attacks have surged 1,000% in the last year. This video might assist businesses in comprehending current ransomware trends…
Driving Up Cyber-security Standards
The UK Cyber Security Council was created in March 2021 by the government to guide the cyber-workforce and raise standards in the cyber-security sector.
The supply of cyber-skills is struggling to keep up with the UK’s expanding IT sector. According to GOV.UK, 50% of all UK enterprises report a shortage of fundamental technical cyber-skills. Furthermore, 37% of all openings listed in the cyber-sector have proven difficult to fill due to a lack of technical skills and experience.
The government’s plans would empower the UK Cyber Security Council to raise the bar and develop a set of agreed-upon qualifications and certifications for cyber-security professionals. As a result, employees will be able to demonstrate that they are sufficiently equipped to protect firms online.
Cyber-attacks are frequently possible because thieves take advantage of flaws in digital supply chains. The government’s measures aim to boost cyber-resilience throughout the economy.
Minister of State for Media, Data and Digital Infrastructure Julia Lopez said, ‘Every UK organisation must take their cyber-resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra’.