The Department for Culture Media and Sports (DCMS) has launched a consultation that will propose fines as high as £17 million for essential service providers that fail to adequately protect themselves against cyber attacks.
The fines will be seen as a "last resort" and only apply if the organisation is deemed to have not taken appropriate security measures. Organisations that have "assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack" will not face the fines.
The proposals will in the main apply to essential services, likely to include major top level domain name registries, internet exchange point operators and DNS providers, as well as national infrastructure such as NHS trusts, transport, aviation, electricity, gas, and water suppliers.
Read next: 2016's biggest data breaches
Precisely what the adequate security measures entail will be hashed out as part of the consultation. The consultation is open to responses here and will close on 30 September 2017. Security guidance is available on the National Cyber Security Centre website.
Because this is part of the Network and Information Systems (NIS) directive the consultation covers loss of service, as opposed to the loss of data, which will fall under the remit of the GDPR. Both the NIS directive and GDPR come into effect in May 2018.
The public consultation document notes that digital operators covered by the NIS directive broadly covers search engines, online marketplaces and cloud providers.
Cloud service providers included under the NIS definition include Infrastructure-as-a-Service (IaaS) providers, Platform-as-a-Service (PaaS) providers and Software-as-a-Service (SaaS) providers. But providers that employ less than 50 employees and turn over under £10 million will be automatically excluded.
Any cloud provider or digital operator worth their salt should be implementing solid security policies by now –awareness of the importance of cyber security at the C-Suite level still has a long way to go but is steadily growing.
The fines will likely be received as a warning that the government is taking security seriously, and also act as a way to further foster information sharing across industries and between industry and government.
How to avoid the DCMS fines
Fujitsu's head of continuity and resilience for the UK and Ireland, Sarah Armstrong-Smith, said the fines should serve as a wake up call to businesses that are still not taking basic security precautions, such as changing default passwords. The fines will “hopefully wake organisations up to the seriousness of the consequences from a financial standpoint, never mind a reputational one”, she said.
The statement signals an understanding from the government that security compromises are not entirely avoidable, but that risk assessments and other mitigation procedures can limit the extent of the damage.
“In security we talk about when, not if, a security breach will occur but that does not mean organisations shouldn't be taking the necessary precautions to limit the potential impact of a breach,” Armstrong-Smith said.
The proposals coincide with yesterday's announcement of the Data Protection Bill, to bring government data policy in line with the GDPR.
“The fast-approaching implementation of GDPR will oblige organisations to carry out thorough preparations of their systems,” Armstrong-Smith added. “Organisations should also use this as an opportunity to get all of their cyber measures in place, not just their data.”
Azeem Aleem, director for Advanced Cyber Defence EMEA at RSA, highlighted that protecting critical infrastructure is a matter of national security, but noted that there will be considerable complexities organisations will have to consider.
“Firstly, it's only in recent years that old manual systems have been digitised and connected,” Aleem said. “For years prior the whole focus has been on physical security, which means these companies are often years behind those in banking and retail. So they have a long way to go if they are to comply with the directive.
“My advice would be to face the challenges head on, and the only way to do this is by having visibility and context. This means conducting a thorough risk assessment, understanding the dependencies between systems, using threat detection to monitor and alert on attacks, and contextualising results with business context, in order to prioritise events.”