New laws proposed to strengthen UK’s fight against cyber crime
New laws are needed to drive up security standards in outsourced IT services used by almost all UK businesses, the government has said this afternoon.
To make the UK more secure and help prevent such attacks, the government is aiming, through new legislation, to take a stronger approach to getting at-risk businesses to improve their cyber resilience as part of its new £2.6bn National Cyber Strategy.
Network and Information Systems (NIS) Regulations came into force in 2018 to improve the cyber security of companies which provide essential services such as water, energy, transport, healthcare and digital infrastructure. Organisations which fail to put in place effective cyber security measures can be fined as much as £17m.
The NIS regulations require essential service providers to undertake risk assessments and put in place reasonable and proportionate security measures to protect their network. They have to report significant incidents and have plans to ensure they quickly recover from them.
While the regulations already apply to some digital services, such as online marketplaces, online search engines and cloud computing, there has been an increase in the use of, and dependence on, digital services to meet corporate needs such as information storage, data processing and running software.
Research by the Department for Digital, Culture, Media and Sport has revealed that only 12 per cent of organisations review the cyber security risks coming from their immediate suppliers and only one in twenty firms address the vulnerabilities in their wider supply chain.
The government has therefore launched a consultation this afternoon on proposals to amend the NIS regulations. These include expanding the regulations’ scope, requiring large companies to provide better cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO, as well as a number of other measures.
The government has also said that the UK Cyber Security Council, which regulates the cyber security profession, needs powers to raise the bar and create a set of agreed qualifications and certifications so those working in cyber security can prove they are properly equipped to protect businesses online.
The plans follow recent high-profile cyber incidents, such as the attacks on SolarWinds and on Microsoft Exchange servers, which showed that vulnerabilities in the third-party products and services used by businesses can be exploited by cybercriminals and hostile states, affecting hundreds of thousands of organisations at the same time.
They also follow an increase in ransomware threats to organisations, including some in critical national infrastructure such as the Colonial Pipeline attack in the US.
Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez, said:
Cyber attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched.
The plans we are announcing today will help protect essential services and our wider economy from cyber threats.
Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.