In March of last year, the UK’s National Audit Office (NAO) reported extensive failings in the Government’s plans to protect the nation’s critical infrastructure from cyber-attacks. The NAO’s report recognised that delivering the Government’s current cyber defence strategy was a ‘complex challenge’, and that the Government faced a real challenge in concentrating its efforts ‘to make the biggest impact or address the greatest need’. This is not surprising, with geopolitical instability currently intensifying cyber risk across the globe.
It is now a reality that the UK relies completely on the availability, security, and reliability of technology; more specifically, on the networks and information systems (NIS) that underpin our essential services. As our reliance on technology grows, the failure of these systems can have a bigger impact – and increasingly sophisticated cyber security threat actors are seeing more opportunities than ever to compromise vital digital systems. Whilst there are various global security frameworks providing standards and guidance which organisations should implement to protect IT systems, these are not always ingrained in actual laws. In fact, such guidance may often only be considered voluntary.
- Empty list
The EU realised that member states need to be more forward thinking and that there was an obvious requirement for legislation that is responsive to the changing nature of the threat landscape. The NIS Directive (2016) was introduced as a clear message to member states to take cyber security seriously. In contrast to the recent GDPR legislation, the directive drives good cyber security to improve the resilience of our essential services. It is up to each member state to form its own laws that will dictate how these requirements will be achieved.
Whilst relevant to all industries, the NIS Directive is only applicable to essential services. But as with the directive itself, the term ‘essential services’ is free for member states to interpret in their own way. We all know essential services to be those necessary to public needs; utilities, healthcare, emergency services – the list goes on. But the opportunity provided by the NIS Directive has seen some countries go beyond the base requirements of the legislation and define additional sectors as ‘essential’ to compel other organisations and digital service providers to pay more attention to cyber risk.
In May of last year, the UK regulations addressing the requirements of the directive came into force as the Network and Information Systems Regulations 2018 (NIS Regulations). The new legislation was part of the Government’s £1.9 billion National Cyber Security Strategy ‘to protect the UK in cyber space and make the UK the safest place to live and work online’. In issuing the new legislation, the UK government required compliance from not only essential services (which they define as transport, energy, water, health and digital infrastructure) but also network and information systems that are critical for the provision of digital services (online market places, online search engines, and cloud computing services).
Growing cyber threats
Now more than ever, the threats that organisations providing these digital services are being measured against are commonplace. The world is increasingly shifting to higher levels of connectivity – from offline to online, from local to cloud. By 2022, there will be around 42 billion connected devices worldwide, and with this increased exposure comes increased risk. Technology is becoming more accessible to lower level cyber criminals and the breaching capability for more general financially-motivated hackers is strengthening. In other words, as more and more things are being connected, the level of connectivity becomes directly proportional to the threat vector.
Add to this that many organisations are currently experiencing a significant amount of IT investment debt. Many applications utilised by organisations are carrying legacy risk, such as old applications that can’t be replaced due to operational necessity. In many cases, organisations attempt to patch software and applications that are out-of-date, but this is unsustainable. Bolting on security after the fact is harder and less reliable. There is a huge amount of understanding of the organisation’s digital assets and the lifecycle needed to keep configuration management up-to-date. It isn’t easy, and it can take a lot of effort.
Which begs the question, what can organisations do to avoid or manage security debt and keep up with future requirements of best practice?
- Assess your current maturity and how you match up to NCSC’s Cyber Assessment Framework (CAF). NCSC have invested in the development of this framework to assist regulators and operators of essential services in knowing ‘what good looks like’. Tapping in to this resource will allow you to decide where the gaps are and prioritise investment.
- Conduct due diligence through your supply chain. It is vital your cyber security strategy extends beyond your own organisation, down your supply chain. Take the time to understand the extent of your supply chain and check all supplier organisations are adhering to the rules and regulations.
- Continually invest in applications to ensure you run on modern up-to-date environments. It involves continuous effort, but unless you do this you will perpetuate the risk of being breached and cause significant reputational and operational damage to your business.
- Ensure cyber security is part of everything you do. Organisations looking to take advantage of new emerging technologies need to bake security into everything they do right from the start. If an organisation has an evolved approach to cyber security, this can be a real enabler for them to find further opportunities for them to succeed.
Ensuring your organisation has a proactive approach to security will not only allow you to be bolder in your delivery. It will also allow you to be more confident, more ambitious and most importantly, more innovative.
Richard Holmes, Head of Cyber Security Services at CGI UK
- We've also highlighted the best antivirus