The NIS Directive - has it blown over all of our heads?

Long before the GDPR came into force on 25th May this year, it was on the mind of everyone in the industry. Another equally important piece of regulation, the NIS Directive, came into effect with comparatively little noise. Under the UK regulations that implement it, organisations designated as operators of essential services could be fined up to £17m if they fail to put robust cybersecurity measures in place. This does not only affect sectors such as healthcare and energy; it also covers passenger and freight transport, water, and digital service providers. These essential businesses need to make sure that the NIS Directive has not blown over their heads and must take the appropriate steps to ensure that they are compliant.

The potential fine is not the only reason that affected businesses need to take this regulation seriously. As the National Cyber Security Centre (NCSC) has previously warned, cybercriminals are targeting the UK's critical national infrastructure more frequently, and further attacks are highly likely. The WannaCry ransomware attack that disrupted large parts of the NHS last year is an example of the kind of damage cybercriminals can cause: medical staff were forced to fall back on pen and paper, and some affected GP surgeries had to turn patients away. The potential damage of future attacks is more frightening still. In healthcare, for example, there is the risk of patients' drug dosages being changed remotely by attackers, or of sensitive data being accessed through older networked devices such as medical scanners. Despite this, shortly before the regulation came into force in May, it was reported that 70% of the UK's critical national infrastructure organisations may not have been compliant with the Directive and could therefore be liable for fines. If the full penalty were imposed on each of these organisations, the UK economy would face fines totalling over £2.5 billion.

To remain compliant, operators of essential services must abide by a number of key stipulations. The Directive makes qualifying organisations responsible for their own compliance and expects them to promote and develop a culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks identified. Businesses must also take appropriate and proportionate technical and organisational measures to secure their networks and information systems, and to minimise the impact of any security incident on the essential service. Finally, while the Directive itself does not set a fixed timeframe for reporting incidents in the way the GDPR does (the GDPR requires personal data breaches to be notified to the supervisory authority within 72 hours of the organisation becoming aware of them), it does require organisations to report incidents with a significant impact on the essential service "without undue delay".

Arguably, the reporting requirement is the part that will cause businesses the most difficulty. In today's IT and security landscape, departments are heavily siloed, which makes it extremely hard to report an incident both quickly and comprehensively without either duplicating effort or missing something. A drive towards unifying IT and security, supported by automation that handles routine tasks, reduces human error, and lifts the burden of detection and investigation from already overstretched teams, can help organisations meet this part of the regulation.

The NIS Directive needs to be treated with the same level of importance as the GDPR. That means compliance must become part of the business-wide strategy and integral to an organisation's daily operations. For this to happen, critical service organisations need to build a culture of cybersecurity from the ground up, which includes securing buy-in from the C-suite and breaking down silos both within technical departments and across the business as a whole. A security-conscious business should see every department, from IT and security to HR and the C-suite, working together to embed this culture of risk management throughout the organisation. In this way essential services, and indeed all businesses, can not only remain compliant with the NIS Directive but also protect their assets from the threats that cybercriminals pose in this digital age.

The topic of Governance, Risk and Compliance will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.