Over a third of UK critical infrastructure (CNI) firms haven’t yet met baseline security standards provided by the government, exposing them to serious cyber-threats and potentially huge fines under new EU laws, according to Corero Network Security.
The vendor sent Freedom of Information (FOI) requests to over 300 CNI firms in March, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organizations.
Of the 163 that responded, 39% admitted to not having completed the government’s “10 Steps to Cybersecurity” program, which recommends implementation of basic controls such as user education, malware protection, access controls and incident management.
Among NHS organizations the figure was even higher: 42% had not completed the program.
“Cyber-attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society,” said director of product management, Sean Newman.
“These findings suggest that many such organizations are not as cyber-resilient as they should be, in the face of growing and sophisticated cyber-threats.”
The revelations could mean large fines for such firms if they are breached and found to have failed to implement basic security, under the new Network and Information Security (NIS) Directive.
Like the GDPR, NIS will give regulators the power to levy fines of up to £17m or 4% of global annual turnover for serious infractions.
What’s more, the study revealed that over half (51%) of CNI firms in the UK are exposing themselves to unnecessary risk by failing to detect or mitigate short-duration DDoS attacks.
These so-called 'stealth' attacks are increasingly used by cyber-criminals to target, map and infiltrate networks, the firm claimed.
Some 90% of DDoS attack attempts stopped by Corero during Q1 2017 were less than 30 minutes in duration, and 98% were less than 10 Gbps in volume.