Two-fifths of critical infrastructure organisations in the UK have not completed a cyber security standards programme mandated by the government.
Many critical infrastructure organisations are not mitigating short-term DDoS attacks, thereby inviting malware intrusions and data theft.
Data obtained by security research firm Corero through a Freedom of Information request has revealed that as many as 39% of critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers, and transport organisations, have not completed the government-mandated '10 Steps to Cyber Security' programme.
If these organisations do not complete the programme by May next year and suffer cyber-attacks that result in loss of data, they will be liable to pay fines of up to £17m, or four percent of their global turnover. This penalty will be mandated by the government's proposal to implement the EU’s Network and Information Systems (NIS) directive by next year.
Of the 163 organisations that responded to Corero's Freedom of Information request, 63 organisations admitted that they had not completed the cyber security programme. Among NHS trusts, 42% admitted not having completed the programme.
This is despite the fact that the 10-step cyber security programme was published back in 2012. According to Corero, this indicates 'a lack of cyber resilience within organisations which are critical to the functioning of UK society'.
A government consultation on the EU's Network and Information Systems (NIS) directive has also identified Distributed Denial of Service (DDoS) attacks as a serious security and availability challenge for operators of essential services. Yet a little over half of all critical infrastructure organisations are unable to detect or mitigate short-duration DDoS attacks, which make up as much as 90% of all DDoS attacks.
According to Corero, short-term or low-volume DDoS attacks are frequently used by attackers to probe, map and infiltrate networks, because their short duration and low bandwidth make them harder to detect than sustained, high-volume floods. Hence, the inability of critical infrastructure organisations to detect or mitigate them presents a serious threat to their operations as well as to their data.
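The detection gap described above, as an added example that is not code from the article or from Corero: a detector that averages packet rates over a long window dilutes a ten-second burst below its alert threshold, while a sliding short window flags it. The per-second packet counts are constructed, and the window sizes and threshold are illustrative assumptions.

```python
"""Short-burst DDoS detection over per-second packet counts (added example).

Constructed input: 300 seconds of background traffic at 100 packets/second
with a 10-second burst of 3000 packets/second starting at t=60. This is not
real telemetry; it stands in for the "short, surgical" pattern the article
describes. Assumes one contiguous record per second.
"""
from typing import Dict, List, Tuple

# (timestamp_seconds, packets observed in that second) - constructed data
CONSTRUCTED_FLOWS: List[Tuple[int, int]] = [
    (t, 3000 if 60 <= t < 70 else 100) for t in range(300)
]


def long_window_average_pps(flows, window_s: int = 300) -> Dict[int, float]:
    """Coarse detector: average packets/second per fixed-size window.

    Returns {window_start_second: average_pps}. A 10 s burst inside a
    300 s window is diluted thirty-fold, so a threshold alert tuned on
    this view (e.g. 1000 pps) never fires.
    """
    totals: Dict[int, int] = {}
    for t, pkts in flows:
        start = (t // window_s) * window_s
        totals[start] = totals.get(start, 0) + pkts
    return {start: total / window_s for start, total in totals.items()}


def detect_bursts(flows, window_s: int = 5,
                  threshold_pps: int = 1000) -> List[Tuple[int, int]]:
    """Sliding-window detector for short, low-volume bursts.

    Averages each run of `window_s` consecutive seconds and returns merged
    (start, end) second intervals covered by alerting windows. Edges are
    smeared by up to window_s-1 seconds on either side of the true burst.
    """
    ordered = sorted(flows)
    times = [t for t, _ in ordered]
    counts = [pkts for _, pkts in ordered]
    alerts: List[Tuple[int, int]] = []
    for i in range(len(counts) - window_s + 1):
        avg = sum(counts[i:i + window_s]) / window_s
        if avg > threshold_pps:
            start, end = times[i], times[i + window_s - 1]
            if alerts and start <= alerts[-1][1] + 1:
                alerts[-1] = (alerts[-1][0], end)  # overlapping: extend
            else:
                alerts.append((start, end))
    return alerts
```

On the constructed data the 300 s average comes out near 197 pps and stays silent, while the 5 s window reports one interval that contains the burst.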
“By not detecting and investigating these short, surgical, DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks,” said Sean Newman, Director of Product Management at Corero.
“To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it’s essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions, as they arise,” he added.
The government's consultation on the EU's Security of Network and Information Systems (NIS) directive was launched earlier this month by the Department for Digital, Culture, Media, and Sport. While launching the consultation, the government said it would incentivise operators who take adequate measures to deter cyber attacks and assess security risks effectively. Penalties against such operators would be a last resort.
With the help of the new directive, the government aims to ensure that essential services like electricity, water supply, and health services that have a direct impact on people's lives are secured against cyber attacks seeking to disrupt their operations.
Along with offering cyber security guidelines and best-practice guidance, the government believes that imposing large fines on erring organisations would deter them from treating cyber security lightly in the future.