August marked a significant development in the importance of cyber security, following the Government’s warning that businesses providing essential services could face fines of up to £17m, or four percent of annual turnover, if they fail to meet security standards.
The move comes after the UK was one of 150 countries hit by a ransomware attack that crippled over 300,000 computers and brought down the National Health Service (NHS), Telefónica and FedEx. The WannaCry ransomware locked computers and threatened to delete data unless a ransom was paid; at the NHS this led to cancelled operations, diverted ambulances and patient records being made unavailable.
Further, results from the UK government’s 2017 Cyber Security Survey show that the threat of cybercrime is widespread, with over two thirds of large firms and small businesses detecting a breach or attack in the last twelve months.
The upcoming implementation of the Security of Network and Information Systems (NIS) Directive shows regulation being ramped up as a preventative measure against further attacks.
What is the NIS directive?
Due to be implemented in May 2018, the NIS directive aims to raise the overall level of security of network and information systems across the EU. It forms a part of a £1.9bn national cyber security strategy and ensures:
- Member states implement a national framework (e.g. National Cyber Security Strategy); teams (e.g. Computer Security Incident Response Team); and a national NIS Competent Authority, so that they are equipped to manage a cyber security incident
- The establishment of a Cooperation Group among member states to support and facilitate strategic cooperation and the exchange of information
- Identification of ‘Operators of Essential Services’ (OES) by member states, recognising businesses within vital sectors that rely heavily on information networks. OES must take appropriate security measures to manage risks to their network and information systems, and must notify serious incidents to the relevant national authority.
In summary, the NIS directive works to improve cyber security capabilities at a national level, increase cooperation on cyber security among EU member states, and introduce security measures and incident reporting obligations for operators of essential services (OESs) in critical national infrastructure (CNI) and digital service providers (DSPs).
Is it linked to data protection?
The NIS directive’s regulations echo those of the European Union’s General Data Protection Regulation (GDPR), which can fine businesses up to €20m (£18m) or four percent of their global turnover if they do not have strong cyber security measures in place.
However, while the GDPR focuses on organisations that lose sensitive data, the NIS directive focuses on the loss of infrastructure services.
Who does it primarily concern?
The NIS directive is primarily aimed at companies and organisations identified as either operators of essential services (OES), for example in the utilities, healthcare, transport and digital infrastructure sectors, or competent authorities (CAs). Some sectors are exempt from some aspects of the directive; however, the technical guidance will be widely applicable and should be noted by all sectors.
How can SA1 Solutions help?
The proposal essentially serves as a warning to all businesses that neglecting cyber security will not be tolerated. SA1 Solutions specialises in helping businesses manage their data and networks and protect them from security threats, and provides an efficient disaster recovery service to respond promptly to security breaches.
Give SA1 Solutions a call on 01792 439087 for advice on cyber security for your business.