In August 2017, the UK Government announced a new proposal under which any businesses or service providers without correct and proper cyber security measures could face huge fines.
Under this proposal, British organisations could face fines of up to £17m, or 4% of global turnover, if they fail to put measures in place to prevent cyber-attacks that can lead to massive disruption to services such as transport, health or electricity networks. The government has stressed that these fines will be a last resort and will not be enforced if an organisation facing an attack can prove it assessed the risk adequately.
The plan is part of a consultation launched by the Department of Digital, Culture, Media and Sport (DCMS), which aims to launch the Network and Information Systems (NIS) directive from May 2018. Minister for DCMS Matt Hancock stated that the DCMS wants ‘the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack and more resilient against other threats such as power failures and environmental hazards.’
This consultation has come after the NHS became the highest-profile victim of a global ransomware attack. The coordinated attack resulted in many computers across the whole of the UK’s health service being infected and was linked to the WannaCry malicious software. The issue of public services in Britain being affected by an IT situation came back into the media’s attention.
According to research completed by business continuity experts Databarracks, 31% of the organisations they looked into had been affected by cybercrime in the past 12 months. Databarracks’ seventh Data Health Check report surveyed over 400 IT decision makers in the UK about their IT security and continuity practices. The report found that within the last 12 months, 41% of these organisations had not invested in any safeguards against cybercrime, only 34% had invested in any form of cyber awareness training, and only 11% of these organisations had certified to a cyber security framework.