The Government is planning a major crackdown on how UK companies handle their own cyber security measures with proposed new laws which could trigger huge fines for businesses which fail to keep their houses in order, including those which supply specialised online and digital services.
The move has been revealed with the launch of a new consultation being run through the Department for Digital, Culture, Media & Sport (DCMS) following recent high profile cyber attacks.
Ministers argue that new laws are needed to drive up security standards in outsourced IT services used by almost all UK businesses, while improvements re needed in the way organisations report cyber security incidents and reforming legislation so that it is more flexible and can react to the speed of technological change.
The UK Cyber Security Council, which regulates the cyber security profession, also needs powers to raise the bar and create a set of agreed qualifications and certifications so those working in cyber security can prove they are properly equipped to protect businesses online, DCMS says.
The plans follow recent high-profile cyber incidents such as the cyber attack on SolarWinds and on Microsoft Exchange Servers which showed vulnerabilities in the third-party products and services used by businesses can be exploited by cybercriminals and hostile states, affecting hundreds of thousands of organisations at the same time.
They also follow an increase in ransomware threats to organisations, including some in critical national infrastructure such as the Colonial Pipeline attack in the US.
The minister of state for media, data, and digital infrastructure Julia Lopez said: “Cyber attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched.
“The plans we are announcing today will help protect essential services and our wider economy from cyber threats. Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”
To make the UK more secure and help prevent these types of attacks the Government is aiming, through new legislation, to take a stronger approach to getting at-risk businesses to improve their cyber resilience as part of its new £2.6bn National Cyber Strategy.
Network and Information Systems (NIS) Regulations came into force in 2018 to improve the cyber security of companies which provide essential services such as water, energy, transport, healthcare and digital infrastructure. Organisations which fail to put in place effective cyber security measures can already be fined as much as £17m.
The Government now wants to update the NIS Regulations and widen the list of companies in scope to include Managed Service Providers (MSPs) which provide specialised online and digital services. MSPs include security services, workplace services and IT outsourcing.
Ministers argue these firms are crucial to boosting the growth of the country’s £150.6bn digital sector and have privileged access to their clients’ networks and systems.
The NIS regulations require essential service providers to undertake risk assessments and put in place reasonable and proportionate security measures to protect their network. They have to report significant incidents and have plans to ensure they quickly recover from them.
While the regulations apply to some digital services such as online marketplaces, online search engines and cloud computing, there has been an increase in the use and dependence on digital services for providing corporate needs such as information storage, data processing and running software.
Research by DCMS shows only 12% of organisations review the cyber security risks coming from their immediate suppliers and only one in twenty firms (5%) address the vulnerabilities in their wider supply chain.
The consultation on amending the NIS regulations includes proposals to expand the scope of the NIS Regulations’ to include managed services. These are typically provided by companies which manage IT services on behalf of other organisations.
The new rules will also require large companies to provide better cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO, including a requirement to notify regulators of all cyber security attacks they suffer, not just those which impact their services.
There is also a proposal to bring into scope more organisations in the future which provide critical support to essential services.
Most critical digital service providers in the economy will also have to demonstrate proactively they are following NIS Regulations to the ICO, and take a more light-touch approach with the remaining digital providers.
NCSC technical director Dr Ian Levy said: “I welcome these proposed updates to the NIS regulations, which will help to enhance the UK’s overall cyber security resilience.
“These measures will ensure that cyber security risks are properly managed by organisations and those on whom they rely.”
Finally, DCMS wants to make it easier for businesses to know which skills to look for and whether a job candidate has those skills and the necessary qualifications or experience in cyber security.
In March last year, the Government established and funded the UK Cyber Security Council, a new independent body to lead the cyber workforce and put it on a par with established professions such as engineering.
Under the proposals the Council will have the ability to define and recognise cyber job titles and link them to existing qualifications and certifications. People would have to meet competency standards set by the Council before they could use a specific job title across the range of specialisms in cyber security.
It is hoped that this would make it easier for employers to identify the specific cyber skills they need in their organisations and create clearer information on career pathways for young people as well as existing practitioners, without providing unnecessary barriers to entry and progression.
The proposals include the creation of a Register of Practitioners, similar to that which exists in the medical and legal professions, setting out the practitioners who are recognised as ethical, suitably-qualified or senior.
The consultation will run for three months.
Related stories
Shot in the foot? Gun owners addresses leaked in hack
Spy chief warns of ‘alarming’ increase in ransomware
Blackbaud breach sparks legal threat to UK universities
National Trust among 125 hit by Blackbaud hack in UK
Crisis donors hit as fears grow over Blackbaud breach
Clients demand answers as cloud giant admits breach
Gold diggers: cyber criminals driven by the filthy lucra
Hack attack fears push UK cyber security to over £8bn