The recent NHS cyber-attack, which infected over 300,000 computers worldwide, caused a huge spike in Google searches for the term ‘cyber security’, as seen below. Described as the “biggest ransomware attack in history”, the ‘WannaCry’ software debilitated 48 NHS trusts for 24 hours and caused further disruption for at least a week.
Cyber security is fast becoming a high profile issue both in the public and business spheres, with three-quarters of UK businesses saying that cyber security is a high priority for their senior management, according to the 2017 Ipsos Mori Cyber Security Breaches Survey.
Despite its evident gravity and growing notoriety, only one in ten businesses has a cyber security incident management plan in place. These are companies holding significant amounts of consumer data, and their rhetoric of spending money on cyber security to “protect consumer data” is empty. With the introduction of the NIS Directive in May 2018 on the horizon, businesses will have to turn their words into actions and put processes and plans in place to mitigate cyber threats, or face fines of up to 4% of global turnover. The new legislation, which can be applied retrospectively as far back as May 2016, affects any business “that provides a service which is essential for the maintenance of critical societal/economic activities” and supplements the GDPR data regulation already in place, which concerns companies holding personal data.
A common misconception is that technology is the solution to cyber threats. On the contrary, “Each new device connected to the internet presents a new target for attackers that needs to be secured. And each new social media post creates new risks for phishing attacks or social engineering,” says John Slamecka, EMEA region President for AT&T. In fact, people and processes are the most crucial parts of any cyber security due diligence plan.
So what should businesses be doing in light of the impending legislation?
- Implementing advanced behaviour-based detection systems, which are now the modern standard for prevention of advanced attacks;
- Preparing an incident response readiness programme that will comply with breach reporting requirements in a timely manner (at minimum within 24-72 hours of a breach);
- Utilising an intelligence-based security strategy that can be integrated with the new NIS threat intelligence sharing programmes;
- Adopting an internal security and response strategy and coordinating it with the board of directors, chief legal officer, and other senior executives;
- Reviewing all internal security processes and preparing the self-audit capabilities required by national authorities.
It is important to recognise that mere “compliance” is not adequate to protect against modern advanced attacks. Real security is more than compliance—it is a comprehensive security programme that includes non-signature-based detection and advanced threat defences.
Without these systems in place, if an unreported breach comes to light under the NIS Directive, you are liable. In order to cover all bases, you need more than one specialist. You will need to consider consultation not only from technology and cyber security specialists, but also from legal and communications specialists to manage any negative PR arising from a breach.