Over a third of national critical infrastructure organisations in the UK (39%) have not completed basic cyber security standards issued by the UK government, according to data revealed under the Freedom of Information Act by Corero Network Security.
The fact that so many infrastructure organisations have not completed the ’10 Steps to Cyber Security’ programme indicates a lack of cyber resilience within organisations which are critical to the functioning of UK society. It also suggests that some of these organisations could be liable for fines of up to £17m, or four percent of global turnover, under the UK government’s proposals to implement the EU’s Network and Information Systems (NIS) directive, from May 2018.
The Freedom of Information requests were sent by Corero, in March 2017, to 338 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations. In total, 163 responses were received, with 63 organisations (39%) admitting to not having completed the ’10 Steps’ programme. Among responses from NHS Trusts, 42% admitted not having completed the programme.
“Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society”, said Sean Newman, Director of Product Management at Corero. “These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.”
The Freedom of Information data also revealed that most UK critical infrastructure organisations (51%) are potentially vulnerable to DDoS attacks, because they do not detect or mitigate short-duration surgical DDoS attacks on their networks. As a result, just 5% of these infrastructure operators admitted to experiencing DDoS attacks on their networks in the past year (to March 2017). However, if 90% of the DDoS attacks on their networks are also shorter than 30 minutes, as experienced by Corero customers, the real figure could be considerably higher.
Sean Newman, continues: “To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it’s essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions, as they arise.”