Compliance with the proposed Network and Information Security (NIS) Directive, which EU member states must adopt by May 2018, may prove difficult for organisations operating in critical infrastructure industries, a new report from Corero Network Security has highlighted.
The police and the NHS are among the key organisations failing to meet the most basic cyber security standards.
Freedom of Information requests were sent to 338 essential service providers, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations, in March this year, according to Infosecurity magazine.
Responses show that more than a third of the UK’s national critical infrastructure organisations are not as resilient as they should be in the face of increasingly sophisticated cyber threats.
39% of organisations admitted to not having completed the ‘10 Steps’ programme – the basic cyber security standards issued by the UK government. Only 58% of NHS trusts had completed the scheme.
The NIS Directive is aimed at bolstering cyber security across sectors that rely heavily on information and communication technology (ICT), including businesses operating in critical industries.
Penalties for non-compliance
Critical infrastructure organisations could be liable for fines of up to 4% of annual global turnover from May next year if they cannot demonstrate that appropriate risk mitigation measures are in place.
What organisations can do now
To comply with the NIS Directive, organisations in critical infrastructure industries should implement cyber resilience programmes that incorporate the following:
- Robust cyber security defences.
- Adequate cyber risk preventative measures.
- Appropriate tools and systems to deal with and report incidents and data breaches.
The importance of risk management and cyber resilience
One of the key principles of the NIS Directive is for organisations to take appropriate steps to identify, assess and understand security risks to their network and information systems that support the delivery of essential services. This includes an overall organisational approach to risk management.
The National Cyber Security Centre (NCSC) has recommended a set of principles for NIS Directive compliance, indicating that critical infrastructure organisations should adopt a systematic process to manage identified risks and that they should have confidence in the efficacy of the applicable mitigations.
Find out how to implement a risk management framework with effective risk management training
IT Governance’s ISO 27005 Certified ISMS Risk Management course is designed to provide attendees with the knowledge and skills to fully implement an effective cyber security risk management programme.
The three-day course teaches professionals how to apply practical risk management methodologies to mitigate cyber security risks.