More than a third of the UK’s critical infrastructure providers have failed to complete the government’s basic cyber security programme, according to Freedom of Information requests.
Corero Network Security sent FoIs to 338 essential service providers, such as fire and rescue services, police forces, NHS trusts and energy and transport firms, earlier this year.
Of the 163 respondents, 63 (39 per cent) admitted that they had not completed the government’s 10 Steps to Cyber Security programme. Just 42 per cent of NHS trusts said they had.
Critical infrastructure providers will be liable to fines of up to 4 per cent of annual global turnover from May next year under the European Union’s Network and Information Systems directive.
Sean Newman, director of product management at Corero, said cyber attacks on national infrastructure could inflict significant, real-life disruption to critical services.
“These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats,” he added.
The government has said that NIS directive fines will be a last resort and won’t be used to punish operators that fall victim to strikes despite meeting the government’s security requirements.
A new investigation by the i newspaper revealed last month that public bodies have been breached 400 times over the last three years.
The real number may be higher still. More than half of NHS trusts and one in ten councils refused to answer questions put to them by the i’s team of reporters.