More than two thirds of UK infrastructure organisations (70 per cent) have suffered from service outages on their IT networks over the last two years, according to data obtained under Freedom of Information laws.
The security firm Corero released the research ahead of the implementation of the EU’s Network and Information Systems Directive on 9 May. The new regulation grants regulators the power to fine critical national infrastructure operators up to £17m for service outages caused by cyber attacks and other IT failures.
Corero sent FoI requests to 312 infrastructure operators, including, but not limited to energy suppliers, water authorities and NHS trusts. It received responses from 221 organisations, of which 155 had suffered a service outage. A third were believed to have been caused by cyber attacks.
The research also revealed that more than a tenth (11 per cent) of organisations do not always follow the government’s advice of applying security patches within a fortnight of their release. However, nearly all respondents (98 per cent) said they were guided by the government’s “10 steps to cyber security” programme, initially published in 2012.
Andrew Lloyd, President at Corero Network Security, said the NIS Regulations “offer a golden opportunity to make UK infrastructure more resilient against cyber-attacks”. But he added that “more rigorous guidance is urgently needed”.
“This data proves that blindly following outdated guidance is insufficient to repel today’s cyber-attacks,” Lloyd warned. “While further guidance is still expected from the National Cyber Security Centre, the current advice is heavily weighted on reactive attack reporting rather than advising organisations on how to proactively defend themselves.”
“As things stand, there is genuine risk that the legislation may be viewed as a mere ‘tick-box’ exercise which requires the bare minimum to be done, rather than fulfilling its promise for the UK to set world-leading standards in this area,” he added.
Last month, the government unveiled a £150m spending package aimed at bolstering the NHS’s cyber defences, in a bid to protect the health service from another WannaCry-style attack.
The funding will be spent on implementing 22 recommendations drawn up in light of WannaCry, but, nearly 12 months on from the attack, the government is yet to confirm how much each will cost and when they will be put into practice.
Meg Hillier, chair of the Public Accounts Committee, described the government’s slow progress in response to WannaCry as “alarming”. She added: “Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS.”