In response to a public consultation earlier this year, the government has confirmed that the Network and Information Systems (NIS) Regulations will be strengthened to protect essential and digital services against increasingly sophisticated and frequent cyber-attacks, both now and in the future.
The UK NIS Regulations came into force in 2018 to improve the cyber security of companies providing critical services. Organisations that fail to put effective cyber security measures in place can be fined up to £17 million for non-compliance.
But high-profile attacks such as Operation CloudHopper, which targeted managed service providers and compromised thousands of organisations at the same time, show that the UK’s cyber laws need to be strengthened so that they can continue to protect vital services and the supply chains they rely on.
Managed Service Providers (MSPs) provide IT services such as security monitoring and digital billing and can have privileged access to their customers’ IT networks. This makes them an attractive target for cyber criminals, who can exploit vulnerabilities in MSP software to compromise a wide range of clients in a single campaign.
Under the new changes, MSPs, which are key to the functioning of essential services that keep the UK economy running, will be brought into scope of the regulations to keep digital supply chains secure.
The updates to the NIS regulations will be made as soon as parliamentary time allows and will apply to critical service providers, like energy companies and the NHS, as well as important digital services like providers of cloud computing and online search engines.
Other changes include requiring essential and digital services to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the Information Commissioner’s Office. This includes notifying regulators of a wider range of incidents that disrupt service, or which could have a high risk or impact to their service, even if they don’t immediately cause disruption.
The updated rules will allow regulators to establish a cost recovery system for enforcing the NIS regulations that is more transparent and takes into account the wider regulatory burdens, company size, and other factors to reduce taxpayer burden.
The Information Commissioner will be able to take a more risk-based approach to regulating digital services under the updated cyber laws and will be allowed to take into account how critical providers are to supporting the resilience of the UK’s essential services.
For more information, read: Cyber laws updated to boost UK’s resilience against online attacks – GOV.UK
Here are some actions you can take to protect your business against cyber threats:
- Back up your data – consider a cloud storage solution which uses encryption when transferring and storing your data, and provides multi-factor authentication for access.
- Secure your devices and network – install security software to detect infection, set up a firewall to protect your internal networks, and turn on spam filters.
- Encrypt important information – to reduce the risk of theft, destruction or tampering.
- Ensure you use multi-factor authentication (MFA) – making it harder for attackers to gain access to your device or online accounts.
- Manage passphrases – a passphrase is a string of several unrelated words, which is much harder for machines to crack than a short password.
- Monitor use of computer equipment and systems – change default passwords, and restrict the use of, and access to, accounts with administrative privileges.
- Put policies in place to guide your staff – to help them understand their responsibilities and what is acceptable when they use or share data, devices, email and internet.
- Train your staff to be safe online – make sure your staff know about the risks they can face and the role they play in keeping the business safe.
- Protect your customers with a secure online environment – not only is it important to keep them secure, but if you lose or compromise their information it will damage your business reputation, and it could lead to legal consequences.
- Consider cyber liability insurance cover – to help your business with the often costly process of recovering from an attack.
- Keep up with the latest scams and security risks to your business – and know how to safeguard against them.
- Get cyber security advice from a professional.
Talk to us about our cyber protection and cyber awareness services. We can help to manage your systems, protecting them from the many cyber threats faced by today’s organisations. We can also help to educate your team, making them an integral part of your defence to protect you, your business, your customers and your employees.