Companies may face £17m fines for lax cybersecurity

by Mark Tyson on 30 January 2018, 10:11

Tags: UK Government


Companies that operate without effective cybersecurity measures risk fines of up to £17 million. Businesses which operate in ‘essential services’ are targeted by the new directive, so UK operators in electricity, transport, water, energy, health and digital infrastructure need to be particularly vigilant. The National Cyber Security Centre (NCSC), the UK’s centre of cyber excellence established in 2017, has published detailed guidance on the security measures to help organisations comply.

Minister for Digital and the Creative Industries, Margot James, said that the implementation of the EU’s August 2016 Network and Information Systems (NIS) Directive will help minimise the likelihood of cyber-threats disrupting the UK’s essential services and infrastructure. James went on to encourage “all public and private operators in these essential sectors to take action now”.

Fourteen key principles should be used as guidance by companies to ensure they implement essential cyber security measures where necessary. The summary table of these 14 principles is here, and it includes multiple guidance documents under every heading, broadly collected into four main objective categories as follows: managing security risk, defending systems against cyber attack, detecting cyber security events, and minimising the impact of cyber security incidents.

The new directive becomes law from 10th May 2018 and would cover security breaches and ransomware outbreaks like the WannaCry attack that hit the NHS, among others, in May 2017. Importantly, fines will be imposed only as a last resort: they will not be levied on organisations that appear to have adequately assessed risks, undertaken best practice security measures, and engaged with regulators.



HEXUS Forums :: 20 Comments

This should have been effected and put in place many years ago, however back then CyberSecurity wasn't as much on the radar as it is now.

I wonder if a company can be clocked by the GDPR and this side by side, in which case it could be financially crippling.
Tabbykatze
This should have been effected and put in place many years ago, however back then CyberSecurity wasn't as much on the radar as it is now.

I wonder if a company can be clocked by the GDPR and this side by side, in which case it could be financially crippling.

It needs to be done though. Far too many companies, large and small, have terrible data protection practices. We need the legislation here, arguably even more, to keep people safe in the digital age.
How much will the government agencies get fined, or are they exempt with it being public cash they waste?
Minimising the impact - don't store in plain text.
Tabbykatze
This should have been effected and put in place many years ago, however back then CyberSecurity wasn't as much on the radar as it is now.

I wonder if a company can be clocked by the GDPR and this side by side, in which case it could be financially crippling.

They can. Should be fun.