Why wait until things become critical? Get on board now with the new cyber security legislation.
Imagine the doomsday scenario, which as it happens seems to be a popular pastime of most of those gainfully employed in the cyber security industry, where Amazon Prime unexpectedly shuts down for 48 hours, or maybe 72 hours, or maybe even a week.
What would happen?
Similarly, what if the supply chain to your local supermarket was taken offline and fresh bread didn’t arrive in time for your morning bacon sandwich?
Or if, as has happened in other parts of the world, the National Grid lost part of its capacity, leading to power outages across the country. What about the mobile phone service? If that died for a while, what state would we find ourselves in?
Chances are it would be a critical national incident, with mild panic breaking out. Now perhaps it is open for debate if Amazon is critical to the smooth running of the nation, but it’s a huge supplier not only of goods, but of IT services, through its AWS (Amazon Web Services) platform to thousands of businesses. All of which could go out of business if Amazon went dark for a while.
The risk of these scenarios taking place is relatively low, and if the Government has its way that risk will become even lower. Last week, through the Department for Culture, Media and Sport (DCMS), which strangely has cyber security in its portfolio, it announced a consultation period on the implementation of the EU directive on the security of Networks and Information Systems.
This is more commonly known as the NIS directive, whose main aim is to ensure that, and I quote, “businesses within vital sectors which rely heavily on information networks, for example utilities, healthcare, transport, and digital infrastructure sectors, are identified as “operators of essential services” (OES). Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority. Engagement with industry is therefore crucial in the implementation of the directive.”
During this consultation period, which concludes on 30th September, it will be determined who is and isn’t an OES. Are you one? Those that are will then have to take measures to protect their networks from going offline during any form of cyber related incident. Those that fail will be in line for hefty fines.
Since 2013 the EU has been discussing proposals for the improvement of resilience in the event of a cyber attack. These proposals became a directive in August 2016, with the EU giving Member States 21 months to embed it into national laws, and, before you ask, Brexit will have no effect on this, as the UK Government has committed to transposing the NIS and its complementary GDPR legislation into UK law. This means that NIS is going to come into force in May 2018, exactly the same time as GDPR.
I would confidently predict that the vast majority of us do not work for businesses that are providing such critical services, and therefore this consultation and forthcoming law can be gleefully dismissed. But before you do that, just pause for a second and look at it from a slightly different angle.
We know that many technology trends start in the upper echelons of government departments. A quick Google search on former secretive defence projects, from both sides of the Atlantic, shows how many eventually become entrenched in everyday use – including the internet. I believe that this new legislation, once proven in the field of critical businesses, will find its way down into more business sectors. This isn’t just a finger in the air prediction; it makes sense if the Government wants to stick to its sensible plans to make the UK one of the safest and most secure countries in which to do business.
So rather than waiting for it to be forced upon you, as many feel GDPR is, why not get on board now? You may not be critical in the terms the Government is laying out, but I bet to your customers you are critical. It would be a very positive, not to mention competitively advantageous, stance to look at this new legislation during its consultative period and then adopt it, before you are forced to.
Those who thought that cyber security was just a fad, a flash in the pan, something that would die a natural death, have been proven wrong. Cyber security in all its forms, be that protection of data, of networks or of infrastructure, is here to stay and will continue to have legislation, regulation and all manner of governance processes placed around it. The NIS is just another small step in this process.
If you have been lagging behind on cyber security, network security, data protection and compliance, waiting to see how it all pans out, then wait no longer. Get on board, get secure and start using it to your advantage. I just urge you to do it before things become critical.