More than a third of national critical infrastructure organisations have not met basic cybersecurity standards issued by the UK government, according to Freedom of Information requests by Corero Network Security.
The FoIs were sent in March 2017 to 338 organisations including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations. In total, 163 responses were received, with 63 organisations (39 per cent) admitting to not having completed the “10 Steps” programme. Among responses from NHS trusts, only 58 per cent had completed the scheme.
In the event of a breach, critical infrastructure organisations could be liable for fines of up to £17m, or 4 per cent of global turnover, under the government’s proposals to implement the EU’s Network and Information Systems (NIS) directive from May 2018.
The findings suggest that many key organisations are not as resilient as they should be in the face of growing and sophisticated cyber threats. Corero’s questions revealed that by not detecting and investigating brief DDoS attacks, organisations could be “leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks”.
When asked “Have you suffered Distributed Denial of Service (DDoS) cyber attacks on your network in the last year?”, just eight organisations (5 per cent) responded “yes”.