UKA correspondent, Wednesday 30 August 2017

One third of CNI organisations fail to follow cyber guidance

Survey shows that 39% of critical national infrastructure respondents have not completed the 10 Steps to Cyber Security programme

Over a third of critical national infrastructure (CNI) organisations in the UK (39%) have not completed basic cyber security standards issued by the Government, according to data collected under the Freedom of Information Act by cyber defence company Corero Network Security.

It said that 63 of 163 organisations (39%) that responded to its request acknowledged that they had not completed the 10 Steps to Cyber Security programme, created by the National Cyber Security Centre (NCSC) as basic guidance in the area.

Corero highlighted that NHS trusts are among those with a high proportion (42%) failing to take action. This could create new concerns given that the NHS was hit particularly hard by the WannaCry virus earlier in the year.

It also pointed out that some of these organisations – which include NHS trusts, police forces, ambulance services and energy suppliers – could be liable for fines of up to £17 million or 4% of their global turnover, under the Government’s proposals to implement the EU’s Network and Information Systems (NIS) directive from May 2018.

Real life disruption

The company’s director of product management Sean Newman said: “Cyber attacks against national infrastructure have the potential to inflict significant, real life disruption and prevent access to critical services that are vital to the functioning of our economy and society. These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.”

The exercise also suggested that many CNI organisations are vulnerable to distributed denial of service (DDoS) attacks. 51% of respondents said they did not detect or mitigate short duration surgical DDoS attacks on their networks, and just 5% admitted to experiencing DDoS attacks on their networks in the past year (to March 2017).

Corero said that if the attacks lasted less than 30 minutes – as experienced by many of its customers – the real figure could be considerably higher.

The company sent out 338 FoI requests in March; 175 organisations did not respond.
