TechRadar
Ellen Jennings-Trace

New legislation looks to toughen UK cyberdefences and critical infrastructure

  • Critical services and infrastructure around the world are under attack
  • A new bill has been introduced with greater protections for UK organisations
  • Regulators will be given stronger powers to punish serious breaches

The UK Government has introduced its new Cyber Security and Resilience Bill to Parliament as part of its efforts to overhaul British cyberdefences for critical infrastructure and services.

The UK, like many other countries, has been on the receiving end of disruptive attacks on vital health services as well as energy and water providers, and the bill looks to expand the Network and Information Systems regulations (NIS) to cover more of the supply chain, including vendors and digital infrastructure.

This is a key consideration, as the vast majority of the latest high-profile and damaging attacks have stemmed from third-party breaches.

An onus on businesses

Another facet of the legislation is mandatory incident reporting to provide better data for the government, helping to build a better picture of the cyber landscape and therefore better understand the protections needed.

Regulators will also be given additional powers to ensure suppliers meet minimum security requirements and shut down any gaps that could be exploited by cybercriminals. They can also hand out harsher penalties for serious breaches.

"So cutting corners is no longer cheaper than doing the right thing. That’s because companies providing taxpayer services should make sure they have tough protections in place to keep their systems up and running," the Secretary of State for Science, Innovation, and Technology declared.

The new bill requires medium and large firms that provide cybersecurity, IT management, and IT help desk support to both private and public organisations to vigilantly report potentially significant cyber incidents to the government and to customers for better transparency - giving businesses a bigger responsibility in protection and recovery.

But, as with every new piece of legislation, this could be a compliance burden for the organisations affected, as it takes real collective effort to protect public services against threat actors.

“The Cyber Security and Resilience Bill is going to motivate companies to transform how they secure access to critical infrastructure,” explains Ev Kontsevoy, CEO at Teleport.

“Compliance will mean navigating through accumulated audit toil, making sense of patchworks of VPNs, shared credentials, and SSH keys that never expire.”
