The government has been thinking of ways to improve businesses’ cybersecurity after several high profile attacks. The measures the government is considering would mean more companies that provide crucial digital services would need to follow strict cybersecurity rules. There would be significant fines for those who don’t comply. The government is also considering other legislative measures, including improving incident reporting and strengthening the standards in the cybersecurity industry.
The government recognises that almost all organisations and businesses across the UK use, or are dependent on, IT services and software. With this recognition, the government is thinking about introducing a different approach to the way businesses report cyber-attacks. The intention is to improve the flexibility of legislation so that it can change quickly, keeping up with the pace of technological advancements.
The UK Cyber Security Council also needs the authority to create qualifications and certifications for those who work in the cybersecurity sector to prove they are adequately trained to protect businesses.
The proposed plans come just after several cyber-attacks, such as those on SolarWinds and Microsoft Exchange Server. These cyber-attacks leveraged vulnerabilities in third-party products and services, allowing cybercriminals and hostile states to exploit them. The UK has also seen a rising number of ransomware threats, including some directed at critical national infrastructure.
The government hopes to create new legislation that will create a more assertive approach that moves from persuading to instructing at-risk businesses to improve their cybersecurity. The legislation will be an integral part of the government’s £2.6 billion National Cyber Strategy
Network and Information Systems (NIS) Regulations
NIS regulations came into play in 2018 intending to improve the cybersecurity of businesses providing critical services, e.g. water, transport, health care etc. Companies that do not choose to comply with NIS regulations can be fined up to £17 million.
The government plans to update the NIS regulations and add Managed Service Providers to the list of companies that provide critical online and digital services. Managed Service Providers are essential to strengthening the growth of the nation’s £150.6 billion digital industry, which have unparalleled access to their client’s systems and networks.
Essential service providers must abide by NIS Regulations that require them to complete risk assessments and put in place appropriate security measures that provide network protection. Any significant incidents must be reported, and plans must be implemented to ensure the essential service provider can quickly recover from them.
Investing in the cybersecurity industry
Due to the increasing number of people interested in cyber careers, it is vital for businesses to realise which skills are needed and whether a candidate has the necessary skills, qualifications, and experience.
The government founded the UK Cyber Security Council to lead the cyber workforce and put it on the same pedestal as well-known industries like engineering.
The new proposals would provide the UKCSC with the authority to define and recognise cyber job roles and link them to existing qualifications and certifications. For this to happen, people will need to meet a set of standards before they can utilise a specific job title across the range of specialisms in cybersecurity. The measures will make it significantly easier for employers to identify and attain the essential skills they need for their business.