Five steps to cyber compliance

With two new compliance regimes coming into force in May, utilities need to create a stronger culture of cyber security in their organisations. Jon Fielding suggests five key steps that can help.

Two major new compliance regimes sweeping in from Brussels next May are set to cement cyber security as a priority for UK utilities providers. Yet when it comes to the EU General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS), merely ticking the right boxes will not be enough to keep regulators happy.

To stay as resilient as possible to ever-evolving cyber threats, utilities bosses need to embed cyber security into everything they do, by creating the right organisational culture.

Threats on the rise

When it comes to the utilities sector, cyber risk doesn’t just mean theft of customer data and intellectual property (IP), but also attacks aimed at disrupting the key systems and services that keep supply running.

The global WannaCry outbreak of May and the NotPetya attack of June (presented as ransomware, though its payload was in practice destructive) show the speed and severity with which such attacks can race around the globe, causing widespread outages and financial losses. North Korean state actors have recently been observed probing US electricity companies, but the truth is that both state-sponsored and financially motivated criminal hackers have the tools and the will to launch such attacks.

One vendor alone blocked 32 billion cyber threats in the first half of 2017, while the government recently claimed that almost half (46 per cent) of all British firms had suffered at least one attack or breach in the past year or so. It is figures such as these that have forced European legislators to take action.

The GDPR covers individuals’ privacy rights and mandates strict rules on the protection of personal data. It requires security measures appropriate to the risk, “taking into account the state of the art”, and names encryption and pseudonymisation as examples of such measures. Most importantly, it will enforce notification of qualifying breaches to the supervisory authority within 72 hours, and it allows fines of up to 4 per cent of global annual turnover or €20 million (£17.8 million), whichever is higher, for non-compliance. The NIS Directive applies to operators of “essential services”, which includes utility companies, and to certain digital service providers. Although the details of the UK implementation are still being worked out, the directive will aim to enforce minimum standards of cyber security in four key areas, and the government has indicated that penalties for erring organisations will be of a similar scale.

A five-point plan

Unfortunately, evidence suggests many firms are still not ready for the May 2018 deadline by which both pieces of legislation take effect. An Apricorn study earlier this year found that 24 per cent of IT decision makers are not even aware of the GDPR. To achieve lasting change, organisations need to create a culture of good cyber security. The following five steps are a practical route to get there:

•    A comprehensive security review – this will enable you to understand your current security posture and identify the areas that must be updated to meet the two new EU laws. For the GDPR, it is crucial to conduct a data audit: establish what personal data you hold, where it is stored, how it flows inside and outside the organisation, and what security controls you apply to it at each point. From there you can identify and fill compliance gaps, and you will also have the record of processing that regulators expect to see.

•    End-user education – education and awareness programmes may need to be updated, because no matter how strong your policies and technology, it only takes one misplaced click to let the bad guys in. Phishing attacks are designed to deliver malware or harvest user log-ins, feeding covert data-theft operations and ransomware campaigns; phishing is perhaps the biggest threat directly facing users and must be addressed alongside guidance on how to handle mobile and storage devices securely. Programmes need to apply to all staff, temporary and permanent, and must be regularly updated and tested. Think bite-sized chunks of information and realistic simulated phishing exercises that put users in the hot seat, with the results fed back into the next round of training.

•    Watertight policies – spend plenty of time developing comprehensive security policies. It is especially important to regulate the use of mobile devices and unsanctioned cloud services, which can expose the organisation to unnecessary risk. Once you’ve educated employees about the risks of using such tools, ensure policies allow only IT-approved devices to connect to the corporate network. Other policies that apply here could cover the length and complexity of passwords, and auto-lock and remote wipe for lost or stolen devices. Nearly half (48 per cent) of organisations polled by Apricorn earlier this year said employees are their biggest security risk, and one in ten firms with more than 3,000 staff said they have no policies covering remote working or bring-your-own-device. This must change.

•    Simple security technology – next, enforce those policies with security technologies that work. The focus should not just be on the effectiveness of tools but also on their ease of use: if employees find them too difficult or time-consuming, they will resort to non-sanctioned tools that circumvent IT control. If data is regularly transferred outside the organisation, or between systems, you will need mobile storage devices with strong hardware encryption. A policy alone cannot stop an unapproved device from working, so back it with device-control technology that blocks unsanctioned storage from mounting. Look for devices that IT can pre-configure centrally and provision in bulk in line with policy.

•    Regular testing – once you’ve put everything in place, make sure systems are regularly tested, by outside experts where necessary, and adjusted in light of the findings. Cyber threats are constantly evolving, so cyber security approaches must be fluid enough to provide maximum protection, now and in the future.

Creating a culture of cyber security takes time, but the prospect of huge fines will certainly help to elevate the issue in utility providers’ boardrooms. By focusing on people, processes and effective, user-friendly security technology, organisations stand a far better chance of avoiding damaging breaches and staying compliant.

Author: Jon Fielding, managing director, Apricorn EMEA


© Faversham House Ltd 2017. Articles may be copied or forwarded for individual use only. No other reproduction or distribution is permitted without prior written consent or the relevant licence from the Copyright Licensing Agency
