Over a third of national critical infrastructure organisations in the UK (39 per cent) have not completed basic cyber security standards issued by the UK government. That is according to data compiled by a Freedom of Information (FoI) request by security firm Corero Network Security.
Corero said there is a lack of “cyber resilience” in infrastructure organisations that have not completed the ’10 Steps to Cyber Security’ programme, despite them being critical to the functioning of UK society.
Corero added that it suggests that some of these organisations could be liable for fines of up to £17 million, or four per cent of global turnover. This is under the government’s proposals to implement the EU’s Network and Information Systems (NIS) directive, from May 2018.
The FoI requests were sent to 338 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, and energy suppliers, among others.
A total of 163 responses were received, with 63 organisations (39 per cent) admitting to not having completed the ’10 Steps’ programme. Among responses from NHS Trusts, 42 per cent admitted not having completed the programme.
Sean Newman, director of product management at Corero, said: “Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society.
“These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.”
The Corero findings also revealed that 51 per cent of critical infrastructure organisations are potentially vulnerable to Distributed Denial of Service (DDoS) attacks. This is because most attacks are less than 30 minutes in duration, and less than 10Gbps in volume, meaning that they often go unnoticed.