The deadline for full compliance with the European data protection law is right around the corner, but many businesses are still unaware of it and have basic security oversights to fix. According to a UK government survey, as few as 38 percent of UK companies have even heard of GDPR. Businesses that are not prepared by May 25, when the law takes full effect, face fines of up to €20 million or 4 percent of global annual turnover, whichever is higher.
But the General Data Protection Regulation (GDPR) is not the only piece of EU legislation that companies doing business in the European Union must reckon with. By May 9, every member state has to transpose the EU directive on the security of network and information systems (NIS) into national law. Unlike a regulation, a directive sets out cybersecurity requirements that each member state interprets and tailors in its own legislation, so the obligations on operators will differ slightly from country to country.
Even though the UK is moving forward with Brexit, UK-based companies still have to comply with both GDPR and NIS if they want to keep doing business with residents of EU member states. British ‘operators of essential services,’ such as those in transport, water, energy and health, that fail to put in place a strategy to properly safeguard their network and information systems and digital services could be fined up to £17 million (about $23.9 million) by the UK government, CNBC writes.
The UK implementation of NIS sets out 14 key security principles for protecting critical infrastructure. Under them, significant incidents, whether caused by malware such as the WannaCry ransomware and the Mirai botnet, by hardware failures or by leaks of confidential data, must be reported to regulators without undue delay, while a robust infrastructure is expected to keep increasingly virulent cyberattacks from getting through in the first place.
“We want our essential services and infrastructure to be primed and ready to tackle cyberattacks and be resilient against major disruption to services,” said Margot James, Minister for Digital and the Creative Industries. “I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security.”
Organizations will have to ensure they have the right staff and strategy to fend off cyberattacks. That is a real challenge at a time when the cybersecurity industry is struggling with a major skills gap. Other key requirements for NIS compliance include deploying security software that detects and blocks attacks and, when a breach does happen, keeping its impact to a minimum.
Sector-specific regulators will not actively seek to fine companies lacking cybersecurity measures, but will instead use fines as “a last resort.” Companies that still fall victim to a cyberattack despite following the guidelines and taking appropriate measures will not be penalized. By asking for compliance, regulators want to ensure that private and public organizations put in place effective breach-reporting systems and response plans that minimize the repercussions of an incident.
“Through 2020, 99 percent of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year,” said Greg Young, Research Vice President at Gartner.
It is not easy for companies to understand the threat landscape they operate in and to anticipate the risks to their infrastructure as it becomes more connected. But while they take their time waking up to these threats, attacks are growing in number and complexity at an alarming rate. Estimates put the worldwide cost of security breaches over the next three years at some $6 trillion.