39% of the organisations that make up the UK’s national critical infrastructure – including police forces, fire services, healthcare organisations and energy suppliers – have not completed the government’s basic cybersecurity standards, leaving them potentially open to attacks.
The revelation was the result of a series of Freedom of Information (FOI) requests by cybersecurity provider Corero Network Security to 338 critical infrastructure organisations. Of the 163 that complied with the request, 63 admitted to failing to complete the UK government’s 10 Steps to Cyber Security programme.
Given the potential for damage – and even, in some cases, loss of life – that comes with a cyber attack on a police force, hospital or fire service, this raises serious concerns about how prepared the UK’s critical infrastructure is for an attack.
“Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society,” said Sean Newman, director of product management, Corero. “These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.”
The UK government’s 10 Steps to Cyber Security programme was developed by GCHQ to provide a simple and clear guide for organisations to follow to ensure they are adequately protecting themselves from cyber attacks.
Originally published in 2012, it is used by two thirds of the FTSE350 – the country’s 350 largest companies – and was re-issued in 2015 alongside an additional document for businesses.
Covering technology and employee management, it includes steps such as user education and awareness, controls for removable media and the establishment of network security.
Many organisations will already follow some of these steps, but others remain under-followed, leaving critical infrastructure exposed.
There have, of course, already been successful attacks on critical infrastructure, with the WannaCry attack crippling NHS systems earlier this year.
However, this does not seem to have resulted in dramatic improvements in security efforts, as 42% of the NHS trusts that responded to the FOI requests had not completed the programme.
As a result, it is likely that we will see more attacks on critical infrastructure providers in the future, potentially putting people and the UK economy at risk.