The government is consulting on introducing new laws to strengthen the UK’s resistance against possible cyber-attacks.
As cyber-attacks have increased in recent years, new cybersecurity laws are necessary in order to drive up security standards in outsourced IT services used by the majority of businesses in the UK.
On 19 January 2022, a number of proposals were published to enhance cybersecurity efforts, including making improvements to the processes used by organisations when reporting cybersecurity incidents and restructuring legislation to ensure it is more flexible and can respond to the speed of technological change.
Introducing new cybersecurity laws
The UK Cyber Security Council, which is responsible for managing the cyber security profession, also requires powers to raise the bar and develop a set of agreed qualifications and certifications. This means that those working in the cybersecurity field can demonstrate that they are appropriately prepared to protect businesses online.
These new plans come in the light of a series of high-profile cyber incidents, like the cyber-attacks on SolarWinds and on Microsoft Exchange Servers, which exposed how weaknesses in the third-party products and services employed by businesses can be capitalised on by cybercriminals and hostile states, impacting hundreds of thousands of organisations simultaneously.
As well as this, the proposed plans follow a growth in the number of ransomware threats to organisations, including those in critical national infrastructure, such as the Colonial Pipeline incident in the US.
Safeguarding against cyber-attacks
Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez, said: “Cyber-attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched.
“The plans we are announcing today will help protect essential services and our wider economy from cyber threats.
“Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”
To safeguard the UK and help prevent these attacks, the government is aiming, through these new cybersecurity laws, to take a tougher approach to getting at-risk businesses to enhance their cyber resilience as part of its new £2.6bn National Cyber Strategy.
Updating the NIS regulations
The Network and Information Systems (NIS) Regulations came into force in 2018 to strengthen the cybersecurity of companies that offer crucial services like water, energy, transport, healthcare and digital infrastructure.
The NIS regulations require these service providers to carry out risk assessments and put in place reasonable and proportional security measures to safeguard their network. On top of this, they must report substantial incidents and have plans in place to guarantee they promptly recover from them.
While the policies are relevant to some digital services, including online marketplaces and search engines, there has been a growth in the use of and reliance on digital services for delivering on corporate demands like information storage, data processing and running software.
NCSC Technical Director Dr Ian Levy commented: “I welcome these proposed updates to the NIS regulations, which will help to enhance the UK’s overall cyber security resilience.
“These measures will ensure that cyber security risks are properly managed by organisations and those on whom they rely.”
Simon Hepburn, CEO, UK Cyber Security Council, concluded: “The UK Cyber Security Council is delighted that these proposals recognise our cyber workforce lead role that will help to define and recognise cyber job roles and map them to existing certifications and qualifications.
“We look forward to being involved in and contributing to this important government consultation and would encourage all key stakeholders to participate too.”