The UK Government’s Department of Digital, Culture, Media and Sport (DCMS) has announced that firms could face fines of up to £17m or 4% of global turnover if they fail to protect themselves from cyberattacks.
The introduction of such financial penalties will be carried out by the data protection regulator, Information Commissioner’s Office (ICO), following the introduction of a new Data Protection Bill.
The new UK Data Protection bill encompasses and goes beyond the requirement of the European Union’s General Data Protection Regulations (GDPR), replacing the current Data Protection Act 1998 from 25 May 2018.
The BBC reports that Digital Minister Matt Hancock said any fines would be a last resort.
The article goes on to quote Mr. Hancock as saying, “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack.”
While the concept of levying a hefty fine on companies that do not take the correct precautions sounds like a plan to focus their attentions, the result could be that companies fail to disclose the reason for service outages.
ESET recently published research on Industroyer, malware apparently designed to attack industrial control systems used by energy providers. This kind of research educates and informs the world about the potential threat not only represented by this strain of malware but also has the benefit of highlighting the methods and techniques used by cybercriminals or terrorists.
“CREATING MALWARE OF THIS COMPLEXITY SHOWS A LEVEL OF SOPHISTICATION AND DEEP UNDERSTANDING OF INDUSTRIAL CONTROL SYSTEMS.”
Creating malware of this complexity shows a level of sophistication and deep understanding of industrial control systems. There is a great deal of speculation on the resources available to the creators, but what is certain is that they are well resourced and extremely specialized.
Imposing fines on companies for failing to be protected could prompt companies to spend more on security; this, of course, would be positive. But it is possible that companies will then try to hide any incident to avoid a fine. The consequences of which mean the security industry fails to learn the techniques used, resulting in an inability to create the protection needed against future attacks. .
Who will judge whether companies have failed to protect themselves? Members of the UK Parliament came under attack recently, with up to 90 of their user accounts affected. Would this mean the UK Government would fine itself for failing to protect itself?
There is no 100% guarantee that something is secure. When retrospectively investigating on a cyberattack, there is a strong probability that more could have been done to prevent the attack. The knowledge of how an attack happened is great in hindsight; trying to protect proactively against every possible scenario or against methods unknown is much tougher.