The governments of the UK and the USA have provided clear warnings to business this week that security standards in the war against cyber-crime need to be improved as a matter of urgency.
The UK’s Department for Culture, Media and Sport said that new laws are needed to drive up security standards in outsourced IT services used by almost all UK businesses.
It added that more firms providing essential digital services should follow strict cyber security duties with large fines for non-compliance
The department also outlined other legislative proposals including improved incident reporting and driving up standards in the cyber security profession
Other proposals published this week include making improvements in the way organisations report cyber security incidents and reforming legislation so that it is more flexible and can react to the speed of technological change.
The UK Cyber Security Council, which regulates the cyber security profession, also needs powers to raise the bar and create a set of agreed qualifications and certifications so those working in cyber security can prove they are properly equipped to protect businesses online.
The plans follow recent high-profile cyber incidents such as the cyber-attack on SolarWinds and on Microsoft Exchange Servers which showed vulnerabilities in the third-party products and services used by businesses can be exploited by cybercriminals and hostile states, affecting hundreds of thousands of organisations at the same time.
They also follow an increase in ransomware threats to organisations, including some in critical national infrastructure such as the Colonial Pipeline attack in the US.
“Cyber-attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched,” said Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez.
“Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”
The UK warning comes in the same week that the US Cybersecurity and Infrastructure Security Agency (CISA) urged US organisations to strengthen their cybersecurity defences against data-wiping attacks recently seen targeting Ukrainian government agencies and businesses.
CISA is now urging business leaders and US organisations to take a number of steps to prevent similar destructive attacks on their networks, including validating that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication; and ensuring that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behaviour.
“This CISA Insights is intended to ensure that senior leaders at every organization in the United States are aware of critical cyber risks and take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise,” warned the new CISA Insights bulletin.
“All organizations, regardless of sector or size, should immediately implement the steps outlined below.”