The autumn cyberattack on Transport for London (TfL) showed once again just how impactful and disruptive threats can be to essential services. The latest figures show that the attack, which exposed personal data on thousands of people, has cost TfL more than £30 million to date after it was forced to suspend multiple services.

It’s just one in a string of attacks targeting critical infrastructure, from hospitals to government departments. In June, the ransomware attack on the NHS resulted in the postponement of 10,000 outpatient appointments and nearly 2,000 elective procedures across King’s College Hospital and Guy’s and St Thomas’ Hospital.
The UK’s NCSC head stated that there has been an increase in cyberattacks, and that critical infrastructure industries are in the crosshairs of these cyber criminals because the assets they protect include human beings, financial systems and services that businesses and consumers rely on. Because these assets are worth protecting, ransomware gangs attack them, and when the disruption is severe enough, it increases the likelihood that companies will pay.
As part of the King’s speech in July, it was announced that the government would be introducing a new Cyber Security and Resilience Bill designed to address the growing threats to essential services, with the new bill set to “expand the remit of the existing regulation, putting regulators on a stronger footing, and increasing reporting requirements to build a better picture in government of cyber threats.”
It’s a step in the right direction, but regulation alone isn’t the answer.
Organisations, particularly those in the public sector, are already battling under-resourced security teams and mounting budget pressures. Without clear guidance on how to align with new rules, these measures risk becoming a real burden of complexity, rather than a clear path to improved resilience.
We’ve seen that the government can provide effective guidance. It has done well in raising cybersecurity awareness among individuals, with campaigns teaching us not to click suspicious links or share sensitive information. For organisations, however, it’s a different story. When it comes to guiding businesses, especially those managing critical infrastructure, the advice is sparse, fragmented and insufficient to address the scale of the threats.
Perhaps the assumption is that organisations are more aware of the threats and therefore have enough resources available to counter them during a breach attempt. However, the demands on businesses are significantly greater, and becoming ever more complex, than they were one, two or five years ago.
The gap in guidance is particularly concerning within the context of the latest budget announcement. Cybersecurity was not mentioned once in the 77-minute address to MPs, and only received a handful of limited references within the wider document.
This makes me question whether cybersecurity budgeting is a priority today.
Without more funding, enterprises will be challenged with modernising ageing IT systems, optimising spending and stretching existing resources further than ever before – a task that’s already proving difficult, with threat actors regularly timing their attacks to exploit periods of reduced staffing.
Research shows that 72 percent of ransomware incidents happen on weekends or holidays, when security teams can be reduced by as much as 50 percent. The attackers that hit TfL did so on a Sunday. Similarly, payroll provider Zellis was victimised over a weekend, impacting thousands of employees at British Airways, Boots and the BBC.
Many organisations face the daunting task of maintaining around-the-clock defences with limited resources.
The government and private sector organisations can help by providing actionable, centralised advice on cybersecurity fundamentals like asset identification, risk management, and vulnerability assessments. This guidance will help organisations improve their operational resiliency and limit risk.
Organisations would also benefit from receiving cybersecurity related advice from a centralised government body. Today, cybersecurity responsibilities are dispersed across many government departments, from the NCSC to the DCMS, Cabinet Office, ICO and NCA. Consolidating policy and guidance under a single authority would enhance clarity, reduce confusion over conflicting or fragmented advice and improve government accountability.
Cybersecurity attacks against critical national infrastructure operators will not wax or wane in the months ahead; they will remain steady and constant, increasing the need to modernise outdated IT systems with smart security investments that will ensure our safety and disrupt the efforts of criminal threat groups.