Those of you who have time to read the press will have seen that the UK is under attack from Russian cyber activists.
In reality, the National Cyber Security Centre (NCSC) has been warning about this risk for some weeks, and their April 5th advisory raised concerns that adversaries are looking to compromise UK engineering and industrial control companies electronically (www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisation...).
As I write, the internet infrastructure is fending off a potentially debilitating assault from Russian cyber forces. The current details of the attack can be seen at www.us-cert.gov/ncas/alerts/TA18-106A. Whilst this story has a high profile, UK industry needs to get used to headlines being grabbed by cyber concerns, as whatever we have had to date will not compare to the next few months, as the reality of new legal obligations to report attacks and data loss takes hold.
We will see an increase in the publicity around cyber events as GDPR and NIS go on to the statute books across Europe. Whilst GDPR concerns itself with the protection of personal data, NIS concerns the technology management and integrity of services supporting our national infrastructure, i.e. utility companies, telecoms, transport, aviation, the NHS and digital infrastructure are all implicated, as will be those in their supply chain.
From May 2018, information security breaches involving personal data, or technology service failures impacting those that provide the national infrastructure, will have to be notified to the authorities. No doubt many (if not most) breaches will be reported publicly as well, with all the attention that comes with that. For many, GDPR will have caught the attention of risk managers and stakeholders; however, the same is not true for many of those likely to be impacted by NIS.
For company directors and risk managers who are part of a supply chain, new dimensions impacting the way risk is managed will surface (particularly if you work with those obligated under NIS). In a world where you take technology services from third parties, or where others link to your business through technology, obligations will evolve to ensure you understand the risks between you and your customers (or suppliers), and how you leverage controls or influence over your partners so that they operate in a way that allows technology risk to be managed.
Cyber risk management is going to be a big issue going forward as the opportunities available from the use of technology are taken, but just now industry has a lot to learn, and skills to gain, to ensure this risk is managed effectively. So don't be surprised if, come June 2018, you see an increase in the number of data breaches and technology service failures hitting the headlines, or if those of you connected in supply chains face closer scrutiny from those that may be dependent on how well you manage your technology, as your tech failures in this world could impact your customers' reputation. Reality is kicking in!