Cybersecurity concerns have been plaguing organizations across the world for years now. Some of the most devastating hacks in recent history have cost companies millions of dollars, not to mention the headaches for customers whose information and identities were stolen thanks to a company’s subpar cybersecurity standards.
In response to the growing danger of cyberattacks, the EU has created the General Data Protection Regulation (GDPR), which goes into effect in May of 2018. According to the EU’s Commission:
The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.
The UK is taking this a step further, issuing regulations that will fine critical organizations that fail to meet certain cybersecurity standards. Organizations in industries like energy, transport, water and health will be subject to fines of up to $24 million if they fail to demonstrate that their cybersecurity systems can withstand cyberattacks. According to TechCrunch:
Major requirements for organizations will include having the right people and organization in place to handle a cyber attack; having the right software in place to protect against attacks; having the right capabilities in place to detect if an attack has taken place anyway; and having the right systems in place to minimize the impact of an attack if a system is breached (despite the other three being in place).
The fines are only a last resort; organizations will first be notified of the requirements they need to meet to improve their systems.
The news is welcome to any customers who have been affected by cyberattacks in the past. While the threat of cyberattacks could potentially cost companies millions of dollars, many companies remain reactive rather than proactive about cybersecurity fail-safes and best practices. There’s a reason so many companies were affected by WannaCry and NotPetya last year: many organizations are unequipped to battle such threats.
In this way, the UK government is forcing the most critical organizations to be proactive instead of reactive. Attacks on infrastructure like water and energy are far more dangerous than even the theft of personal information. If you lose your identity, the process of recovering it is long and painstaking – but not as long or painstaking as dehydration or hypothermia when critical infrastructure is locked down and citizens are unable to turn on the faucet or the heat.
It will be interesting to see how other EU countries respond to the UK’s added measures on companies, and whether the practice makes its way further east or west to Asian and American countries as well. In any case, it’s about time someone held companies responsible for cybersecurity before the worst-case scenario occurs.