IT Brief UK - Technology news for CIOs & IT decision-makers

UK cyber security bill under scrutiny for key omissions

Yesterday

The UK government has unveiled the new Cyber Security and Resilience Bill, which seeks to bolster national infrastructure and mitigate systemic risks across numerous sectors in the economy. The legislation mandates that firms providing essential IT services to public services must enhance their data protection measures and network security protocols. It also requires these firms to conduct a broader range of risk assessments to identify potential threats. However, the bill has attracted criticism for its potential shortcomings.

William Richmond-Coggan, a Partner in Dispute Management at Freeths, has expressed scepticism about the effectiveness of the bill. He believes that new cyber security regulations may not yield "instant" improvements, particularly since the UK's regulatory position has lagged behind that of its European counterparts. Richmond-Coggan asserts that significant time and financial investment are necessary for organisations to align their infrastructure with current and future cyber threats. He stresses the importance of continuous investment in both time and budget to maintain a secure cyber posture. To him, cyber security involves everyone within an organisation, as it is only as robust as its weakest link. He cautions that regulatory efforts should not distract from fostering constant vigilance at every level to counter increasingly sophisticated cyber threats.

Adding to the discourse, Gerasim Hovhannisyan, CEO of EasyDMARC, has pointed out a major omission in the bill: the lack of focus on phishing, which he claims is the primary method of cyberattacks. According to Hovhannisyan, over 90% of cyber threats originate from phishing. He critiques the bill for not establishing enforceable technical standards that explicitly address phishing risks. Without such measures, he warns that critical services will remain vulnerable to breaches that could have been prevented. Highlighting the healthcare sector, Hovhannisyan notes that while a substantial number of healthcare providers have implemented the DMARC email authentication protocol, only a minority have adopted its strictest settings. This leaves many organisations exposed to phishing attacks that could have severe repercussions.
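The gap Hovhannisyan describes between deploying DMARC and running it at its strictest setting can be checked from a domain's published record. The following is an added example, not code from the article or from EasyDMARC: it parses a DMARC TXT record (published at `_dmarc.<domain>`) and reports whether the policy actually enforces; all records here are constructed samples.

```python
"""Assess how strict a published DMARC policy is.

Added example, not from the article or EasyDMARC. The records below are
constructed samples; a real record is the TXT record of _dmarc.<domain>.
"""

SAMPLE_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=reject; pct=25; sp=none",
    "quarantine.example": "v=DMARC1; p=quarantine; adkim=r; aspf=r",
    "broken.example": "v=spf1 -all",
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value;' pairs into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Return the effective policy and every reason it falls short of full enforcement."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "enforcing": False, "findings": ["not a DMARC record"]}
    policy = tags.get("p", "none").lower()
    sub = tags.get("sp", policy).lower()  # sp defaults to p when absent
    pct = int(tags.get("pct", "100"))     # pct defaults to 100 when absent
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked rather than rejected")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if policy != "none" and sub in ("none", "quarantine") and sub != policy:
        findings.append(f"sp={sub}: subdomains get a weaker policy than the organisational domain")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so failures go unseen")
    enforcing = policy == "reject" and sub == "reject" and pct == 100
    return {"policy": policy, "enforcing": enforcing, "findings": findings}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(domain, "ENFORCING" if result["enforcing"] else "WEAK", result["findings"])
```

Only `strict.example` counts as fully enforcing; the others show the common ways a domain can "have DMARC" without it stopping spoofed mail.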

Hovhannisyan also emphasises the importance of including Managed Service Providers (MSPs) within the bill's scope, advocating for the mandatory adoption of email authentication standards. Given MSPs' pivotal role in digital infrastructure, he argues that lax cyber hygiene among these providers poses risks of widespread contamination, should they be compromised.

Darron Antill, CEO of Device Authority, adds a different dimension to the discussion by highlighting the significance of securing non-human identities. Antill notes that with an evolving threat landscape, the focus cannot solely remain on human vulnerabilities. He explains that non-human identities, such as IoT devices and machine credentials, now represent a crucial part of critical infrastructure. Often deployed with default credentials and operating outside traditional security perimeters, these devices can become silent vulnerabilities, offering attackers unobstructed access to core systems.

According to Antill, addressing these risks involves implementing standards that ensure visibility and control over all connected devices. He advocates for security strategies that evolve alongside emerging threats and stresses the need for automated management and oversight to protect essential sectors like healthcare and energy.

The Cyber Security and Resilience Bill is positioned as a critical step towards reinforcing the UK's cyber defences. Yet, the feedback from industry experts suggests that additional measures, including stronger focus on phishing and the management of non-human identities, are vital to realising the bill's objectives and fortifying national resilience.
