How is the UK’s cyber ecosystem adapting to cope with increasing threats? writes Ricardo Ferreira, EMEA Field CISO, at the cyber firm Fortinet.
We are seeing the cybersecurity threat landscape change in front of our eyes, from malware and ransomware to phishing attacks and artificial intelligence (AI). Increasingly, threat actors are using advanced tooling to target their victims and make attacks more sophisticated. Businesses are not immune to these threats: research highlights that 87 per cent of organisations experienced one or more cybersecurity breaches in 2023.
Since attacks have become so common, being attacked is now a matter of when, not if. From NIS2 to the UK’s Cybersecurity and Resilience Bill, countries are tightening their cybersecurity defences as a result. As other countries make strides to strengthen their cybersecurity protection, it’s worth considering how the UK compares to its European counterparts and the rest of the world. This will allow us to identify ways in which the UK can adapt its cybersecurity ecosystem to keep up with changing threat tactics, both now and in the future.
What are some of the regulations, globally?
Several countries have introduced regulations designed to protect against threats. For example, the European Union’s NIS2 Directive requires organisations in critical sectors – such as energy and transport – to implement stronger cybersecurity measures, including risk management and incident response. It also requires organisations to submit an early warning of a significant incident within 24 hours and a fuller incident notification within 72 hours, makes senior management accountable for compliance, and requires cybersecurity risks to be managed across the supply chain.
Further afield, the US’s National Cybersecurity Strategy sets out minimum cybersecurity requirements for organisations in critical sectors and shifts responsibility onto them by encouraging security by design and promoting data privacy in products and services. In Asia, Singapore has introduced an Operational Technology (OT) Cybersecurity Masterplan aiming to improve the security of the technology underpinning the country’s economy, including traffic light controllers, fuel station pumps and energy grid control systems. The masterplan also aims to boost cybersecurity talent through training programmes, threat intelligence sharing and the establishment of an OT Cybersecurity Centre of Excellence. So, what about the UK?
How does the UK compare?
The government has taken significant steps to strengthen the UK’s cybersecurity defences in recent years. This includes the upcoming Cybersecurity and Resilience Bill which will expand existing protections for critical infrastructure and digital services, alongside introducing mandatory incident reporting for organisations.
The UK has also introduced cybersecurity legislation targeting specific industries, particularly those facing a large number of attacks – such as healthcare, energy, education and telecommunications – because of the value and volume of the data and services they are responsible for. One example is the Telecommunications (Security) Act 2021, whose accompanying regulations and code of practice took effect in 2022 and require telecommunications providers to implement more stringent security measures and meet stricter incident reporting requirements.
Yet, while these regulations are a step in the right direction, it’s important we continually assess and understand gaps in the UK’s cybersecurity defences, and address them accordingly. So how can we build on the progress that’s already being made?
Minimising gaps in defence
One way the UK can strengthen its line of defence is by making legislation, including the Cybersecurity and Resilience Bill, more prescriptive about how it will combat current and future threats. As an example, the NIS2 Directive clearly sets out what needs to be done to address attacks and improve protection, including assessing the risk profile of the supply chain. It is also supported by the NIS Cooperation Group, which coordinates implementation among member states – a body the UK could potentially mirror for the Cybersecurity and Resilience Bill.
It’s important to note that many EU member states are yet to officially incorporate NIS2 into national legislation, with harmonisation proving difficult due to varying economic, logistical and geographical profiles between countries. However, this also provides an opportunity for the UK to ‘cherry pick’ the best parts of the regulation and incorporate them into both the Cybersecurity and Resilience Bill and future legislation.
It’s also vital the UK addresses the growing cybersecurity threat of AI. While the benefits of the technology in cybersecurity are known, we must also acknowledge AI can be used by threat actors looking to evolve their attack methods – whether that’s through sophisticated phishing attacks or gathering data – and ensure organisations are adequately protected.
The previous UK government favoured a ‘pro-innovation’ approach to AI over regulation, in contrast to the EU’s AI Act, which imposes requirements on the development and use of AI systems. While the Labour government has promised to introduce binding regulation for certain companies, we must also ensure organisations are adequately protected against threats. To do this, leaders must be encouraged to build a culture of cybersecurity through better employee education. Basic cybersecurity measures, such as multi-factor authentication, zero-trust network access and regular patching of software and applications, must also be put in place.
The UK has made significant progress in introducing regulations designed to protect businesses and the wider economy from the increasing cybersecurity threats we are seeing. Yet as other countries mandate legislation designed to protect their own economies, it’s important the UK continually reviews and adapts its cyber ecosystem to help identify gaps in defence. Putting these steps in place enables us to keep up with the changing cybersecurity landscape, while being able to stay ahead of the threat actors looking to infiltrate our systems.