Over a third of emergency services across the UK have failed to complete basic cyber security checks issued by the UK Government.
Freedom of Information data by Corero reveals a lack of cyber resilience from crucial infrastructure organisations such as NHS and fire and rescue services.
The UK Government set up a ‘10 step to cyber-security programme’ to ensure that UK organisations are protected from cyber-attacks as best they can.
With 39% of UK emergency services failing to complete the basic checks, the UK Government considers giving fines of up to £17m to those failing to protect themselves under the new government proposal to introduce the EU’s Network and Information Systems (NIS) directive from May next year.
In total, 338 critical infrastructure organisations across the UK were sent Freedom of Information requests by Corero in March 2017. Included in the recipients were fire and rescue services, police forces, ambulance and NHS Trusts and transport organisations.
Just 163 organisations responded and 63 admitted not completing the government’s 10 steps programme. Additionally, from NHS Trusts along 42% didn’t carry out the steps.
Sean Newman, Director of Product Management at Corero, comments: ‘Cyber-attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society. These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.’
The government’s consultation on NIS highlights Modern Distributed Denial of Service as an aspect UK emergency services should consider when protecting their services from cyber-attacks. Modern Distributed Denial of Service (DDoS) attacks represent a serious security and availability challenge for operators of essential services.
Research found 90% of Modern DDoS attacks could be being ignored by UK emergency services as a result of their short duration, normally less than 30 minutes. However, these types of attacks are most likely to be carried out by hackers to target and infiltrate a network quickly.
Just over half of the UK’s critical infrastructure organisations could potentially be vulnerable to these attacks by not being able to detect them, according to the FOI data.
Sean Newman, continues: ‘In the face of a DDoS attack, time is of the essence. Delays of minutes, tens-of-minutes, or more, before a DDoS attack is mitigated is not sufficient to ensure service availability, and could significantly impact the essential services provided by critical infrastructure organisations.
“It’s essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions, as they arise.”
As a result of the FOI results, the fears of cyber-security safety and increasing number of attacks have left the emergency services less inclined to move to the cloud. Only one in four UK emergency services uses the public cloud, of those respondents 27% have been a victim to ransom ware attacks in the past.