Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/906142
Operations & Assets 16 | 24TH - 30TH NOVEMBER 2017 | UTILITY WEEK

Market view

Five steps to cyber compliance

With two new compliance regimes coming into force in May, utilities need to create a stronger culture of cyber security in their organisations. Jon Fielding suggests five key steps that can help.

Two major new compliance regimes sweeping in from Brussels next May are set to cement cyber security as a priority for UK utilities providers. Yet when it comes to the EU General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS), merely ticking the right boxes will not be enough to keep regulators happy. To stay as resilient as possible to ever-evolving cyber threats, utilities bosses need to embed cyber security into everything they do, by creating the right organisational culture.

Threats on the rise

When it comes to the utilities sector, cyber risk doesn't just mean customer data and IP theft but also attacks aimed at disrupting key systems and services. The global WannaCry and NotPetya ransomware attacks of May and June teach us all we need to know about the speed and severity with which such attacks can race around the globe, causing widespread outages and financial losses. North Korean spies have recently been observed probing US electricity companies, but the truth is that both state-sponsored and financially motivated criminal hackers have the tools and the will to launch such attacks.

One vendor alone blocked 32 billion cyber threats in the first half of 2017, while the government recently claimed that almost half (46 per cent) of all British firms had suffered at least one attack or breach in the past year or so. It is figures such as these that have forced European legislators to take action.

The GDPR covers customers' privacy rights and mandates strict rules on the protection of sensitive data; specifically, that it must be encrypted and secured with "state-of-the-art" technology. Most importantly, it will enforce 72-hour breach notifications and levy fines of up to 4 per cent of global annual turnover or €20 million (£17.8 million), whichever is higher, for non-compliance.

The NIS Directive applies only to providers of "essential services" such as utility companies. Although the details are still being worked out, the directive will aim to enforce minimum standards of cyber security in four key areas. It will levy the same maximum fines for erring organisations.

A five-point plan

Unfortunately, evidence suggests many firms are still not ready for the May 2018 deadline, when both pieces of legislation take effect. An Apricorn study earlier this year found that 24 per cent of IT decision makers are not even aware of the GDPR. To achieve lasting change, organisations need to create a culture of good cyber security. To get there, the following five key steps are suggested:

• A comprehensive security review – this will enable you to better understand your current security posture and identify areas that need updating to fall in line with the two new key EU laws. For the GDPR, it is crucial to conduct a data audit to better understand what customer data you hold, where it flows inside the organisation and what security controls you apply to it. From there you can more easily identify and fill compliance gaps.

• End-user education – education and awareness programmes may need to be updated, because no matter how strong your policies and technology, it only takes one misplaced click to let the bad guys in. Phishing attacks are designed to download malware or harvest user log-ins for covert info-stealing attacks and ransomware campaigns. It is perhaps the biggest threat directly facing users and must be addressed alongside information on how to manage mobile and storage devices securely. Programmes need to apply to all staff, temporary and permanent, and must be regularly updated and tested. Think bite-sized chunks of information and real-world tests to really put users in the hot seat.

• Watertight policies – spend plenty of time developing comprehensive security policies. It is especially important to regulate the use of mobile devices and unsanctioned cloud services, which can expose the organisation to unnecessary risk. Once you've educated employees as to the risks of using such tools, ensure policies allow only IT-approved devices to be used to connect to the corporate network. Other policies that apply here could cover things such as the length and complexity of passwords, and auto-lock/self-destruct for lost or stolen devices. Nearly half (48 per cent) of organisations polled by Apricorn earlier this year claimed employees are their biggest security risk, and one in ten firms with more than 3,000 staff said they don't have policies to cover remote working and bringing your own device. This must change.

• Simple security technology – next, enforce those policies by applying advanced security technologies that work. The focus here should not just be on the effectiveness of tools but also their ease of use. If employees find them too difficult or time-consuming to use, they may well resort to non-sanctioned tools that circumvent IT departmental control. If data is regularly being transferred outside the organisation, or between systems, you'll need mobile storage devices featuring strong encryption. Ensure policies prohibit non-sanctioned devices from working. Look for devices that allow IT to automatically pre-configure and offer mass provision in compliance with policy.

• Regular testing – once you've put everything in place, make sure systems are regularly tested – by outside experts if necessary – and suitably adjusted. Cyber threats are constantly evolving, so cyber security approaches must also be fluid enough to provide maximum protection, now and in the future.

Creating a culture of cyber security takes time, but the prospect of huge fines will certainly help to elevate the issue in utility providers' boardrooms. By focusing on people, processes and effective, user-friendly security technology, organisations stand a great chance of avoiding damaging breaches and staying compliant.

Jon Fielding, managing director, Apricorn EMEA