Industry-leading cyber experts from Atkins, a member of the SNC-Lavalin Group, have issued a warning that companies run the risk of being fined up to £17 million if they are unable to show they have adopted sufficient cyber security measures to protect their information systems.
The prospect of heavy fines follows the introduction of new legislation enacted on 10 May 2018. The legislation, known as the NIS Directive, applies to critical national infrastructure, including transportation services, healthcare service providers, communications systems, airports, and water and energy companies.
The companies that run the infrastructure, known as Operators of Essential Services, are required to secure their information systems, in addition to any technology they use to perform essential services.
In a new white paper on cyber security, Atkins suggests organisations should take immediate action by focussing on five key areas:
- Compliance: Achieving compliant status should be a priority as the maximum penalty in the UK is £17 million.
- Responsibility: Rules and responsibilities have been clearly defined in the legislation. Overall, it is the operators that must ensure their own security measures are appropriate and proportionate.
- Understanding: A cyber assessment framework has been developed to assist organisations in performing their own assessments. However, due to its simplicity, it is imperative that operators understand how to demonstrate improvements have been made.
- Training: As the industry is experiencing a skills shortage, technical training and senior leadership awareness programmes will be vital to complying with the Directive.
- Supply Chain: Suppliers are not directly obligated to comply with regulations but should they be asked to comply contractually?
Richard Piggin, Principal Operational Technology Cyber Security Consultant at SNC-Lavalin’s Atkins business commented:
“Cyber security is of paramount importance across a range of industries that are the lifeblood of the UK. Our extensive experience of rolling out cyber security and resilience services across multiple industries such as transport, infrastructure and defence has made a significant difference in the ability of our clients to defend not only their own systems, but those of their customers and the public at large, from more frequent and more sophisticated cyber attacks.”
Given the cyber skills shortage in the UK, Atkins also suggests that organisations may need to rely on external resources and expertise to ensure their networking infrastructure, systems, processes, policies and staff awareness comply with the requirements of the NIS Regulations and the relevant guidance.
They may also be required to ensure that their supply chain has sufficient cyber resilience in place to demonstrate sufficient preventative action has been taken.