The UK government is getting tough on cyber security, with new legislation and updates to existing regulations. This is to protect critical services and digital infrastructure from the growing threat of cyber attacks.
Product Security and Telecommunications Infrastructure (PSTI) Act
One of the key pieces of legislation is the Product Security and Telecommunications Infrastructure (PSTI) Act. It places the following requirements on manufacturers of internet-connected devices:
- Unique Default Passwords: Devices must ship with unique default passwords or prompt users to set their own during setup. This is to stop the use of easily guessable default passwords, which are often published online and exploited by attackers.
- Reporting and Accountability: Manufacturers must provide clear guidance on how to report security vulnerabilities and must fix reported issues promptly. This is to create a transparent and responsive security ecosystem.
- Fines for Non-Compliance: Companies that don’t comply with the PSTI Act will face fines of up to £10 million or 4% of their global turnover, whichever is higher. This is a big penalty to make manufacturers put security first.
Network and Information Systems (NIS) Regulations
In addition to the PSTI Act, the UK government is updating the Network and Information Systems (NIS) Regulations, which were introduced in 2018. These changes cover:
- Managed Service Providers (MSPs): MSPs, which often have access to multiple clients’ IT networks, are now included in the NIS regulations. This is important because MSPs are a high-value target for cybercriminals: a single compromised provider can give access to many client environments.
- Improved Incident Reporting: Essential and digital service providers must improve their cyber incident reporting. This includes notifying the regulators of incidents that disrupt services or pose a significant risk, even if they don’t cause immediate disruption.
- Future Proofing: The updated regulations allow the government to amend the NIS regulations as new sectors become critical to the UK economy. This means the legislation will remain effective in protecting critical services.
AI Security
With the increasing importance of artificial intelligence (AI) in many sectors, the UK government has also published new guidance to improve the cyber security of AI systems. Key recommendations are:
- Technical Measures: Security controls across AI software, hardware, data and network access. This includes changes to AI model training and data pre-processing techniques to reduce vulnerabilities.
- Organizational Practices: Robust security hygiene practices including governance frameworks, stakeholder engagement and documentation of AI project requirements.
- Red Teaming and Risk Analysis: Regular red teaming and risk analysis to identify and mitigate potential security threats.
Wider Strategic Efforts
These changes are part of the UK’s National Cyber Strategy backed by a £2.6 billion investment. The strategy aims to:
- Protect Critical Services: Protect healthcare, water, energy, and transport from cyber threats.
- Secure the Digital Economy: Strengthen the resilience of the UK’s digital economy which contributes to the country’s GDP and employment.
- Support Cyber Security Sector Growth: Encourage investment and growth in the cyber security sector through programs like the Cyber Exchange, UK Cyber Cluster Collaboration (UKC3), and Cyber Runway.
Summary
The UK is strengthening its cyber security framework through new legislation and updated regulations. By addressing vulnerabilities in internet-connected devices, improving incident reporting and focusing on AI security, the UK is creating a safer digital space for its citizens and businesses. This is crucial for the resilience and security of the nation’s critical infrastructure and digital economy in the face of ever-changing cyber threats.
How we can help:
CRES Technology complies with all major certification requirements of PCI, GDPR & HIPAA, and we can also help you become compliant.
Various regulatory bodies such as the US Government and EU as well as industries like the Payment Card Industry require businesses and agencies to protect individuals’ personal and financial data. This is where CRES comes in.
At CRES Technology we protect our customers and ourselves by remaining compliant with HIPAA, PCI, and GDPR, and we have the expertise, experience, and resources to help you achieve compliance too.
About Waqar Hussain
CRES Technology – Director of IT Services
A technology leader with outstanding knowledge, technical expertise, and a proven track record of leading complex infrastructure projects and managing help desk teams.