UK Cyber Security Bill introduced to Parliament

“Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.” Liz Kendall, Science, Innovation and Technology Secretary

New legislation has been introduced to Parliament which aims to strengthen the UK’s defences against cyber-attacks. The Cyber Security and Resilience (Network and Information Systems) Bill will reform and expand the scope of the existing Network and Information Systems (NIS) Regulations 2018.

This Bill is specifically aimed at the organisations which will have the most impact on improving the nation’s cyber resilience. It follows repeated warnings about the significant cyber-threat facing all organisations, along with new research published by the Government which estimates cyber-attacks cost the UK economy nearly £15 billion a year.

The Government says the new legislation is designed to bolster UK protections across essential public services such as healthcare, transport and energy against the threat of cyber criminals and state-backed actors.

Expanded scope

A range of companies which provide services critical to the UK’s national infrastructure will be regulated for the first time. It’s recognised that while the 2018 NIS Regulations cover services like the NHS, the transport system and the energy network, cyber criminals have increasingly been exploiting vulnerabilities in critical parts of supply chains.

For example, medium and large companies providing data centres, IT management, IT helpdesk support, AI development, payment services, email services and so on will have new, clearly defined duties. These are likely to include, but not be limited to, enhancing baseline protections, reporting significant cyber incidents promptly and having robust plans in place to deal with the consequences.

Many hospitals, councils, retailers and others rely heavily on external companies to support and deliver their services. A case in point is the company providing software services to the NHS which was fined by the ICO earlier this year following a cyber-attack which disrupted critical services.

“Large load controllers” will also be brought into the scope of cyber regulations, for example organisations which manage electrical load for smart appliances.

New regulatory powers

The Bill is expected to give regulators new powers to designate critical suppliers to the UK’s essential services. Examples given in the Government’s announcement include companies “providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria”.

Twelve regulators, including the ICO, are responsible for implementing the NIS Regulations, and the Bill aims to build a more consistent and effective regime, with a stronger mechanism for Government to set priority outcomes for regulators and a more robust ‘toolkit’ for sharing information, recovering costs and enforcement.

Tougher penalties

The maximum financial penalty will be amended to enable potentially higher fines for serious violations of the law. Turnover-based penalties, similar to those under UK GDPR, could be introduced. The hope is that bigger penalties will push companies into complying rather than ignoring requirements.

This new Bill follows the Government’s Cyber Governance Code of Practice, which was published earlier this year and sets out the steps organisations must implement to manage digital risks and safeguard their day-to-day operations.

Implementation

The Government says it plans a ‘sequenced approach to implementation’, with some of the Bill’s reforms taking effect as soon as possible, while also giving affected businesses and regulators time to plan and prepare. Some aspects of the Bill’s proposals will require secondary legislation before taking effect.

For more detail see the Government’s Summary of the Bill.

10 tips to prevent email errors

It’s confession time. I recently copied the wrong person on an email. Same first name, different surname. Thankfully, it was easily resolved. But for someone in my line of work? Shameful. It’s like a chef putting ketchup on a pasta dish.

Nonetheless, I decided to try my best to learn from the experience, which got me thinking about two issues in particular:

a) Email errors are not just one of the major causes of personal data breaches, but also downright awkward even where there’s no personal data risk. They can lead to sharing commercially sensitive information, or opinions. They can breach client trust.

b) What are the best ways of reducing instances of human error?

I know I’m not alone. Other data protection folk have admitted making the occasional mistake too. A good friend of mine once accidentally sent an email to a client – not a data breach, but she did lose the client. I’ll also never forget receiving an email and finding myself reading a fellow colleague’s rather disparaging views about my team.

Of course, there are the frequent data breaches – often small, sometimes big – caused by matters like emailing the wrong recipient, or using the CC field for multiple recipients. Yet, for many, it’s ‘just one of those things.’ Oops! Then the embarrassment fades… until next time.

So is it really enough to keep reminding people to double check before sending? Won’t there always be times when we’re overworked, dashing to go on holiday, or distracted by personal issues? Is it good enough to rely on recall features? Probably not, when in practice they’re often completely ineffective. People will continue to make mistakes. To err is human. What else can we do?

10 email tips

Here are a few suggestions for reducing the risk.

1. Disable or restrict auto-fill
Yes, auto-fill is a handy way to quickly go through our address book and predict who we want to email. Nonetheless, it sometimes chooses the wrong person… and we don’t notice. This is what got me. I’ve disabled this feature, and shouldn’t have had it enabled in the first place. I am now very content to spend a couple of seconds finding the correct email address.

2. Avoid email altogether
Encourage (or insist) that staff who need to share attachments, personal data or any other sensitive information use links to protected SharePoint folders/files rather than email.

3. Attachments
Use software to prevent or restrict any email containing an attachment.

4. Detect personal data
If 3 is a step too far, look at using software which can automatically detect personal data in attachments or email content and prevent it being sent – or prompt people to check they really want to send.

5. External recipients
Implement user prompts for external email recipients – ‘are you sure you want to send this externally?’

6. Multiple recipients
Use controls to alert users if they’re emailing multiple recipients using the CC field, prompting them to use BCC. Alternatively, for teams who routinely send emails using BCC, use a bulk mail solution.

7. Delay on send
How often do you spot an error just after you’ve sent an email? Setting up a delay on send for your staff gives people a chance to correct their mistakes.

8. ‘Reply to All’
Set an alert if people are about to reply to all, prompting them to check whether this is appropriate.

9. Revoke access after sending
Some more advanced email security solutions give you the ability to recall or revoke access to an email and its attachments, even after it hits the recipient’s inbox.

10. Email review
Where teams are responsible for routinely sending sensitive information by email, and there’s no alternative, have a review process so someone else checks before sending.

It’s worth checking what controls are available on your email system or looking at additional software solutions. Some of the prompts mentioned above are available using Outlook’s MailTips.
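To show what the pre-send prompts in tips 3 to 6 amount to in practice, here is an added example (not code from the original article or from any mail product) of a small check that parses an outgoing message and returns the prompts the sender should see. The internal domain example.org, the prompt names and the simplified National Insurance number pattern are all assumptions for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.org"  # assumed internal domain (hypothetical)
# Simplified UK National Insurance number pattern, e.g. AB123456C (illustrative only).
NI_NUMBER = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")

def recipient_addresses(msg, header):
    """Lower-cased addresses found in a recipient header (empty list if absent)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]

def pre_send_checks(raw_message):
    """Return the prompts a sender should see before this message leaves the organisation."""
    msg = message_from_string(raw_message, policy=default)
    prompts = []
    to, cc = recipient_addresses(msg, "To"), recipient_addresses(msg, "Cc")
    # Tip 5: any recipient outside the organisation's own domain.
    if any(not addr.endswith("@" + INTERNAL_DOMAIN) for addr in to + cc):
        prompts.append("external-recipient")
    # Tip 6: several addresses in CC can all see each other; suggest BCC instead.
    if len(cc) > 1:
        prompts.append("cc-multiple-recipients")
    # Tip 3: the message carries an attachment.
    attachments = list(msg.iter_attachments())
    if attachments:
        prompts.append("attachment")
    # Tip 4: personal data (here, an NI number) in the body or any text attachment.
    body = msg.get_body(preferencelist=("plain",))
    texts = [body.get_content() if body is not None else ""]
    texts += [a.get_content() for a in attachments if a.get_content_type() == "text/plain"]
    if any(NI_NUMBER.search(text) for text in texts):
        prompts.append("personal-data")
    return prompts

def sample_message():
    """Constructed example: one external CC recipient and an NI number inside a text attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Cc"] = "carol@example.org, dave@example.com"
    msg["Subject"] = "Pension records"
    msg.set_content("Records attached as requested.")
    msg.add_attachment("Member: J Bloggs, NI AB123456C\n", subtype="plain", filename="records.txt")
    return msg.as_string()

if __name__ == "__main__":
    print(pre_send_checks(sample_message()))
```

Hooked into a mail client or gateway, each returned prompt would become one of the ‘are you sure?’ confirmations described above, while an empty list lets the message go without interruption.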
Of course, training, continually raising awareness and clear rules all play their part. Making sure your people know how you expect them to behave is crucial. It also needs to be clear what action people should take when they’ve made a mistake. Are staff permitted to try and rectify this themselves, or does it always need to be reported immediately? The steps you expect your staff to take need to be easily understood and reinforced in training and culture. This also means supervisors should lead by example.

I’m a fan of quick reference guides supporting more detailed policies and procedures. In this case, ‘golden rules for emails’ on one page, in plain English, with the rules and clear steps for what to do when things go wrong. Laminate it, turn it into posters – do whatever works to get the message home.

Ultimately, mistakes are inevitable. What isn’t inevitable, though, is the impact mistakes have once the ‘send’ button’s been hit. Every little step taken to mitigate email errors lessens the impact when one inevitably slips through the net. Most of us, after all, recognise the occasional mistake will occur. The problem is that if they happen too often, it can undermine confidence in your people, your organisation and your brand.

Key takeaways from Capita’s £14 million ICO fine

“Cyber criminals don’t wait, so businesses can’t afford to wait either – taking action today could prevent the worst from happening tomorrow.” John Edwards, UK Information Commissioner

The ICO has hit Capita (Capita plc and Capita Pensions Solutions Ltd) with a combined £14 million fine following a cyber-attack in 2023. Capita avoided a much bigger fine by admitting liability, promising not to appeal and taking mitigating actions. 6.6 million people were affected by the data breach, and 325 organisations who used Capita Pensions for their pension schemes were also impacted.

What can other organisations, big and small, learn from this case?

What went wrong?

In summary:
■ The attack began when an employee unintentionally downloaded a malicious file, giving the hackers access to company systems.
■ This triggered a security alert after just 10 minutes, but Capita took a further 58 hours to quarantine the compromised device.
■ Criminals were given enough time to deploy malicious software onto the Capita network and were able to move laterally across Capita’s systems, exfiltrating data including special category data, financial and criminal records.
■ Nine days after the attack, ransomware was deployed onto Capita systems. All user passwords were reset, preventing staff from accessing their systems and network.

Let’s not forget it’s always easy to see the mistakes in hindsight.

Key ICO findings

The ICO investigation found Capita failed to implement appropriate technical and organisational measures, as required under UK GDPR, to safeguard and protect the data they held. This included:
■ Failure to prevent privilege escalation and unauthorised lateral movement – effective privileged access management or Active Directory tiering had not been implemented.
■ Failure to remedy known vulnerabilities – the above vulnerabilities had been flagged up on at least three previous occasions, but had not been addressed.
■ Failure to respond appropriately to security alerts – the Security Operations Centre was found to be understaffed and, in the six months before the incident, was falling well below internal target response times for security alerts.
■ Inadequate penetration testing and risk assessment – systems processing millions of records were not always subject to routine penetration tests. Where penetration tests had taken place, the findings were siloed within business units and not addressed universally.

Key mitigating actions taken

Originally the ICO indicated a more substantial fine of £45 million. However, Capita was able to reduce this by taking mitigating actions including:
a) Significant investment to improve its information security architecture
b) Support for those affected by the breach, including a dedicated call centre and credit monitoring services
c) Active co-operation with the ICO and the National Cyber Security Centre (NCSC).

5 key takeaways

1) Implement privileged access management or Active Directory tiering
This case underscores the importance of implementing robust access controls and applying the ‘Principle of Least Privilege’ across all systems holding personal or otherwise confidential / sensitive data. Employees (and other workers) should only have the minimum access rights needed to perform their role. This will help to prevent hackers who gain access from being able to move laterally around your systems. In simple terms, Privileged Access Management (PAM) is a set of security strategies which control and monitor access across your IT environment. Its aim is to prevent unauthorised access to, or misuse of, high-level accounts, apps or services. Active Directory tiering, as the name suggests, creates administrative tiers based on the sensitivity of different assets.

2) Fix known vulnerabilities, and pronto!
This case highlights how known vulnerabilities must be prioritised. Don’t put them in the ‘too difficult’ tray. Make sure you have adequate budget and resources to remedy them.

3) Implement routine penetration tests
Penetration tests at Capita had flagged high-risk issues before the attack took place. If these had been addressed? Well, I might not be writing this article.

4) Create a robust information security incident plan
Despite having an internal target of ‘one hour’ to respond to high priority alerts, Capita took 58 hours to contain the incident. A robust incident plan isn’t a nice to have, it’s a must have. Response times and service levels must be met. This will go a long way to help making sure any response to a significant incident is as effective and efficient as possible. Where possible, practise your plan, review it and tinker with it. Be sure to make it clear which roles are responsible for what and when. Organisations are also being advised to have paper copies of their critical incident documentation in case electronic systems can’t be accessed.

5) Keep raising awareness
You simply can’t do too much to alert your people to the risks of increasingly sophisticated malicious attacks. Don’t just rely on annual training; keep pressing the message home via internal communications, town halls, posters – whatever works best.

This case serves as a massive reminder that there are proactive steps we can take to reduce security risks. We’ve seen how devastating attacks can be for organisations such as Capita, M&S, JLR and the Co-op. In some cases, a significant cyber-attack will completely bring a company to its knees. The ICO has published resources to help, including guidance on protecting systems from ransomware attacks. The National Cyber Security Centre (NCSC) has recently launched a new Cyber Action Toolkit specifically aimed at small businesses.