Many of the UK's critical national infrastructure (CNI) providers (such as the NHS, police and other emergency services) have not completed government-recommended cyber security preparations.
Of the 163 providers that responded to a Freedom of Information (FoI) request by security firm Corero, 39 per cent said that they had not completed the government's 10 Steps to Cyber Security programme, which would leave them liable to fines under the proposed Network and Information Systems (NIS) legislation.
The NIS legislation, which will come into effect next March, is unrelated to the GDPR, but it carries equivalent sanctions: organisations that fail to comply will be liable for fines of up to £17 million or four per cent of annual global turnover.
Of particular concern was the finding that many infrastructure organisations are unprepared to respond to DDoS attacks. The government's consultation on NIS highlighted DDoS as a serious threat to CNI operators and recommended that operators take it into account when protecting their services from disruption.
The majority of DDoS incidents are not like the huge Dyn attack which affected websites like Twitter, Netflix and Reddit; 90 per cent of attacks stopped by Corero in Q1 this year lasted for less than 30 minutes, and only two per cent were larger than 10 Gbps.
Small DDoS attacks like these often go unnoticed by cyber security staff because their volume and duration stay below the levels that volumetric defences are tuned to alert on, says Corero. Yet attackers can use them to probe defences and map networks, and they can provide cover (a smokescreen) for more serious security incidents, such as the installation of malware or data theft.
Corero's FoI request revealed that more than half (51 per cent) of UK CNI organisations could be vulnerable to DDoS attacks, because they do not detect or mitigate short-term incidents. Although only five per cent said that they had experienced DDoS attacks in the past year, the actual number could be much higher: an organisation that does not detect short incidents cannot report them.
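To make that detection gap concrete, the following Python is an added example, not Corero's product or any code from the article. It runs two alert rules over a constructed per-second traffic series (all rates and thresholds are illustrative assumptions): a classic sustained-volume rule that only fires when traffic exceeds a Gbps threshold for several minutes, and a rolling-baseline rule that fires when traffic jumps to several times its recent median for a few seconds. A three-minute burst at roughly 3 Gbps, the kind of short, sub-saturating attack the survey describes, passes the first rule untouched and trips the second.

```python
"""Contrast two DDoS alert rules on a constructed per-second traffic series.

Added illustration, not Corero's code: a sustained-volume rule misses a
short, sub-saturating burst that a rolling-baseline rule catches.
"""
from statistics import median
from typing import Dict, List, Tuple

Series = List[Tuple[int, float]]  # (second, inbound bits per second)


def build_sample_series(seconds: int = 1800) -> Series:
    """Constructed traffic: ~400 Mbps with mild deterministic jitter, plus a
    3-minute burst of ~3 Gbps at t=600..779 (assumed values, not measured)."""
    series = []
    for t in range(seconds):
        rate = 400e6 + 20e6 * ((t * 7919) % 11 - 5)
        if 600 <= t < 780:
            rate = 3.0e9 + 50e6 * ((t * 7919) % 7 - 3)
        series.append((t, rate))
    return series


def sustained_threshold_alerts(series: Series, threshold_bps: float,
                               min_duration_s: int) -> List[Tuple[int, int]]:
    """Classic volumetric rule: alert only when the rate stays above
    threshold_bps for at least min_duration_s consecutive seconds."""
    alerts, run_start = [], None
    for t, rate in series:
        if rate > threshold_bps:
            run_start = t if run_start is None else run_start
        else:
            if run_start is not None and t - run_start >= min_duration_s:
                alerts.append((run_start, t - 1))
            run_start = None
    last_t = series[-1][0]
    if run_start is not None and last_t - run_start + 1 >= min_duration_s:
        alerts.append((run_start, last_t))
    return alerts


def baseline_spike_alerts(series: Series, window_s: int = 300,
                          factor: float = 4.0, min_run_s: int = 10) -> List[Tuple[int, int]]:
    """Rolling-baseline rule: alert when the rate exceeds factor x the median
    of the previous window_s seconds for min_run_s seconds. The baseline is
    frozen while a run is open so the attack cannot raise its own baseline."""
    alerts, history, run_start, frozen = [], [], None, None
    for t, rate in series:
        if len(history) < window_s:          # still warming up the baseline
            history.append(rate)
            continue
        baseline = frozen if frozen is not None else median(history)
        if rate > factor * baseline:
            if run_start is None:
                run_start, frozen = t, baseline
        else:
            if run_start is not None and t - run_start >= min_run_s:
                alerts.append((run_start, t - 1))
            run_start, frozen = None, None
            history.append(rate)             # only normal traffic feeds the baseline
            history.pop(0)
    last_t = series[-1][0]
    if run_start is not None and last_t - run_start + 1 >= min_run_s:
        alerts.append((run_start, last_t))
    return alerts


def summarise(series: Series, alerts: List[Tuple[int, int]]) -> List[Dict[str, object]]:
    """Duration and peak of each alert, flagged 'short' if under 30 minutes
    (the cut-off used in the statistics quoted in the article)."""
    rates = dict(series)
    out = []
    for start, end in alerts:
        peak = max(rates[t] for t in range(start, end + 1))
        out.append({"start": start, "duration_s": end - start + 1,
                    "peak_gbps": peak / 1e9, "short": end - start + 1 < 1800})
    return out


if __name__ == "__main__":
    s = build_sample_series()
    print("10 Gbps for 5 min:", sustained_threshold_alerts(s, 10e9, 300))
    print("1 Gbps for 5 min: ", sustained_threshold_alerts(s, 1e9, 300))
    print("4x baseline:      ", summarise(s, baseline_spike_alerts(s)))
```

The point of the comparison is that lowering the Gbps threshold alone does not help: a rule that still demands five minutes of sustained traffic never sees a three-minute burst, whereas a baseline-relative rule with a short confirmation window reports it with its duration and peak, which is exactly the record an organisation needs to answer an FoI question about how many short incidents it experienced.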
Forty-two per cent of European firms surveyed by Neustar in May said that DDoS attacks are accompanied by malware infections, an increase of 10 percentage points on the same survey last year. Neustar found that 27 per cent of attacks were accompanied by either ransomware or extortion attempts, almost double the previous year's 15 per cent. Worldwide, that figure stood at 23 per cent (a 53 per cent increase).
"By not detecting and investigating these short, surgical DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide open for malware or ransomware attacks, data theft or more serious cyber attack," said Corero director Sean Newman.
"To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it's essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions, as they arise," he said.
Newman added, "Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society.
"These findings suggest many such organisations are not as cyber resilient as they should be in the face of growing and sophisticated cyber threats."