Many of the UK's critical national infrastructure (CNI) providers (such as the NHS, police and other emergency services) have not completed government-recommended cyber security preparations.
Of the 163 providers that responded to a Freedom of Information request by security firm Corero, 39 per cent said that they had not completed the government's 10 Steps to Cyber Security programme, which could leave them liable to fines under the proposed Network and Information Systems (NIS) legislation.
The NIS, which will come into effect next March, is unrelated to the GDPR, but it carries equivalent sanctions: organisations that fail to comply will be liable for fines of up to £17 million, or four per cent of annual global turnover.
Of particular concern is the finding that many infrastructure organisations are unprepared to respond to DDoS attacks. The government's consultation on NIS highlighted DDoS as a serious threat to CNI operators and recommended that such threats be considered when operators protect their services from disruption.
The majority of DDoS incidents are nothing like the huge Dyn attack that took down access to websites such as Twitter, Netflix and Reddit: 90 per cent of the attacks stopped by Corero in Q1 this year lasted less than 30 minutes, and only two per cent exceeded 10 Gbps.
Small attacks like these often go unnoticed by security staff because they stay below the volumetric thresholds that trigger an alert, says Corero. Yet they can be used to probe and map a target's network and defences, and they can serve as a smokescreen for more serious incidents, such as the installation of malware or the theft of data, while responders are busy with the traffic.
Corero's FoI request revealed that more than half (51 per cent) of UK CNI organisations could be vulnerable to DDoS attacks because they do not detect or mitigate short-lived incidents. Although only five per cent said that they had experienced a DDoS attack in the past year, the real number is likely to be higher, since an organisation that cannot detect a short attack cannot report it either.
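The failure mode described above, a short burst that never crosses a fixed volumetric alarm threshold, is easy to see with a small detector comparison. The following Python script is an added example, not code from Corero or from the original article. It runs two detectors over constructed flow records (the IP addresses, the 10-second aggregation window, the 10 Gbps fixed threshold, the 5x-baseline factor and the traffic volumes are all assumptions chosen for illustration): a classic fixed-threshold alarm, which misses a 90-second, 2 Gbps burst entirely, and a baseline-relative detector that compares each window with the median of the destination's recent quiet windows and reports the burst with its start time, duration and peak rate.

```python
"""Detecting short, sub-saturating DDoS bursts from flow records.

Added example (not from the article). Compares two detectors over a
constructed traffic timeline:
  * a fixed volumetric threshold, which misses a short 2 Gbps burst; and
  * a baseline-relative detector that flags any window whose rate jumps
    well above the recent median for that destination.
"""
from collections import defaultdict
from statistics import median

WINDOW_S = 10  # aggregation window in seconds (assumption)


def build_sample_flows():
    """Constructed flow records: (t_seconds, dst_ip, bytes).

    Baseline traffic to 203.0.113.10 is ~100 Mbps; a 2 Gbps burst lasts 90 s
    (t=300..390). A second host, 203.0.113.20, sees a steady 500 Mbps and no
    attack. Addresses are documentation-range placeholders (assumption).
    """
    flows = []
    for t in range(0, 900, WINDOW_S):
        flows.append((t, "203.0.113.10", 125_000_000))   # 100 Mbps per 10 s
        flows.append((t, "203.0.113.20", 625_000_000))   # 500 Mbps per 10 s
    for t in range(300, 390, WINDOW_S):
        flows.append((t, "203.0.113.10", 2_500_000_000))  # +2 Gbps burst
    return flows


def rate_series(flows, window_s=WINDOW_S):
    """Aggregate flows into {dst: [(window_start, bits_per_second), ...]}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for t, dst, nbytes in flows:
        buckets[dst][(t // window_s) * window_s] += nbytes
    return {
        dst: [(w, b * 8 / window_s) for w, b in sorted(per_win.items())]
        for dst, per_win in buckets.items()
    }


def fixed_threshold_alerts(series, threshold_bps=10e9):
    """Classic volumetric alarm: fires only when a window exceeds a fixed rate."""
    return [(dst, w) for dst, points in series.items()
            for w, bps in points if bps > threshold_bps]


def baseline_alerts(series, history=6, factor=5.0, floor_bps=50e6):
    """Flag windows whose rate exceeds `factor` x the median of the previous
    `history` quiet windows for that destination (and an absolute floor),
    merging consecutive flagged windows into incidents of the form
    (dst, start_s, duration_s, peak_bps)."""
    incidents = []
    for dst, points in series.items():
        quiet_rates = []   # only non-anomalous windows feed the baseline
        current = None
        for w, bps in points:
            baseline = (median(quiet_rates[-history:])
                        if len(quiet_rates) >= history else None)
            anomalous = (baseline is not None
                         and bps > max(factor * baseline, floor_bps))
            if anomalous:
                if current is None:
                    current = [dst, w, 0, 0.0]
                current[2] += WINDOW_S
                current[3] = max(current[3], bps)
            else:
                if current is not None:
                    incidents.append(tuple(current))
                    current = None
                quiet_rates.append(bps)
        if current is not None:
            incidents.append(tuple(current))
    return incidents


if __name__ == "__main__":
    series = rate_series(build_sample_flows())
    print("fixed 10 Gbps threshold alerts:", fixed_threshold_alerts(series))
    for dst, start, dur, peak in baseline_alerts(series):
        print(f"{dst}: burst from t={start}s lasting {dur}s, "
              f"peak {peak / 1e9:.1f} Gbps")
```

The fixed-threshold detector returns nothing for this timeline, which is exactly the blind spot the article describes; the baseline detector reports one incident against 203.0.113.10 starting at t=300 s, lasting 90 s, with a 2.1 Gbps peak. Keeping anomalous windows out of the baseline matters: if burst windows were allowed to feed it, a sustained attack would quickly raise the median and silence its own alert.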
Forty-two per cent of European firms, surveyed by Neustar in May said that DDoS attacks are accompanied by malware infections; an increase of 10 percentage points compared to the same survey last year. Neustar found that 27 per cent of attacks were accompanied by either ransomware or extortion attempts: almost double the previous year's 15 per cent. Worldwide, that figure stood at 23 per cent (a 53 per cent increase).
"By not detecting and investigating these short, surgical DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide open for malware or ransomware attacks, data theft or more serious cyber attack," said Corero director Sean Newman.
"To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it's essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions, as they arise," he said.
Newman added, "Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society.
"These findings suggest many such organisations are not as cyber resilient as they should be in the face of growing and sophisticated cyber threats."