Home / Explore our latest insights / Why NIS and HSE compliance should go hand in hand.

Published: 8th January 2019 | In: Insights

Health and safety has always been of paramount concern in the workplace – especially in the industrial sector – but the way it is monitored, regulated and complied with is changing. The increasing ubiquity of the digital transformation means that more and more of our business transactions, correspondences and processes are taking place online and via automation, which is advantageous for a whole host of efficiency, budgetary and quality benefits.

The flipside of this increased connectivity is that networks and data systems are now more vulnerable than ever to external attack or internal error. In industries which affect a large segment of the general public, such as water companies, energy distributors, transportation providers and businesses involved in the food industry, a security breach or system failure can be catastrophic. Recognising these new and evolving threats, the government has introduced legislation over the past couple of years aimed at minimising their risk.

Knowing your NIS from your HSE

While the General Data Protection Regulation (GDPR) may have hogged most of the mainstream media limelight, it is focused solely on protecting sensitive information and preventing unauthorised access to a company’s assets. These are, of course, important considerations for any business looking to safeguard both its reputation and its functionality, but GDPR stops short of regulating against system failure or process disruption. In your average business, such an outcome would have serious consequences for the company itself, its customers and its partners, but for any enterprise involved in the industries outlined above, it could have far greater repercussions for the public at large.

With that in mind, the government has introduced two new pieces of legislation aimed at safeguarding those very industries. The Health and Safety Executive (HSE) implemented its guidelines for Industrial Automation and Control Systems (IACS) in March of 2017, while in May of this year, the UK brought in the EU’s NIS Directive, aimed at standardising its cyber security framework across the whole of the bloc. But how exactly do these bills differ, and what do businesses need to do in order to comply? Here’s a quick rundown:

  • HSE operational guidance on IACS – as the name suggests, HSE regulations are more about promoting health and safety than safeguarding critical infrastructure networks. As a result, the IACS guidance document provides a framework for those working with electricity and energy generation and distribution, as well as any business involved in handling explosive or hazardous chemicals and microbiological substances. Its aim is to ensure that automation and online activity in such industries do not lead to onsite disasters by reducing cyber security risks to as low as reasonably practicable (ALARP).
  • NIS Directive – while the NIS Directive also aims to promote safety, it is primarily concerned with ensuring that a data breach or compromised system does not result in the failure of critical infrastructure which could affect the general populace. It is being implemented across all 28 member states of the EU (including the UK, as it has been introduced before Brexit has taken place) and calls on individual governments to create their own bespoke legislation to meet their unique circumstances. In Britain, this has taken the form of 14 basic principles, categorised into four clear objectives, with which businesses must comply.

Although both pieces of legislation target different specific aspects of cyber security in sensitive industries, they share much common ground between them. However, in both instances, the government have provided more of a blueprint of principles to which businesses must adhere, rather than a paint-by-numbers approach to achieving compliance. This ambiguity in the wording of both documents allows for flexibility in the policies and protocols implemented by individual businesses, letting them interpret the guidelines in the manner that best befits their circumstances. On the other hand, this can complicate matters when it comes to the practicality of creating a robust cyber security infrastructure.

Leave it up to the professionals

The best course of action for companies looking to comply with both pieces of legislation is to tackle them hand in hand. Given that there is plenty of overlap between NIS and HSE, it makes sense to coordinate your efforts on the pair, drawing GDPR into the fold at the same time. With a comprehensive cyber security plan in place, you can effectively optimise your company’s defences and shore up its failsafes, protecting data, network functionality and safety standards in one fell swoop. The only problem is that many companies – even multinational, large-scale ones – have not had to deal with these kinds of hazards before, and as such, are at something of a loss about knowing where to begin.

In this scenario, the ideal solution is to draft in someone who knows this business inside and out. As dedicated cyber security specialists who were born in the Cloud, Quorum Cyber are perfectly placed to handle compliance with all three of these troublesome government mandates at the same time. Our Big Red Button – Net service has been specifically designed to help tighten up your online defences at a competitive price, helping your company meet its legal obligations with regards to HSE, NIS and GDPR all at once.

To learn more about how we can help you, or to take the first step in bolstering your cyber security today, get in contact with us now and we’ll be happy to help. What are you waiting for? The health and safety of your business depends upon it.