Firms face up to £17m fines if they fail to protect against hackers

British businesses could be fined up to £17m or an amount equal to 4% of their total turnover for failing to ensure they are sufficiently protected against cyber attacks, the government has warned.

The new measures are aimed at ensuring firms in sectors such as health, transport, energy and water are equipped to prevent hacking attempts.

Earlier this year, a worldwide cyber attack hit NHS hospitals and GP practices across England and Scotland.

The UK's health service was thrust into chaos after a strain of ransomware dubbed "WannaCry" spread through its systems, locking down computers and demanding cryptocurrency. This was part of a global breakout that eventually spread to more than 150 countries.

The ransomware was super-powered by a number of computer exploits developed by the US National Security Agency (NSA), leaked online in April by a mysterious hacking group known as The Shadow Brokers. Later, analysts claimed the malware's code indicated links to North Korea.

The outbreak spread quickly by targeting unpatched Windows systems.

According to a government survey, 46% of British firms reported at least one cyber security attack or breach over the last 12 months. The percentage, however, rises to approximately 66% between medium and large size businesses, the report added.

Under the new regulations, firms will also be required to ensure they have contingency plans in place to deal with power failures and environmental disasters, the Department for Digital, Culture, Media and Sport said on Tuesday (8 August).

However, the DCMS added the fines would not be applied to firms which suffered an attack even after putting safeguards in place, while Digital Minister Matt Hancock added the fines would only be used as a last resort.

"We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack," he said.

Hancock added DCMS will launch a consultation on the new plans, which will be aimed at determining how to implement the Network and Information Systems directive which will become mandatory across the European Union in May next year.