So what *is* the answer?
I am no expert on cyber-security at scale but I can see a few principles, which seem to be completely different from the approach of the Government...
1. Fix the bloody personal data problem!!! The biggest risk to people is the problem of personal data theft. There is one, and only one, real answer to that: prevent companies from requiring (or acquiring) any more personal data than the minimum required for their service to operate! At the customer's option, they can ask the company to store more data to provide a more personalised service but that can be withdrawn at any time and must be unrelated to the price charged. I might allow my TV provider to keep information like how far I am through a particular series, or what sorts of films I like to watch, but that should be unrelated to how much they charge me and I must be able to delete some or all of my data at any time I wish.
This single item would dramatically reduce the amount of personal information stored and the attractiveness of many of the cyber attacks.
2. Critical national infrastructure (power, water, communications, transport, etc.) funding must be strictly controlled and the companies operating it must have strict responsibilities (especially for security, safety and reliability), which can be enforced against some entity which cares (not limited liability shareholders).
3. Private companies providing services to government (particularly in areas of national importance) must have some sort of strict liability to their customers so the company invests in the necessary cyber-security.
Sure, these are easy to say and hard to do - but this needs to be the debate, not fines which will never get paid.