Security May 14, 2024

Implement: Closing the gap on NIS2 compliance

By Dónal Munnelly, CyberSecurity Proposition Manager, BT Ireland

Second blog in a three-part series (Assess – Implement – Manage) on achieving NIS2 compliance

Are your cyber security measures NIS2 ready?

To close the gap between where you are and where you need to be for NIS2 compliance, organisations in scope of the regulations (see last blog) must address a range of technical, operational, and organisational challenges. 

What’s needed first is to understand exactly what’s involved in achieving compliance: how regulatory requirements in the latest European Union directive pertain to your organisation. Second, you will need to ensure your business has the skills and resources to be ready for NIS2 in the most cost-efficient way.

Addressing the first point will vary in complexity, depending on your organisation’s infrastructure. If there is a lot of legacy equipment or inadequate plans for business continuity, compliance becomes a bigger technical challenge, and will demand more of the resources mentioned in the second point. Not a one-off project, compliance has to be maintained to avoid the risk of financial penalties, which requires investment in robust monitoring and reporting processes. 

Essentially, the directive is a response to increasingly sophisticated cyberthreats. Most companies will have adapted by now to existing data protection and privacy regulations, like GDPR and the original NIS directive, but NIS2 goes further, putting pressure on more organisations to be able to demonstrate strengthened security and operational resilience.

Assess your risk

The good news is that if you haven’t got the resources to do it for yourself, or you need the fresh perspective of a third party, BT will workshop the specific areas around cybersecurity that the new EU directive is focussed on. You will need to have a level of cyber resilience that is sufficient for your business, including a timely incident response and recovery plan, with measures consistent with standards being implemented across member states.

The idea of these consultancy workshops is not to propose security tools or vendors, but to assess the risk of legacy systems, hardware and software. We will explore your incident reporting and crisis management processes.

Essentially, you are waging war against new and mutating malware, advanced persistent threats, and cloud security vulnerabilities. What the EU wants to ensure is that businesses are armed with the best possible weapons to fight their individual battles, and then have the reporting capabilities to share their experiences with the national CSIRT (Computer Security Incident Response Team). 

We almost always recommend an integrated approach to cyberthreat management, because securing separate systems and networks is ineffective in an era of hybrid working and cloud services. For increasingly complex ICT environments to be compliant with more demanding regulations, proactive security measures are also necessary. You must be able to identify, block and, in the worst-case scenario, remediate a breach to make sure it’s contained and never happens again.

Know your vulnerabilities

As part of the engagement, we will carry out a cybersecurity risk assessment, using attack vector analysis to identify existing security gaps and where security controls need to be better aligned. We will evaluate your most valuable assets from a cybercriminal’s perspective, and work through various scenarios to arrive at an appropriate risk classification. If your assets are vulnerable to SQL injection, for example, the risk level would be classified as high. 

Every organisation that has tried to improve its security posture will know that cyber defences can be a money pit, a never-ending spiral of expenditure in the face of increasingly sophisticated threats. This is why BT advises on implementing solutions that are proportionate to your risk exposure, the gaps and vulnerabilities that could cost you penalties when NIS2 comes into Irish law on October 18.

We look at your business from the perspective of a cybercriminal, identifying the assets and potential vulnerabilities that will attract their unwanted attention. If you’re part of a supply chain, a DDoS attack knocking out your network might be their goal. Or they could look to hack an SD-WAN site to gain access to customer data. In the first case it’s about hardening network security, while the second might call for a re-evaluation of your data encryption techniques. Both of these areas are mentioned in NIS2.

BT will help you discover whether you need to double down on network attack surfaces to avoid downtime or protect against ransomware that might lead to a costly data breach. Crucially, we will help you achieve NIS2 compliance without wasting time and effort bolstering parts of the organisation that are less vulnerable than others.

How do we do this? By bringing all our experience to bear on a fast-changing regulatory environment. It’s about knowing where the directives and relevant threats intersect around your business, so you can invest in the right defences. Our consultants have vast experience in tackling threats that have emerged in the last five years, globally and locally. Security controls are embedded in our global networks, and we have our own threat intelligence channels to keep track of emerging trends. All of this provides a strong foundation for advising on NIS2 compliance.