In the first blog of this series, we introduced the changes that are coming with the new Network and Information Security directive, or NIS 2 (Directive (EU) 2022/2555). Member states of the European Union must transpose the directive into national law by 17 October 2024, giving organizations less than two years to get ready and compliant.
In Article 21 of the directive text adopted last December, the EU lays out the foundations of what it sees as the new gold standard for cybersecurity: a blueprint of measures to manage cybersecurity risk. These measures are meant to enhance existing security practices and unify the approach to safeguarding users, systems and networks. In this blog, we will look at how the measures in the directive should guide Information Security teams on how to move forward.
NIS 2 establishes that the entities it covers need to take appropriate and proportionate technical, operational and organizational measures to protect their systems. Article 21(2) lists the areas those measures must cover, including policies on:
- Risk analysis and information system security
- Incident handling
- Business continuity (including backup management and disaster recovery) and crisis management
- Supply chain security
- Security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure
- Procedures to assess the effectiveness of the risk-management measures (testing and auditing)
- Basic cyber hygiene practices and cybersecurity training
- Cryptography and, where appropriate, encryption
- Human resources security, access control and asset management
- Multi-factor or continuous authentication and secured communications
Such policies must improve the overall security posture of a company when preventing, managing, controlling and remediating threats.
Prevention is better than cure
When it comes to cybersecurity, prevention is two-pronged: equal importance must be given to the technology and to the users who rely on it. The work environment has changed greatly, and the threat landscape has grown just as quickly. Attackers are targeting users more and more aggressively as the easiest route to valuable organizational data, and a lack of information and education around cybersecurity leaves technology users exposed. NIS 2 therefore names cybersecurity training and basic cyber hygiene explicitly among its required measures. Practices such as multi-factor authentication, applying updates and patches regularly, enforcing acceptable use policies, content filtering and restricting user permissions to what each role actually needs fall under this category.
On the other side of the prevention equation, there must be technology in place to continuously monitor for threats and stop them before they can spread. Companies must employ a security solution capable of protecting against known ransomware, trojans and unwanted programs, and of producing real-time alerts on attacks or suspicious activity. When procuring a security solution, it is also essential to know what it offers in threat intelligence and how the telemetry gathered from endpoints can be used to identify unknown threats as well as to mitigate risk from known ones. A key question to consider is: can it keep on top of new threats, and how does it remediate them, today and in the future?
Keep calm and carry on
Responding to incidents is a critical function of a successful security program. Acting in a timely manner is key to shutting the issue down and getting endpoints back behind the shield. NIS 2 addresses this and requires organizations to have robust incident-handling plans. IT teams must have continuous visibility into what is happening on each device. A comprehensive remediation plan may include steps to isolate devices and users from the network, lock and quarantine equipment, remove unwanted files, recover data and restore the device to a known-good state, all while upholding compliance. This is in keeping with the directive's stated aim of "increasing the level of harmonisation of security and reporting requirements to facilitate regulatory compliance for entities."
All these steps and contingencies aim to ensure business continuity, as required by NIS 2. Due to the nature of the organizations covered by the directive, disruptions to their work may have societal and economic impacts for large groups of people. To minimize damage, security solutions with multiple layers of protection can mitigate risk across the entire fleet of devices, provided the layers are designed to work together rather than interfere with one another.
At the onset of a significant incident, companies need to act fast in reporting to the competent authorities or the national CSIRT. NIS 2 tightens the reporting requirements considerably: an early warning is due within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month. An incident counts as significant when it has caused or is capable of causing severe operational disruption or financial loss, or when it has affected or is capable of affecting other persons by causing considerable material or non-material damage. Whereas previously many incidents affecting a small number of users went unreported, this definition brings a far wider range of events within the reporting obligation.
Casting the safety net wide
A defense-in-depth strategy, capable of addressing both external cyber threats and risks from user behavior, is best placed to provide thorough coverage of security needs. To achieve this level of protection in the past, companies had to combine products from multiple vendors; today more holistic solutions are available, which matters because NIS 2 increases the responsibility of companies for each part of their supply chain. Organizations will be required to take into account the vulnerabilities specific to each direct supplier and service provider, and the overall quality of their products and cybersecurity practices, as part of their own security strategy. This requirement effectively expands the reach of NIS 2 and should help strengthen the bloc's defenses, as it will undoubtedly have a ripple effect far beyond Europe.
Increased liability and further responsibilities for companies also feature in other parts of the text approved by the EU. In the next and last blog of the series, we will look at what NIS 2 means for the C-suite and management executives and how it will affect high-level decision-making in the cybersecurity space for many years to come.