How to Prepare for NIS2

Malicious actors have always targeted IT and operational technology (OT) networks. However, these systems have become more interconnected, and the attacks are increasingly sophisticated and frequent. This is driving a rise in cyber legislation around the world, with regulations such as the Security of Critical Infrastructure Act (SOCI) in Australia, the Digital Operational Resilience Act (DORA) for EU financial institutions and the UK Telecoms Security Act (TSA) pushing to secure vital systems better.

The NIS2 Directive is the latest of these legal codes; while it is an EU directive, companies need to comply with the standards it lays out by the deadline of October 17, 2024, to do business with EU member countries. Supply chain and third-party risk management also broaden the scope of the organizations impacted and the minimum penalties that can be imposed.

Preparing for the October 2024 deadline requires organizations to determine where they are now to pinpoint which areas need improving and implement the necessary strategies to achieve this. 

Assessing an organizational cyber defense posture is a big task, covering a variety of functions. NIS2 gives guidance on 10 core areas; we’ve outlined the considerations to make within each of these:

1. Risk analysis and information system security policies. Organizations must have robust policies around all aspects of information security and be able to demonstrate this to regulators. Policies link to the procedures below and must be tested and regularly refreshed. While they cover a wide variety of issues, at their heart is understanding the risk posed to organizational data and the ability to protect it.
2. Incident handling. Enterprises must be realistic about whether they can respond effectively to a breach. Handling an incident includes the capability to recover quickly and having the processes to inform the regulators as required.
3. Business continuity and crisis management. Reviewing whether business continuity plans are in place should the worst occur is closely related to assessing incident handling. For example, if an attacker encrypts a critical database used by the organization’s ERP system, can it be backed up quickly and recovery undertaken without impacting production, the logistics supply chain, or the upstream and downstream services?
4. Supply chain security. Every element of the supply chain needs to be assessed for the security threat it presents, so due diligence must be undertaken on any enterprise (regardless of its size) that provides the organization with critical hardware, software or services. Third-party checks require understanding the relationships between each supplier, and the organization needs policies to ensure these third parties are meeting its security requirements.
5. Network and information systems acquisition. Due diligence is also required of the suppliers of any new information system or network application procured by the organization to provide assurance that every element meets acceptable security standards. This also applies to infrastructure acquired via mergers and acquisitions activity, and regular testing is required.
6. Cybersecurity risk management effectiveness policies. Policies that define the technical security requirements for each organization need to be in place. But with a high proportion of attacks stemming from social engineering (business email compromise, distributing malware via phishing, etc.), equally important are policies laying out how cybersecurity awareness is raised and communicated to end users.
7. Cyber hygiene and cybersecurity training. Following on from the above, the human element is a major risk factor for any organization; managing it requires an enterprise-wide commitment to regular cybersecurity training and testing for all employees (tailored for their role and knowledge level) to foster the culture that cybersecurity is everyone’s responsibility. Good cyber hygiene also calls for a DevSecOps approach for the technology element; secure development principles should be applied to each application built, whether in-house or by a third party, to ensure it continues to be secure throughout its lifecycle.
8. Cryptography and encryption policies. Organizations need standard procedures to ensure encryption is adopted to store, transmit and process all sensitive data and information. What should be encrypted, and how will this be determined by the nature of the organization, its business, and the data it holds.
9. Human resources security. HR plays a bigger role in securing an organization than many people realize. Enterprises need clarity on each of their users and the activities they must perform to undertake their roles. This requires effective asset management and identity and access management policies to be in place, along with a joiner, mover leaver process, to limit the risk of the misuse of assets, whether deliberate or unintended. 
10. Multi-factor authentication (MFA). MFA is focused on validating every step of an interaction when anyone enters an organization’s systems and accesses its data – a username and password are no longer enough. This zero trust approach needs to be applied across the entire environment. It requires verifying the identity of the person and the security of the devices being used for access and the networking environment they are coming from, with conditional access policies put in place as relevant.

Once someone is authenticated, intelligently limiting their access to data is also a core element.

An Organizational Approach

It is understandable that a cybersecurity defense assessment potentially presents itself as an onerous and daunting task. However, it’s important to highlight that compliance should be regarded as a maturity curve; the key is gap analysis – understanding what is in place now and what the end point needs to be – which determines an organization’s path to a more secure environment.

It’s also worth noting that legislation shouldn’t be treated as compliance’ tickbox exercise’; rather, it’s about understanding where the risks sit in the organization, remembering that this evolves over time, and aiming to exceed the minimum standard required by regulation.

Finally, cybersecurity and preventing hacks are often considered a ‘techie’ problem. But the reality is that much of it is connected to culture and human behavior, making a far broader approach that involves the whole organization essential.