Cyber-protection is undeniably evolving with the introduction of the new NIS directive. But unless cyber protection happens on an ongoing basis, the essential services the directive was laid down to secure will not be protected in the medium or long term. In short, as criminals try and try again to breach the systems so must business work and work again to protect against the attacks – and that won’t happen if implementing the directive is treated as a tick box exercise.
The NIS directive – the first piece of European regulation on cyber-security of its kind for critical infrastructure – aims to raise the overall level of security and resilience of essential network and information systems. Whilst many companies will have had some plans in place previously, the directive marks the first time that cyber-security has been enforced by regulation. This is all the more important in an era where the magnitude, frequency and sophistication of cyber-attacks are rising.
Cyber-attacks or cyber-physical attacks can be damaging on multiple levels. From the risk of damage to individuals’ welfare through to the financial losses at both company and economic level, a breach of systems – either cyber or cyber-physical – could be catastrophic.
For cyber-criminals, new technologies have made attacks more rather than less appealing. This is because interconnectivity between old and new technology is now better than ever. As companies integrate modern solutions such as IoT devices into their older networks, the opportunity for malicious attackers has grown with them. The older, more susceptible systems provide an easier point of entry to entire networks, and once that entry is gained it can lead to large-scale damage and disruption across the new systems as well as the old. In short, cyber-security has to become an internal priority, without delay.
Not only can a cyber-breach disrupt operations and even halt business, affecting company revenue and service users alike, but in some cases it could result in serious societal disruption or physical damage, creating safety concerns. Theft of intellectual property is also a threat for businesses.
There are four main areas covered by the directive: managing security risk (through governance, asset and risk management, and supply chain), protecting against cyber-attacks (through service protection, identity and access control, data and system security, resilience procedures and staff awareness), detecting cyber-security events (using monitoring and event discovery) and minimising the impact of cyber incidents (using response and recovery planning and monitoring lessons learned after an incident). In meeting the new obligations, one of the first tasks for an organisation will be auditing the risks it faces and understanding internal ownership of them. External solutions and frameworks can help here, with experts producing reports for implementation at all business levels.
The rationale behind the NIS directive is to prompt critical infrastructure organisations to improve their cyber-attack resilience and response planning. But if we strip this down to the rationale only, and fail to actually improve resilience and response, then we are left with vulnerable networks of devices which control the most essential services to society – for example water, electricity, oil and gas, transportation. An attack on these systems, and thus on society, would become increasingly effective without continuous improvement in safety and security, which is why it's crucial that cyber-security not just lands on the agenda but stays there. Creating a permanent internal team who can self-assess, improve compliance and maintain a risk register is a good starting point. The team can then draw on expert external help and software, which will make these tasks easier, as needed.
In addition, with multiple types of cyber-risk requiring attention, cyber-security will need to be an integral part of every layer of an organisation, not just at board level or for a specific project. Policies for protection, monitoring and correct response need to be put in place and understood by every employee. Response plans need to be agreed, including who would be involved in the event of an incident, both internally and externally. Essentially, all parties need to be trained regularly, tested regularly (in the form of training exercises) and ready to respond at any given moment. By making it part of everyone's agenda, on a consistent basis, the NIS directive will become the catalyst for a new level of cyber-security and permanent change.
Daniel Lewis is CEO and Cofounder of Awen Collective.