Ivanti Blog: Posts by

5 Reasons Why NIS2 Directive Preparation Should Start Now, Part Two: Implementation Takes Time

Mon, 28 Aug 2023 17:43:02 Z

In a previous blog post, I discussed the two main areas to audit before the European Union’s updated Network and Information Security Directive (NIS2) becomes ratified law in October 2024. Specifically, these audits would:

Identify your gaps with the NIS2 directive’s requirements now.

Review your current supply chain security flaws.

Now that we’ve discovered these security flaws, we must fix them — before time runs out in October 2024.

So, in this post, I’ll walk you through how to resolve your weakest security issues before the NIS2 Directive deadline hits by addressing these three key areas:

Inform management about your cybersecurity gaps
Correctly implementing new organisation and technical security measures
Find time to train all of your employees

1. Inform management about your gaps – and get budget to remediate them

The NIS2 Directive imposes significant obligations on organisations that fall under its scope, which may entail substantial costs and resources. The Directive also introduces hefty fines and sanctions for non-compliance, up to a maximum of €10 million or 2% of an organisation's global annual revenue (Article 34).

On top of this, the new directive can extend liability from entities to their individual representatives in certain situations. Moreover, when certain conditions are met, persons in management positions could be temporarily suspended (Article 32-5b).

Therefore, following the NIS2 Directive is a legal necessity and a strategic priority.

To be in compliance, you must:

Inform your management about its implications and benefits and convince them to allocate sufficient budget and resources for implementing compliance.
Present a clear business case that outlines the risks of non-compliance, the opportunities of compliance and the return on investment.
Demonstrate how compliance will enhance your organisation's reputation, trustworthiness, competitiveness and resilience.

Informing management and getting a budget is a challenging task, requiring a persuasive and evidence-based argument that showcases the value of cybersecurity for your organisation.

The sooner you start this process, the more time you’ll have to secure buy-in and support from management.

Possible business case benefits for NIS2 compliance

Some possible benefits that you can highlight in your business case are:

Reducing operational costs by preventing or minimising cyberattack losses, such as downtime, data breaches, ransom payments, lawsuits and so on.
Increasing revenue by attracting or retaining customers who value security, privacy, quality, et cetera.
Improving efficiency by streamlining processes, enhancing performance, reducing errors, etc.
Innovating by adopting new technologies, developing new products or services, creating new markets and more.
Following other cybersecurity regulations or standards beyond NIS2 – such as GDPR, ISO 27001, PCI DSS and others – since global frameworks often have a high overlap with the compliance requirements of NIS2.

Potential information sources for justifying your NIS2 compliance business case

Some sources you can use to support your business case are:

Statistics or facts showing the prevalence, impact or cost of cyberattacks in your sector or region.
Case studies or examples illustrating how other organisations have benefited from complying with the NIS2 Directive or similar regulations. For example, the Enisa NIS Investments 2022 report shows that for 62% of the organisations implementing the older NIS directive, such implementations helped them detect security incidents; for 21%, implementations helped during security incident recovery.
Testimonials or feedback from customers, partners, regulators or experts who endorse or recommend complying with the NIS2 Directive or similar regulations.
Benchmarks or indicators revealing your current or projected cybersecurity performance or progress in relation to the NIS2 Directive or your competitors.
Ivanti’s 2023 Cyberstrategy Tool Kit for Internal Buy-In is also a great resource that explains time-to-functionality and cost, how a solution helps defend against certain types of cyberattacks, and how to react to and overcome common objections.

General business benefits of NIS2 Directive compliance

Some of the benefits of complying with the NIS2 Directive include:

Reducing operational costs by preventing or minimising cyberattack losses, such as downtime, data breaches, ransom payments, lawsuits, et cetera. According to a report by IBM, the average cost of a data breach in 2022 was US$4.82 million for critical infrastructure organisations and the average time to identify and contain a breach was 277 days. If you are taking measures to comply with the NIS2 Directive, the average time spent identifying and containing a breach will be much shorter, and costs of the attack will be lower.
Increasing revenue by attracting or retaining customers who value security, privacy, quality and similar factors. According to a survey by PwC, 87% of consumers say they will take their business elsewhere if they don't trust a company's data practices, and 71% of consumers say they would stop using a company's products or services if they found out it was sharing their data without their permission, which could happen with a data leak.
Improving efficiency by streamlining processes, enhancing performance, reducing errors and so on. Accenture has found that companies that adopt advanced security technologies can reduce the cost of cybercrime by up to 48%.
Complying with other regulations or standards that require cybersecurity, such as GDPR, ISO 27001, PCI DSS or others. Cisco points out that 97% of organisations that follow GDPR see benefits such as gaining competitive advantage, achieving operational efficiency and reducing sales delays. Similar results are probably achievable by following NIS2.

When it comes to budgeting, the proposal for a directive by the European Commission (Anex 7 - 1.4.3) mentions that for companies falling under the scope of the NIS2 framework, it’s estimated they would need an increase of a maximum 22% of their current ICT security spending for the first years following the introduction of the NIS2 framework.

However, the proposal also mentions that this average increase of ICT security spending would lead to a proportionate benefit from such investments, notably due to a considerable reduction in cost of cybersecurity incidents.

2. Correctly implement new organisational and technical security measures

After researching the gaps and obtaining a budget, it’s time to close those gaps. The NIS2 Directive requires companies to implement appropriate organisational and technical measures to manage their cybersecurity risks and ensure a high level of security across their networks and information systems.

These measures include:

Adopting policies and procedures for risk management, incident response, business continuity, data protection, et cetera.
Establishing roles and responsibilities for cybersecurity governance, oversight, coordination and other areas.
Providing training and awareness programs for staff, management, customers, etc.
Implementing basic cyber hygiene such as encryption, authentication (MFA), firewalls, antivirus software, patching, zero trust access and so on.
Conducting regular testing, monitoring, auditing and other measures.

Implementing those organisational and technical measures isn't a one-off or static task. It requires establishing a continuous and dynamic process that adapts to changing threats, technologies, regulations and business needs.

So, the same advice applies for this process as for the other points we’ve already covered: the sooner you start, the more time you'll have to implement the necessary measures and ensure their effectiveness and efficiency.

I would advise starting implementation at least in January 2024, so you’re ready before the summer holidays.

Next steps for NIS2 Directive implementations

Some possible steps that you can take to implement organisational and technical measures are:

Developing and implementing a risk-based management process that defines your objectives, scope, roles, responsibilities, resources, timelines and metrics for managing your cybersecurity risks.
Implementing a security policy that establishes your principles, guidelines, standards and procedures for ensuring the security of your network and information systems.
Conducting risk assessments to identify your assets, threats, vulnerabilities, impacts and likelihoods of cyberattacks; and prioritising your actions based on your risk appetite and tolerance.
Implementing security controls that protect your network and information systems from unauthorised access, use, disclosure, modification or destruction. These controls can be classified into three categories: preventive (e.g., encryption); detective, detective (e.g., monitoring), and corrective (e.g., backup).
Implementing an incident response plan that defines your processes, roles, responsibilities, resources, tools and communication channels for responding to cyberincidents effectively and efficiently.
Implementing a business continuity plan that defines your processes, roles, responsibilities, resources, tools and communication channels for maintaining or restoring your critical business processes during a cyber-related disruption or disaster.
Implementing a review and improvement plan that defines your processes, roles, responsibilities, resources, tools and communication channels for regularly evaluating, reporting and enhancing your cybersecurity measures.
Implementing the technical controls for asset management and basic cyber hygiene.

The Directive’s reference to ‘basic cyberhygiene’ is a bit vague in Article 21, so we’ll dive into this in another blog post. For now, think about basic security measures such as:

MFA.
Patching your OS and applications as quickly as possible.
Securing network connections on public networks.
Encryption of all drives (especially removable ones.)
Privilege management and education of all employees.
Subscribing to channels that give you information about the latest patches and priorities, like Ivanti’s Patch Tuesday webinars.

3. Fix the weakest link: find time to train every employee

The NIS2 Directive recognises that human factors are crucial for cybersecurity and that employees are often the weakest link — as well as the first line of defense – in preventing or detecting cyberattacks.

The Directive requires organisations to provide adequate training and awareness programs for their employees, users of digital services and other stakeholders on cybersecurity issues.

Training all your employees is not a sporadic or optional task. It requires a regular and comprehensive program that covers topics such as:

Basic cybersecurity concepts and terminology.
Common cyberthreats and attack vectors.
Best practices and tips for cyberhygiene.
Cybersecurity policies and procedures, made relevant and simplified for end users.
Every user’s role and responsibilities for organisational cybersecurity.
How to report and respond to incidents.

It is important to note that this training should be received by everyone within the company, not only by IT employees. Even management should undergo this training.

A survey conducted for Ivanti shows that a lot of employees are not even aware of mandatory cybersecurity training. Just 27% of them feel “very prepared” to recognise and report threats like malware and phishing at work. 6% of them feel “very prepared” to recognize and report threats like malware and phishing at work.

In Enisa’s NIS Investments 2022 report, Enisa mentions that 40% of the surveyed OES (Operators of Essential Services) have no security awareness program for non-IT staff.

It is important to monitor who has not been trained yet and act on it. Training all your employees is not only beneficial for compliance but also for productivity, quality, innovation and customer satisfaction.

The best NIS2 advice we can give

The NIS2 Directive is landmark legislation that aims to enhance the cybersecurity of critical sectors in the EU. It imposes significant obligations on organisations that fall under its scope, along with hefty fines and sanctions for non-compliance.

Following the NIS2 Directive is a complex task. It demands a proactive and comprehensive approach involving multiple steps, stakeholders and resources.

The sooner you start preparing for it, the better prepared you will be when it becomes effective in October 2024.

The best advice we can offer? Do not wait till then: start preparing for the NIS2 Directive now!

5 Reasons Why NIS2 Directive Preparation Should Start Now, Part One: Audits Take Time

Mon, 28 Aug 2023 17:14:55 Z

You probably heard about the European Union’s updated Network and Information Security Directive (NIS2). This directive will translate into active law in October 2024. You should be ready for it, as there are high fines and sanctions for non-compliance.

But you might be tempted to think that October 2024 is far away, right? Think twice.

After all, how can you know if you have plenty of time to prepare if you don’t know how well you currently comply with the projected regulations?

So, between now and October 2024, you must audit your current cybersecurity status. Specifically:

Identify gaps in meeting the NIS2 directive’s requirements, starting now
Review your current supply chain security flaws

In the second part of this series, I’ll review the three areas you’ll need to address to fix the gaps your audits uncover — including how to:

Inform management about your cybersecurity gaps.
Implement new organizational and technical security measures correctly.
Find time to train all of your employees.

1. Identify gaps in meeting the NIS2 Directive's requirements, starting now

The NIS2 Directive is the EU-wide legislation on cybersecurity that provides legal measures to boost the overall level of cybersecurity in the EU. It modernises the existing legal framework to keep up with increased digitization and an evolving cybersecurity threat landscape.

The directive expands the scope of the cybersecurity rules to new sectors and entities, improving the resilience and incident response capacities of public and private entities, competent authorities and the entire EU.

The NIS2 directive outlines increased measures for resilience against cyberattacks to minimize vulnerabilities and improve cyberdefense.

To comply with the NIS2 Directive, you must:

Assess your cybersecurity posture and identify any gaps or weaknesses that may expose you to cyber risks.
Map your existing policies, procedures and controls to the directive's requirements and see where to improve or update them.
Evaluate your incident response capabilities and reporting mechanisms and ensure they align with the directive's standards.

A big problem with the NIS2 is that it tells you what you should do, but not how you should do it. Luckily, multiple frameworks can help you with the how, including:

In Belgium, the CCB has created a Cyberfundamentals Framework based on multiple frameworks with references to how the different parts of the frameworks relate to the GDPR and NIS2.

After selecting the framework, you must identify gaps in relation to the chosen framework and the directive's requirements. Identifying gaps is not a simple or quick task; it requires a thorough and systematic analysis of your organization's cybersecurity maturity and readiness.

You not only need to check your cybersecurity strategy and policies, but you also need to do a risk analysis to find the most critical assets and the cybersecurity risks they present, then consider security controls to bring down the risk score of those vital assets.

The sooner you start this process, the more time you’ll have to obtain the budget needed to address any issues and implement any necessary changes.

Possible NIS2 environment gaps

Some possible gaps that you may encounter in your environment are:

Lack of a comprehensive cybersecurity strategy or policy that covers all aspects of risk management, incident response, business continuity, data protection, etc.
Lack of a dedicated cybersecurity team or function that oversees, coordinates and monitors all cybersecurity activities and initiatives across the organization.
Lack of adequate security controls or measures for protecting your network and information systems from unauthorized access, use, disclosure, modification or destruction.
Lack of regular testing or auditing of your security controls or measures to ensure their effectiveness and compliance with the directive's requirements.
Lack of proper training or awareness programs for your staff, management, other employees or other stakeholders on cybersecurity issues and best practices.
Lack of clear communication or reporting channels for notifying relevant authorities or parties of any incidents or breaches that affect your services.

Potential security solutions for your environment to comply with NIS2

To identify and fix these security gaps, you can:

Run gap analysis frameworks or models that help you compare your current state with your desired state and identify areas for improvement.
Implement cybersecurity maturity models or standards that help you measure your level of cybersecurity performance and progress.
Conduct a risk assessment to identify your assets, threats, vulnerabilities, impacts and likelihoods of cyberattacks.
Request external audits or assessments that help you validate your compliance status and identify any weaknesses or deficiencies.

2. Review current supply chain security flaws with enough time to coordinate action with suppliers

The NIS2 Directive also introduces new provisions on supply chain security (chapter 0, point 54, 56), recognizing that cyber threats can originate from third-party providers or subcontractors.

The directive requires organizations to ensure that their suppliers follow appropriate security standards and practices (article 21-2d) and regularly monitor their performance and compliance (article 21–3).

This isn't without reason. Supply chain attacks are on the rise:

In BlackBerry research with over 1500 IT decision-makers in 2022, four-fifths of respondents said they had been notified of an attack or vulnerability in their supply chain within the year. Seventy-seven percent said they uncovered hidden participants in their software supply chain that they weren't previously aware of.

Accenture research also reveals 40% of security breaches are indirect, occurring through the supply chain.

Therefore, securing your supply chain is essential for ensuring business continuity, resilience, reputation and trust.

But in Ivanti’s Press Reset: A 2023 Cybersecurity Status Report, we found that only 42% of the over 1,300 executive leaders and security professionals surveyed said they're prepared to safeguard against supply chain threats, even though 46% call it a high-level threat.

Supply chain threats not only come via attacks on solution providers like Okta, Kaseya or SolarWinds, but also through partners either directly connected to your IT infrastructure or who can log into it.

And don’t forget about attacks on your resource suppliers that may cripple them so they're unable to deliver certain resources you need for your own operations. You have to be prepared and have backup vendors available who can supply those resources if your primary supplier is out of action due to a cyberattack or other cause.

Supply chain security is a complex and challenging issue involving multiple actors, dependencies and interconnections — and cannot be achieved overnight.

You need to:

Establish clear and transparent communication channels with your suppliers and define your expectations and obligations regarding cybersecurity.
Conduct regular audits and assessments of your suppliers' security practices and verify that they meet the directive's requirements.
Establish contingency plans and backup solutions in case of a disruption or compromise of your supply chain.

Furthermore, you must start engaging with your suppliers as soon as possible and work together with them to ensure your supply chain is secure and resilient.

Supply chain security challenges for NIS2

Some possible challenges that you may face in securing your supply chain are:

Lack of visibility or transparency into your suppliers' security practices, policies, or incidents.
Lack of trust or cooperation among your suppliers or between you and your suppliers.
Lack of consistency or alignment in security standards, requirements, or expectations across your supply chain.
Lack of resources or capabilities to monitor, audit or verify your suppliers' security performance or compliance.
Lack of contingency plans or backup solutions to mitigate or recover from any disruptions or compromises of your supply chain.
Lack of information as to what you expect from your supplier’s security practices.

Supply chain security solutions for NIS2

To overcome these supply chain security challenges, you can:

Establish clear contracts or agreements with your suppliers that specify their security obligations, responsibilities and liabilities.
Develop common security criteria, guidelines or frameworks that apply to all suppliers in your supply chain and align with the directive's requirements.
Implement security controls, measures or tools that enable you to track, monitor or verify your suppliers' security activities, incidents or compliance status.
Create joint security teams, committees or forums that facilitate information sharing, collaboration and coordination among your suppliers or between you and your suppliers.
Build trust and mutual understanding with your suppliers through regular communication, feedback and recognition.

When your NIS2 Directive audits are complete, now what?

Now that you’ve determined where you currently stand in relation to the NIS2 Directive, it’s time to implement critical changes to ensure compliance by October 2024. I’m certain that addressing the gaps that your audits identified will require all the time you have — and then some! – before the regulations are officially implemented in your country.

But how can you systematically address these gaps in a timely fashion? We discuss the three areas of security changes you’ll need for NIS2 in our next blog post, as we examine how to:

Inform management about your cybersecurity gaps.
Correctly implement new organization and technical security measures.
Find time to train all of your employees.