As seen on IT Pro Portal...
The clock is ticking down to the General Data Protection Regulation (GDPR), and most businesses are scrambling to ensure that they are prepared for its implementation on the 25th May. Organisations are being peppered with advice from all directions on how to prepare for the upcoming regulation and avoid the fine of €20 million, or 4 per cent of their annual turnover. Each team within an organisation needs to ensure that they are taking the right steps to prepare. For example, many Security and IT teams are working overtime to ensure that defences are heightened to protect against a potential data breach; CFOs are drawing up financial plans to ensure the business would be able to survive the maximum fine; and legal teams are hard at work guaranteeing compliance with the demanding requirements.
However, compared to the GDPR there seems to be little to no noise or attention around its quiet cousin: the Networks and Information Systems (NIS) Directive. This is surprising, as the NIS Directive comes into play two weeks before the GDPR, on the 9th May, and organisations found to be non-compliant will face a similar fine of between €10 million and €20 million, or 2-4 per cent of their annual global turnover. So, this is certainly not something that businesses should ignore. For some organisations, the GDPR and NIS Directive will necessarily be implemented in tandem, adding complexity to planning and deployment. In other words, those affected by the NIS Directive may also be required to comply with the GDPR, facing the potential for two sets of monumental fines if they are found to be non-compliant with both regulations.
Unlike the GDPR, the NIS Directive does not apply to everyone that handles EU residents’ data, but instead targets organisations that are classed as “essential services”. These services are defined by the Centre for the Protection of National Infrastructure (CPNI) as “…(facilities, systems, sites, property, information, people, networks and processes), the loss or compromise of which would result in major detrimental impact on the availability, delivery or integrity of essential services, leading to severe economic or social consequences or to loss of life.” This includes a wide range of industries such as Emergency Services, Energy, Finance, Food, Government, Healthcare Providers, Satellite Communications, Transport and Water, as well as Digital Infrastructure, which also covers Online Marketplaces, Online Search Engines and Cloud Computing Services.
While the GDPR focuses on data privacy, the NIS Directive aims to raise the overall levels of cybersecurity readiness for these essential services across the EU by establishing common standards for preparedness, cooperation, response and cybersecurity awareness.
Key points of the NIS Directive are as follows:
Overall, the regulation endeavours to improve Union and international cooperation in information and network security. As the cybersecurity threat landscape continues to grow in likelihood and impact, improvement can only be achieved if individual organisations within member states fulfil the regulation’s requirements.
It’s not hard to understand the ‘why’ for the NIS Directive, considering the growing cybersecurity threat landscape. 2017’s newspaper headlines were dominated by cyberattacks that struck large corporations and threatened critical national infrastructure. Think about the impact that the WannaCry attack in May 2017 had on the UK’s National Health Service (NHS). 80 out of the 236 NHS trusts across England suffered disruption, as did another 603 NHS organisations, including 595 GP practices. Staff resorted to paper and pen, and some also made use of their personal mobile phones, exposing their organisations to additional cyber risk. Moreover, many other organisations that are “essential services” under the NIS Directive, such as international shipper FedEx and Spanish telecommunications company Telefonica, were also affected by the attack.
The repercussions of falling victim to a cyberattack are only likely to worsen as these attacks diversify and attackers improve their tradecraft. A significant attack might impact organisations at all levels, internally and via the extended supply chains they support and depend upon.
Importantly, the NIS Directive explicitly sets forth requirements for education, awareness and training programs that relate to network and information security. Security awareness is required both on a member-state level and an organisational level, as one of the objectives of the NIS Directive is to develop an EU-wide culture of risk management. This needs to be promoted “downwards” from the EU, but organisations also must play a part, from the ground up, by educating employees on how to spot and respond to cyber threats.
Every company is unique, but there are several common best practices that all organisations should consider when implementing security awareness training:
Those organisations that are classified as ‘essential services’ shouldn’t be surprised by the NIS Directive. They should be ready, and this requires putting the directive under the microscope, alongside the GDPR, for careful analysis of organisational impact and new discussions about risk. Every business is essential to someone, and so all businesses should take note of the NIS Directive and its requirements and see the standard as the bar everyone should meet. In order to properly defend against cyber-attacks, we need a virtual army of able employees who can recognise and report attacks to stop them in their tracks.