The EU member states must implement NIS-2 into national law by October 2024. – Image: ©Konsta/stock.adobe.com
Few of the requirements of NIS-2 are fundamentally new. The main innovation is the reporting obligation: from mid-October 2024, affected companies will have to report relevant security incidents, and those that cannot do so or let the reporting deadline pass face fines. Independently of this, NIS-2 consolidates many individual measures that companies are already implementing. Nevertheless, there are key areas that NIS-2 emphasizes and to which companies should pay particular attention.
1. System inventory
Affected companies must fully inventory their systems and manage their assets; only then can they manage cyber risks reliably. But do companies actually know what assets they hold? And are these assets protected against misuse or theft? A comprehensive inventory is therefore the first step.
2. System monitoring
Companies must be able to recognize attacks and define a procedure for responding to them. Sooner or later, every company will be the target of a cyber attack, so companies need systems for attack detection (SzA, from the German "Systeme zur Angriffserkennung"). These allow an impending attack to be recognized early and answered appropriately. Further measures such as penetration testing, security audits, log monitoring and compliance monitoring are also required.
3. Vulnerability management
Companies must identify, assess, prioritize and remediate vulnerabilities. Vulnerability management therefore needs to be anchored in a company's core processes, just like patch management. A typical problem: a company with a complex IT landscape tracks its vulnerabilities in local Excel lists. Because the sheer number of vulnerabilities makes it impossible to keep track of them this way, attackers find an unpatched way into the company's IT. This must be avoided.
4. Raise awareness
Companies need central guidelines and must make employees and management aware of cyber threats. In addition to identity and access management, incident management is also mandatory. An unfavorable scenario: employees use weak passwords, cloud email accounts are not properly secured, and at the same time employees may access business software without authenticating with a second factor. An attacker then gains a foothold in the company's IT through compromised email accounts and spreads from there. Raising awareness is essential, but guidelines make it binding for everyone involved: employees must know how to handle sensitive data, rules are needed for access to this data, and it must be possible to check whether these rules are being followed.
5. Transparency
Organizations must monitor and assess their security risks using Endpoint Detection and Response (EDR), Network Detection and Response (NDR) and Security Information and Event Management (SIEM) tools. The problem: companies often do not know which systems their employees use. These unknown or forgotten tools fall outside the defined scope and are therefore neither scanned for vulnerabilities nor patched. In addition, unwanted dependencies arise when staff use unauthorized systems to run important processes.
6. Emergency plans
Companies must be able to react immediately to an attack with predefined response measures. They are obliged to report security-related incidents within a set time window, including interim and final reports. These reporting channels must be prepared, known to those involved and put into practice. Sensitive assets need to be specifically secured. In addition, companies must take robust precautions for emergencies and defined scenarios: emergency planning, emergency management and plans for restoring business operations are mandatory. For example, it must be ruled out that highly sensitive data resides on employees' mobile devices, where unauthorized third parties could easily access it in the event of loss or theft and the company could become the victim of attacks or blackmail.
7. Communication channels
Rules of conduct for staff must be prepared and communicated, and it must be possible to report changes at any time. Interactive (online) training courses serve to train the workforce and regularly refresh their knowledge. There needs to be coordinated communication, and emergency plans must be accessible to everyone. Necessary changes must be carefully prepared, evaluated, backed by risk-minimizing measures and documented. And of course everyone must act accordingly in an emergency. If a security service provider has developed reliable emergency plans for a company but the company never discusses these strategies with its staff, panic or careless actions can quickly follow in the event of a cyber attack and make the problem worse.
8. Supply chain risks
Supply chain risks must be assessed holistically and managed effectively. To do this, companies should rely on proven, industry-specific best practices. What applies to commercial buildings also applies to company systems: suppliers, partners and other external parties who have physical access or access to applications must be integrated into risk management. In the IT area, this means on the one hand that only secure IT systems are provided to them, and on the other hand that external parties themselves do not become a security risk. That is why zero trust and multi-factor authentication are essential.
Conclusion
Against the background of these eight fields of action, companies must
- assess with legal certainty the extent to which they are affected by the NIS-2 requirements,
- get an overview of which measures have already been implemented,
- consistently prioritize the implementation of the measures,
- determine the financial and personnel expenses,
- ensure the feasibility of the measures using internal and external resources,
- define roles and responsibilities, including communication involving internal and external resources, and
- document the measures and regulations taken in detail.
To ensure adequate protection, companies need to establish what risks exist, which areas are particularly exposed and how these can best be protected. This is how companies implement NIS-2 reliably.