NIS Directive on Cyber Security: How Your Business Can Stay Compliant
With regard to data breaches, 2017 has been an absolutely devastating year for companies and governments. From global ransomware attacks to increased insider threats, no company seems to be safe. Cyber security today is the responsibility of every organization and institution. Even large organizations such as the National Health Service, FedEx, and Equifax have been impacted by data breaches and ransomware. Thankfully, the EU has been proactive in its approach to cyber security.
As part of an effort to protect citizens, the EU has been drafting several critical pieces of legislation. One that is now gaining attention is the Network and Information Systems (NIS) Directive. The NIS Directive served as one of the first signals that the EU would adopt a tougher approach to cyber security. Its goal is to implement a common standard among member states for network and information security. The legislation is centered on risk mitigation and incident response.
Who Needs to Comply?
The Directive is targeted at operators of essential services, as defined by each member state, and at digital service providers (DSPs). The original NIS Directive was implemented in August 2016; however, each member state has until May 2018 to fully integrate the NIS Directive requirements into its national policy. Shortly after that, each member state has until November 2018 to define which companies fall under the essential services category.
The digital services requirements apply to any service that an organization provides for profit, at a distance, by electronic means. This broad definition applies to many organizations today, as the internet has become the main medium for conducting business. Thankfully, the NIS Directive narrows this to three types of digital service: search engines, cloud services, and digital marketplaces. The NIS Directive applies not only to companies within the EU but to companies outside it as well, very much like the General Data Protection Regulation (GDPR). If your organization has EU customers and is located outside the EU, it will have to appoint an EU representative to coordinate on its behalf and help it meet the regulatory requirements.
NIS Directive Requirements
Most of the requirements of the NIS Directive fall on the public sector; however, the NIS Directive has very specific requirements for the private sector as well. It is important to understand what is required of the public sector because it provides the larger picture of what the EU is attempting to accomplish with this directive and why compliance helps the whole European Union.
For member states, the NIS Directive requires each country to create a Computer Security Incident Response Team (CSIRT) that will network with other CSIRTs to form an EU-wide responsive security network. Each CSIRT is required to have sufficient access to resources to maintain operations. Their jobs include security incident monitoring, issuing early warnings, and providing comprehensive risk analysis. For EU-wide coordination, each member state will need to designate a National Competent Authority (NCA) and a Single Point of Contact (SPoC).
In addition to the CSIRT, each member state will need to form a national cyber security strategy. The strategy will need to include a governance framework, measures for recovery, stakeholder coordination planning, cyber security education, and risk assessment.
Organizations that fall under the umbrella of the NIS Directive will be required to implement security measures that are relevant to their context and that mitigate risk. Private organizations will need to define their cyber security risks and then take proportional technical and organizational measures to mitigate those risks. The NIS Directive specifies that DSPs and essential service operators need to take into consideration the security of their information networks and physical facilities, cyber security incident handling, business continuity, incident monitoring, network auditing, and international compliance.
Directive Best Practices
The NIS Directive is not specific about what organizations should do to be in compliance. It only requires that they take “appropriate and proportional” measures to ensure that risk is mitigated or eliminated. This is because the member state you are doing business in will be the one defining more specific cyber security regulation. However, it does not help to wait for that regulation to come out and then meet the bare minimum of compliance. Instead, organizations should take proactive measures that keep them ahead of regulation. While many organizations understand how to prevent external breaches in a number of ways, insider threat security measures remain significantly underdeveloped. Insider threats are one of the most common reasons that organizations fall victim to cyber attacks. Here are some measures you can take that account for the requirements above while addressing insider threats:
Insider Incident Response Plans
Incidents have a lifecycle that plays out across companies regardless of what sector they are in. The incident lifecycle comprises detection, reporting, containment, remediation, documentation, and prosecution. Usually organizations have a general incident response plan that may have been required by past regulations. What is different about an insider incident response plan is that it provides specific protocols and processes for handling breaches caused by either malicious or negligent insiders. Following cyber security news will reveal how long companies take to report insider-related data breaches. In some cases there may have been a threat that other employees recognized but had no process or protocol to follow to help mitigate it. Having a plan in place demonstrates proactive thinking.
Need to Know Access Control
If you’re not already practicing this important security measure, it is important to apply it right away. Need to know is a permissions management approach that grants permissions to users based on their role. For example, a payroll accountant does not need the same permissions profile as the Chief Marketing Officer. If you have any type of shared software or database that employees have to access for work, you likely have permissions that you can manage. Be sure not to use the defaults, and specify permissions based on the role involved. Even if you’re a small company, this task can be done by anyone who understands the software.
User Behavior Analytics
User behavior analytics is the machine-based tracking, collection, and analysis of log data. Log data reveals each activity that happens on your network, and thanks to recent technological improvements such as machine learning, it is now possible to track individual user behavior. By establishing a baseline (normal) behavior for a user and for the wider network, you have a comparison case for how someone in a role should be behaving on the network. When there is a deviation from this behavior, you can be alerted to it and monitor the situation for a possible insider threat or compromised account. Such granular log analysis is proof of proactive measures taken to mitigate risks inside and out.
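As an added illustration that is not from the original article, the following Python sketch shows the baseline-and-deviation idea in its simplest form: it builds a per-user profile (hours active, resources touched) from constructed log lines and flags later events that fall outside that profile. The log format, the one-hour slack, and the two deviation rules are assumptions chosen for the example.

```python
"""Toy user-behavior baseline and deviation check over constructed log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs: "<ISO timestamp> <user> <action> <resource>" per line.
BASELINE_LOG = """\
2017-10-02T09:05:00 alice read payroll_db
2017-10-02T10:15:00 alice read payroll_db
2017-10-03T09:30:00 alice write payroll_db
2017-10-03T14:00:00 alice read hr_share
2017-10-02T11:00:00 bob read marketing_share
2017-10-03T16:45:00 bob write marketing_share
"""

NEW_LOG = """\
2017-10-04T10:00:00 alice read payroll_db
2017-10-04T02:10:00 alice read payroll_db
2017-10-04T11:00:00 bob read payroll_db
"""


def parse(log):
    """Yield (timestamp, user, action, resource) for each log line."""
    for line in log.splitlines():
        ts, user, action, resource = line.split()
        yield datetime.fromisoformat(ts), user, action, resource


def build_baseline(log):
    """Per user: the hours of day seen active and the resources touched."""
    baseline = defaultdict(lambda: {"hours": set(), "resources": set()})
    for ts, user, _action, resource in parse(log):
        baseline[user]["hours"].add(ts.hour)
        baseline[user]["resources"].add(resource)
    return baseline


def hour_distance(a, b):
    """Distance between two hours of day on a 24-hour circle (23 vs 0 is 1)."""
    diff = abs(a - b) % 24
    return min(diff, 24 - diff)


def find_deviations(baseline, log, hour_slack=1):
    """Return (user, reason, resource) for events outside the user's baseline."""
    findings = []
    for ts, user, _action, resource in parse(log):
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, "unknown user", resource))
            continue
        if resource not in profile["resources"]:
            findings.append((user, "new resource", resource))
        if all(hour_distance(ts.hour, h) > hour_slack for h in profile["hours"]):
            findings.append((user, "unusual hour", resource))
    return findings
```

A real deployment would replace the hand-built sets with statistical or learned models and feed the findings into the incident response plan described above; the structure (baseline, compare, alert) is the same.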
The NIS Directive is a large step forward that will likely set the standard for how large states and regions should coordinate around cyber security threats. It is the responsibility of the state to protect its citizens, and this Directive takes a massive step toward achieving this. As an organization you will have requirements to meet, but if you take proactive measures to remain secure, you will be prepared for all future legislation that is developed globally.