Tightening cybersecurity obligations – the NIS2 directive
Tightening cybersecurity obligations – the NIS2 directive
The Network and Information Security directive (NIS2) introduces new rules to advance a high common level ofcybersecurity across the EU – both for companies and countries. It also strengthens cybersecurity requirements for medium-sized and large entities that operate and provide services in key sectors.
An update of the 2016 NIS directive, aim aims to improve clarity and implementation as well as address fast-paced developments in this area. It covers more sectors and activities than before, streamlines reporting obligations, and addresses supply chain security. After approval by Parliament and EU countries in the Council in November 2022, member states have 21 months to implement it.
Top sectors affected by cybersecurity threats Cybersecurity threats in the European Union are affecting vital sectors. According to Enisa, the top six sectors affected between June 2021 and June 2022 were:
-
Public administration/government (24% of incidents reported)
-
Digital service providers (13%)
-
Services (12%)
-
Finance/banking (9%)
-
Health (7%)
Prime Cybersecurity Threats
Ransomware - Ransomware is considered the most worrying threat at the moment, with cybercriminals using increasingly sophisticated extortion techniques.
Malware - Includes viruses, worms, Trojan horses, and spyware. After the drop in use associated with Covid-19, malware is on the rise again.
Social engineering threats - Exploiting human error or behavior to extract information, which includes techniques such as phishing (via email) and smishing (via text message).
Threats against data - 82% of data breaches involve a human element. Manipulation of people and human errors are among the main patterns.
Threats against availability - Denial of service - Distributed denial-of-service (DDoS) attacks are getting larger and more complex and are moving towards mobile networks and Internet of Things devices.
Threats against availability - Availability of the Internet - This includes the physical take-over and destruction of Internet infrastructure. According to the Ukrainian government, around 15% of the country’s internet infrastructure had been destroyed as of June 2022.
Disinformation/ misinformation - AI is becoming central in creating and spreading disinformation, for example through deepfake technology and bots impersonating people.
Supply chain threats - Attacking, for example, a service provider in order to access customer data. The complexity of supply chains has increased the risk and consequences. of these attacks for many organizations.
The answer to evolving cybercrime? Layered security
Protecting yourself from cybercrime with simple backup and antivirus solutions is simply not enough. Your basic cybersecurity hygiene should include technologies and procedures that will ensure basic resilience and quick recovery in case a disaster occurs:
-
Configuration check-up
The mentioned technologies are just a bare minimum that should protect you from most common incidents and ensure you are able to recover in the worst-case scenario. On top of these services, you should consider stacking other solutions and best practices like end-user education and awareness training that should help your employees recognize the most common threats like Phishing attacks. You should implement PAM (Privilege Access Management) solution to control privilege escalation, and usage of privileges and detect malicious behavior. You should consider implementing best practices like configuration check-ups, continuous discovery, and multi-factor authentication. If your business is data-driven, you should consider implementing MFA for file access and data-exfiltration protection solutions.
How high you will go and what solutions will you implement will depend on your environment and business type. Regardless of the approach, you need to have a cybersecurity baseline that will protect you from worst-case scenarios as well as procedures to define the steps required to take in those situations.
