The General Data Protection Regulation has had plenty of airtime as the European Union looks to improve businesses’ approach to data privacy and strengthen the privacy rights of individuals.
However another set of regulations has come in under the radar. The Network and Information Systems Directive was the EU’s response to the growing number of cyber-attacks on critical infrastructure and online services.
It aims to boost the overall level of cyber security in the EU by making authorities responsible for dealing with the security of services provided by multinational companies based in their nation states.
Today the government identified the ‘operators of essential services’ that will be required to comply with the security and incident reporting requirements set out in the directive.
“Cyber-attacks are on the rise: a recent report by the National Cyber Security Centre highlighted that the UK has been hit by more than 1,000 serious cyber-attacks over the past two years,” Dave Locke, chief technology advisor at World Wide Technology, told BusinessCloud.
“The increasing threat of cyber-attacks have also led to greater spending on security, with 69 per cent of UK organisations reporting an overall increase in investments in IT security.
“However, the growing sophistication of cyber-attacks requires a more robust approach to cyber security. It’s becoming apparent that simply increasing spend on cyber security products is insufficient to combat the rising complexities of cyber-breaches.”
The first step in complying with the NIS Directive is to identify the gaps within security infrastructures, according to Locke, while many of the issues firms faced in becoming compliant with GDPR also pose problems here.
“This is a significant undertaking for companies as the underlying systems are highly complex, and whilst modernising them is not impossible, it is extremely difficult,” he said. “These existing legacy systems are often decades old with occasional new features added over time, forming a complex patchwork of applications.
“As a result, companies typically have thousands of applications that are intertwined and interdependent. Consequently, as recent cyber incidents have shown, they can no longer rely on creating firewalls around systems without understanding what specifically they are working with.
“Because of the way these systems have been put together over time, it can be very difficult for financial institutions to understand which parts of their systems are linked into and dependent on each other – and therefore what the domino effect might be if something does go wrong.
“Trying to take one complex application or algorithm out of the mix without impacting something else is like attempting to fix a leak without knowing anything about the pipe system.”
Initially adopting a zero-trust model, where applications are allowed to speak to each other only after passing several layers of authentication, is the best approach.
“Once this has been done, dynamic controls can be embedded so the IT networks are not only immune to cyber vulnerability, but also increasingly transparent and self-auditable, future-proofing in the face of potential cyber threats,” Locke added.
“To do this, companies must first rationalise the way these applications interact and share data within the systems, removing unnecessary dependencies which can make the effects of an outage or cyber breach far worse than it otherwise would be. This requires deep infrastructural expertise.”
Whilst older rules require yearly tick-box compliance exercises, the new regulations necessitate continued assurance of critical applications.
“Insights into infrastructure can create a real-time picture of the entire network. Once this level of visibility has been achieved, organisations can confidently rationalise the way that different applications share data within the system,” said Locke.
“This means they can fit the right security policies within each segmented application, preventing unnecessary or illicit data flows which can create cyber vulnerability.”