Tips for implementing the NIS2 directive


Correct use of cyber security is now more important than ever. Because threats are increasing, the risk of attacks is growing constantly. The legislature has also recognized this and created the NIS2 directive. Axians gives tips on how companies should proceed now.

A quarter of a million newly discovered malware variants, 2,000 identified vulnerabilities in software products per month, 21,000 newly infected systems every day, 68 successful ransomware attacks and two attempts per month on municipal facilities or municipal companies alone. These alarming figures appear in the current cyber security situation report from the Federal Office for Information Security (BSI). The office warns that criminals are evolving: today's professional cybercriminals are widely networked and operate with a division of labor, using artificial intelligence (AI) and other modern technologies for their attacks.

Because of these conditions in the cyber security landscape, the EU has issued the NIS2 directive. Its requirements are currently being transposed into national law and must be codified by October 17, 2024. From then on, all affected institutions are obliged to implement a series of cyber security measures.

What requirements do companies have to meet for NIS2?

Among other things, companies must have a risk management concept, introduce emergency plans and report security incidents to the BSI. Technical protective measures are required, such as systematic data backup and concepts for access control, encryption and vulnerability management. Analogous to the IT Security Act 2.0, NIS2 also stipulates that companies must take the vulnerabilities of their supply chains into account in their security concepts so that criminals cannot break into systems via suppliers. In short, it is time to finally implement the state of the art by adopting security standards and processes that were already recommended as best practices before NIS2.

Anyone who has paid attention in recent years to securing their business against criminals in accordance with the applicable standards only needs to make a few adjustments to meet the requirements. But companies and institutions that now fall within the scope of NIS2 for the first time and have previously neglected cyber security face major challenges. To prepare for the requirements, newly affected companies should take protective measures early. The path to the goal takes five steps.

Is the company affected by NIS2 legislation?

First of all, companies should clarify whether they belong to the extended circle of organizations covered by NIS2. There are two main groups: operators of critical facilities, and "particularly important" or "important" facilities. What matters is whether these companies operate in economic sectors that are subject to regulation. There is still a lot of uncertainty here. To gain clarity, companies should ask themselves the following questions: Am I active in one of the regulated sectors? Does my business meet the official thresholds, i.e. is turnover high enough and does the number of employees reach the threshold? If the answer to these questions is yes, the NIS2 protection requirements apply. However, it is advisable for all companies, regardless of whether they fall under NIS2, to put their own security concepts to the test and check whether they correspond to the state of the art. Those responsible for IT should also not forget to determine which areas of the company need to be protected.

How secure is the IT infrastructure?

The next step is to find out where the biggest weak points lie. How is cyber security structured in the company? What is the current protection level? A risk assessment shows where the security strategy should start, namely where companies can achieve the fastest improvements. Afterwards, the assessment should be repeated at regular intervals; continuous assessment helps to gradually increase IT resilience.

How secure is the supply chain?

The mandatory risk assessment should cover not only the company's own risks but also the specific weak points of the supply chain. If vulnerabilities are identified, countermeasures must be taken to comply with regulatory requirements and protect the interfaces. External Attack Surface (EAS) scans, for example, can help with this. It is advisable to act proactively and carry out a risk analysis to identify possible vulnerabilities in the supply chains. Affected facilities can then work out a common security concept with their suppliers.

Which system is suitable for attack detection?

To ensure the required security of information systems, attack detection systems are also recommended. For many companies, implementing a security information and event management (SIEM) system is advisable, as it forms the basis for the majority of intrusion detection systems. The SIEM collects data that can also be evaluated in a security operations center (SOC), and it provides useful information for IT operations, such as indications of misconfigurations. The variety of SIEM options offers numerous ways to meet a company's own needs. For example, companies can decide whether to run a self-managed SIEM system or use the services of a professional SOC. The range of services extends from in-house operation or a co-managed SIEM to fully managed IT/OT SOC services from external ICT service providers such as Axians.

What does a sensible security concept for NIS2 look like?

It is important not only to purchase IT security systems consisting of hardware and software, but also to establish rules and procedures that continuously define, manage, monitor, maintain and improve information security. Companies can proceed according to the modular principle: first, take the steps that quickly raise the security level; protection can then be expanded level by level. Security standards such as BSI IT-Grundschutz or ISO 2700x, as well as a zero trust architecture, can serve as guidance. In particular, alignment with the IT-Grundschutz Compendium offers great assistance, as it contains a best-practice catalog of security measures.

The legislature has recognized the seriousness of the situation and has tightened the requirements with new regulations. The growing threat situation shows that companies should tackle implementation without delay. To avoid getting lost in detailed technical decisions, they can seek support from experienced ICT service providers such as Axians, which implement systems as required by the NIS2 regulation for customers on a daily basis. Professional assessments, upfront advice and ongoing support help to quickly develop a suitable strategy and relieve the burden on corporate IT departments.
