Getting ready for NIS2 with strong identity controls


Cyber security is a top priority for any business, but for industries deemed important or critical it is an even greater area of focus. Threat actors are upping the ante, using new and sophisticated malware and attack chains that exploit any weakness in enterprise security.

Through the Network and Information Security 2 (NIS2) Directive, the European Union (EU) has sought to respond to these threats and bolster the defenses of organizations against targeted phishing attacks, data breaches, and extortion through ransomware.

It lays out a series of cyber security standards to be met by 17 October 2024 and compels firms to adopt stronger measures against leaks and breaches through the use of systems such as identity management tools.

What is NIS2?

NIS2 is a directive from the European Commission that supplements and modifies existing cyber security laws across the 27-nation bloc.

Formally introduced in January 2023, NIS2 applies to providers of key services across the public and private sectors. The directive seeks to address cyber security issues including supply chains, authentication, incident reporting, and vulnerability awareness.

The list of industries NIS2 covers is an expansion of those in the original NIS directive, to include manufacturing, ICT service management, and public electronic communications networks. 

NIS2 applies to all businesses with an annual turnover above €10 million and 50 or more employees, and divides these organizations into two categories: ‘important’ and ‘essential’.

Essential entities under NIS2 include those in energy, financial services, and digital infrastructure, while important entities include firms in the manufacturing, food, and research sectors.

Companies that fail to comply with the directive face fines ranging from €10 million or 2% of annual total worldwide revenue for those in the essential category to €7 million and 1.4% of annual total worldwide revenue for those classified as important.

Organizations that don’t proactively address their compliance now will face a scramble to get their affairs in order by October 2024. Businesses that have yet to take these first steps, or which feel they could do with greater guidance in their continuing efforts, could seek advice from a third party. Security providers like Okta can provide the tools and insight to help firms achieve NIS2 compliance by the deadline.

Checklist for NIS2 compliance

Identifying the risks a business faces, and weighing the potential damage from each against the security measures already in place, is one of the first and most important steps towards NIS2 compliance.

As one of the main threats against critical and important sectors, ransomware was a key consideration when NIS2 legislation was drafted. As such, it’s important that all firms assess their resilience to ransomware in order to achieve NIS2 compliance.

Another key consideration for NIS2 compliance is a carefully assessed response plan for data breaches and other cyber security incidents.

The text for NIS2 specifically calls for identity and access management (IAM) to be strengthened throughout businesses, making it a key area for firms to look at as part of their journey to compliance and improved security.

Through considered IAM implementation, security teams can set granular permissions for key systems to ensure that personnel can only access what they are meant to, even in the event of a breach. 

IAM features such as multi-factor authentication (MFA) can also help counter security weaknesses common across industries, including phishing attacks and poor password hygiene such as the use of common passwords.

Okta’s adaptive MFA is an example of a multi-layered IAM approach. It works to prove the legitimacy of users at the point of login, using context such as their IP address, the device they are using, and their location. This helps to flag suspicious activity and prevent attacks, without placing a large burden on the end user.
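To make the adaptive approach described above concrete, here is an added illustrative risk-scoring policy (written for this page, not Okta's implementation) that weighs the three signals named in the text, IP address, device and location, and returns allow, step-up or deny. The corporate ranges, enrolled devices, thresholds and sample logins are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed policy data (illustrative tenant): corporate egress ranges and enrolled devices.
CORP_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
ENROLLED_DEVICES = {"alice": {"dev-laptop-01"}}

@dataclass
class Login:
    user: str
    ip: str
    device_id: str
    lat: float
    lon: float
    at: datetime

def distance_km(a: Login, b: Login) -> float:
    """Great-circle distance (haversine) between two login locations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def evaluate(login: Login, previous=None) -> tuple:
    """Score one login on IP, device and location; return (decision, reasons)."""
    reasons, score = [], 0
    if not any(ip_address(login.ip) in net for net in CORP_NETWORKS):
        reasons.append("ip_outside_corporate_ranges"); score += 1
    if login.device_id not in ENROLLED_DEVICES.get(login.user, set()):
        reasons.append("unenrolled_device"); score += 2
    if previous is not None:
        hours = (login.at - previous.at).total_seconds() / 3600
        # Over ~1000 km/h since the last login: one person cannot be in both places.
        if hours > 0 and distance_km(login, previous) / hours > 1000:
            reasons.append("impossible_travel"); score += 3
    if score >= 4:
        return "DENY", reasons      # several red flags: block and alert
    if score >= 1:
        return "STEP_UP", reasons   # one weak signal: require a second factor
    return "ALLOW", reasons         # matches the user's baseline

def demo() -> dict:
    """Three constructed scenarios for alice; returns {scenario: decision}."""
    t0 = datetime(2024, 10, 1, 9, 0)
    office = Login("alice", "203.0.113.10", "dev-laptop-01", 51.51, -0.13, t0)
    cafe = Login("alice", "192.0.2.77", "dev-laptop-01", 51.51, -0.13, t0.replace(hour=12))
    far = Login("alice", "192.0.2.99", "dev-unknown", 35.68, 139.69, t0.replace(hour=10))
    return {"office": evaluate(office, None)[0], "cafe": evaluate(cafe, office)[0],
            "far_away": evaluate(far, office)[0]}
```

The office login passes silently, the same device from an unknown network is stepped up to a second factor, and an unenrolled device an hour away in Tokyo trips all three signals and is denied.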

The significance of a proper MFA strategy linked to a comprehensive identity management strategy cannot be overstated. A recent study by Rapid7 found that 39% of ransomware incidents at the start of 2023 resulted from poor management of MFA.

Implementing enhanced authentication protocols can also deny access to suspicious parties outright, or require additional verification. In line with NIS2 demands, IAM systems give businesses tools to respond to security incidents in real time and to prevent threat actors from escalating attacks or moving laterally through critical networks.

NIS2 states that IAM measures such as MFA can be used as part of clear zero-trust policies, under which users are continuously verified to ensure the systems or data they are accessing are within their remit.

Okta data shows that zero-trust strategies can reduce breaches by 50%, and cut the time to respond to attacks based on identity by 90%. 

Another primary concern addressed in NIS2 is software supply chain vulnerabilities. Though always on the radar for security teams, the publicity surrounding the Log4Shell vulnerability has pushed supply chain concerns to the forefront in the C-suite, as well as at the legislative level.

NIS2 compels organizations to commit to regular audits of their third-party software vendors and work to establish clear security standards in all vendor contracts. Zero-trust strategies have another part to play here, as they help to clearly define the access arrangements of software vendors within an organization’s environment.

The directive necessitates that organizations hit by a cyber incident report this to their relevant national information regulatory authority (such as the CNIL in France or Datatilsynet in Norway) within 24 hours of discovering the attack, and provide a technical report within 72 hours. 

When the time comes to provide these incident reports, Okta Workforce Identity Cloud allows admins to build an incident timeline via oversight of all access attempts across their estate. These clear reports can then be distributed to inform entire sectors and add to ongoing collaboration with law enforcement.

By identifying how compliant they are with the various demands of the NIS2 directive, businesses can establish a baseline for their security posture and use this to chart a clear journey to full compliance by October 2024.

In partnership with organizations such as Okta, these strategies can be realized practically to keep businesses not only in line with their obligations but also one step ahead of threat actors.


ITPro

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.
