Looking Beyond Compliance: Increasing Cybersecurity Regulations Make UEM Essential for All Industries
In the U.S., Germany and other major economies, state and federal regulators have been enacting or planning legislation to expand or require more comprehensive IT security regulations for a growing range of organizations and industries.
Many businesses, especially small- and medium-sized companies, are familiar with mandated IT security compliance for healthcare, financial services, energy and other areas deemed “critical infrastructure.” And depending on which states they operate, U.S. companies must also follow a variety of regulations that cover measures to prevent or report cybersecurity intrusions.
Just they must comply with a patchwork of laws, many U.S. companies also take a limited or case-by-case approach to implementing cybersecurity practices. But it’s clear that federal regulators in Europe and in America are taking a broader look not only at what is considered critical, but what organizations should or must have in place to secure IT infrastructure. That is going to require businesses to take a more comprehensive approach to security that is tightly integrated with regular IT management workflows and practices. In fact, it’s an approach that closely matches what Unified Endpoint Management (UEM) systems already do efficiently.
While a small- or mid-sized business may not consider itself “critical” from a national security point of view, they are in many ways more vulnerable to cyberattacks compared to larger, better resourced organizations. And as any IT admin can attest, a cyberattack can certainly have a critical, even catastrophic, impact on businesses of all sizes. The point is, all companies should take an expansive view of how cybersecurity is critical to them.
In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technologies (NIST) have published a range of recommendations that apply to critical infrastructure. Those include CISA’s Secure Cyberspace and Critical Infrastructure overview and NIST’s Cybersecurity Framework 2.0. The “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems” issued by the White House in July 2021, also defines a variety of actions to increase cyber-resilience.
In Germany, the Federal Office for Information Security (BSI) recently issued updated IT security regulations in a law called IT-SiG 2.0. It’s part of a comprehensive policy first enacted in 2015 to increase the security of information technology systems and make “Germany's IT systems and digital infrastructures the most secure in the world." Among other things, IT SiG 2.0 expands the oversight of the BSI, the scope of Critical Infrastructure Regulation (CRITIS), and the obligations for CRITIS operators.
While reporting requirements vary by industry and jurisdiction in the U.S., German laws mandate reporting of IT security incidents. In addition, companies from the CRITIS sector are required to better secure their IT systems overall against digital attacks.
The U.S. and Germany have similar designations for critical infrastructure, including:
- Energy (nuclear and other power plants, transmission lines, mining, oil and gas extraction, refining and distribution.)
- Finance (banks, insurance companies, financial service providers, stock exchanges)
- Hazardous substances (chemical and biological substances, transport of hazardous goods, defense industry)
- Information technology and telecommunications (telecommunications, information technology)
- Healthcare organizations and providers (hospitals and others using patient health data)
- Government institutions (public authorities, administration and judiciary)
- Transportation (aviation, maritime, rail, mass transit, inland waterways, road, postal services)
- Utilities (health, emergency and rescue services, disaster management, food and water supply, waste disposal)
- Other (media, major research facilities as well as outstanding or symbolic buildings, cultural assets)
Simply implementing firewalls, virus scanners and other security solutions is not enough to meet the strict requirements of current IT security regulations in both countries. Instead, companies must take a comprehensive approach to ensure that their entire IT landscape is protected. That includes but is not limited to applying patches, hotfixes and important updates. In addition, they must also sensitize their employees to the topic of IT security and train them how to protect against external cyberattacks.
Cybersecurity also entails keeping accurate and current records of all devices and software used on business networks, detecting and remediate new or open vulnerabilities, maintaining backups of systems and practicing restoration and recovery procedures, and having appropriate emergency response plans in place.
Those are all essential steps. Implementing them effectively and efficiently means giving IT teams the systems they need to ensure security while keeping up with regular maintenance, optimizing performance, improving employee experiences, and planning and deploying new and updated hardware and software to support business growth.
Comprehensive protection and management of the IT landscape is what baramundi has focused on for more than 20 years. The baramundi Management Suite was developed to make IT infrastructure optimally manageable: Every single workstation in the company should be protected as well as possible without limiting employee productivity. UEM solutions such as bMS make this possible from the first day of onboarding new employees through offboarding. UEM solutions can also be used to keep a precise eye on the introduction of new software, and admins always know exactly which version of which software is running on which system and on which clients.
In addition to inventory, tasks such as the distribution of new software and the release of individual software packages for specific users or departments can be easily automated. IT teams always know which updates need to be installed on each system to close newly discovered security gaps. Automation helps them define when these updates should be applied. If the vulnerability is extremely critical, it may be necessary for the hotfix to be installed immediately after the computer is booted. Or IT can be flexible and set a time frame of 24 hours, for example, until the update is installed automatically on all affected systems.
It’s important for all companies, whether “critical” or not, to take a truly comprehensive approach to their own IT security strategy. After all, any gap in protection, no matter how small, can jeopardize security and, in the worst case, the future of the company.