NIS2 Directive: Ignorance can cost you
Recently, we highlighted the background of the new legislation NIS2 here in our blog. Now we need to clarify what tasks this entails for companies: What are the potential consequences of ignoring NIS2? And how can UEM help IT admins implement some of the regulations?
- Inadequate protection of IT systems is an open barn door for hacker attacks.
- Updating relevant business processes is critical.
- NIS2 is a real challenge, but failure to implement it will be very expensive in the future.
- Especially in times of skills shortages, UEM is an important building block for securing critical infrastructures.
I recently discussed which organizations based in the EU fall under the scope of the new NIS2 directive in the blog article “NIS2: It's getting CRITICAL”. But the arc can also be drawn to my Star Wars series of articles. Let's put it this way: the building technology of the Death Star would definitely fall under the new NIS2 directive. Today, however, we’re taking a more concrete look at the extent to which NIS2 goes beyond the previous regulations, what companies have to do, and what challenges await IT admins in the process.
One thing is clear: all affected companies are required to expand their activities in the areas of risk analysis, information security, measures assessment and implementation, incident response management, crisis management and training.
At the centre of all this is cybersecurity in the broadest sense. Particularly in times of a shortage of skilled workers, implementing NIS2 is a real challenge for many companies, because corporate security now needs even more manpower than before.
In concrete terms, this means that CRITIS companies must update their technical and organizational security measures in the area of incident management as well as their business continuity plans. They are also required to conduct regular risk assessments so that every potential point of entry is identified and safeguarded. Here too, the keyword is: Death Star.
Affected companies must present effective concepts for risk analysis and also evaluate in them how effective which measures are. In addition, there must be regular training in the area of cyber security. Not to be forgotten: supply chain security, asset management and even personnel security fall under NIS2.
Here – and this is important for affected companies – the required security measures are judged by whether they are proportionate to the risk, i.e. the likelihood and potential impact of an incident, not by how much has been spent on cybersecurity so far. Registration and reporting obligations also apply: certain affected companies, such as providers of cloud, DNS or managed services, are recorded in a registry maintained by the European Union Agency for Cybersecurity (ENISA), and significant security incidents must be reported to the national CSIRT or competent authority (in Germany, the BSI) in several stages:
- Early warning within 24 hours of becoming aware of the incident
- Incident notification within 72 hours, updating the early warning with an initial assessment
- Final report within one month
Under NIS2, while top management at CRITIS companies will have overall responsibility for cybersecurity and the prevention of security incidents, IT specialists typically will continue to be responsible for technical implementation of security measures. If companies fail to meet the new requirements, they can be fined heavily.
So it is now becoming really critical for CRITIS companies and they urgently need to take security measures to better protect themselves against threats. At the same time, existing budget and, above all, personnel limits must be taken into account. Even so, investing in defense and recovery measures pays off relatively quickly.
The fact is that complying with NIS2 requirements makes sense for companies overall, because it significantly reduces the likelihood and the impact of a successful cyberattack. Last but not least, companies also benefit from improved efficiency and productivity.
There is currently no single tool that ensures that all NIS2 requirements are met in full. Rather, many existing solutions used to enhance cybersecurity before NIS2 can now contribute to NIS2 compliance. In addition to Network Access Control and monitoring solutions, Unified Endpoint Management supports IT admins with automated management and monitoring of all network endpoints. This starts with a comprehensive inventory of installed hardware and software. It is important not to neglect any endpoint types. Record controllers and network devices as consistently as Windows computers or mobile devices. This type of asset management helps provide a solid foundation for fulfilling some NIS2 requirements for transparency, risk analysis and general information security.
When NIS2 talks about cyber hygiene and incident prevention, it naturally includes vulnerability and update management. With automated vulnerability management, patches and hotfixes can be rolled out company-wide by policy to all IT and/or OT devices affected by a security vulnerability. With the help of continuous monitoring, IT teams always know the exact state (BIOS/UEFI, OS, applications, configuration, permissions, etc.) of each device without having to check each one individually. Threats reported by Defender are also valuable input. Only those who have transparent information about vulnerabilities can eliminate them and prevent them from recurring.
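The core of the vulnerability management described above is a simple but unforgiving join: the software and firmware inventory of every endpoint type against a feed of advisories, each naming a product and the first fixed version. The script below is an added example for this post, not code from the UEM product or its APIs. The device names, product names, version numbers and advisory IDs (`ADV-2024-...`) are constructed for illustration and are not real CVEs. It deliberately treats a device whose version was never collected as a finding of its own rather than silently passing it, because an inventory gap is exactly the kind of blind spot a NIS2 risk analysis has to surface.

```python
"""Added example: match an endpoint inventory against a vulnerability feed.

All data structures, device names and advisory IDs below are hypothetical and
constructed for this post; they do not come from the UEM product or a real feed.
"""
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple:
    """Turn '7.1.0' into (7, 1, 0); a leading 'v' and non-digits are dropped
    so 'v2.3' or '10.0.19045' compare sensibly."""
    parts = []
    for chunk in text.lstrip("vV").split("."):
        digits = "".join(ch for ch in chunk if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(installed: str, fixed_in: str) -> bool:
    """True if the installed version is older than the first fixed version.
    Shorter tuples are zero-padded so '7.1' and '7.1.0' are equal."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


@dataclass
class Device:
    name: str
    kind: str                                      # "windows", "mobile", "plc", "switch" ...
    software: dict = field(default_factory=dict)   # product -> installed version, or None


@dataclass
class Advisory:
    advisory_id: str    # constructed identifier, not a real CVE
    product: str
    fixed_in: str       # first version that is no longer vulnerable


def find_exposures(inventory, advisories):
    """Return {device_name: [(advisory_id, product, installed, status), ...]}.

    status is 'vulnerable' when the installed version is below fixed_in and
    'unknown' when the product is present but no version was ever collected.
    Devices that are fully patched do not appear in the result.
    """
    report = {}
    for device in inventory:
        for adv in advisories:
            if adv.product not in device.software:
                continue
            installed = device.software[adv.product]
            if installed is None:
                status = "unknown"
            elif version_lt(installed, adv.fixed_in):
                status = "vulnerable"
            else:
                continue
            report.setdefault(device.name, []).append(
                (adv.advisory_id, adv.product, installed, status))
    return report


def patch_queue(report):
    """Devices that need a patch rolled out by policy now."""
    return sorted(name for name, findings in report.items()
                  if any(f[3] == "vulnerable" for f in findings))


def review_queue(report):
    """Devices whose inventory is incomplete and must be re-scanned first."""
    return sorted(name for name, findings in report.items()
                  if any(f[3] == "unknown" for f in findings))


# Constructed sample inventory covering several endpoint types, including OT.
INVENTORY = [
    Device("WS-0412", "windows", {"Windows 11": "10.0.22621", "PDF Reader": "23.1.0"}),
    Device("WS-0413", "windows", {"Windows 11": "10.0.22631", "PDF Reader": "23.3.2"}),
    Device("PLC-LINE-7", "plc", {"PLC Firmware": "4.2"}),
    Device("SW-CORE-1", "switch", {"Switch OS": None}),        # version never collected
    Device("PHONE-117", "mobile", {"Mobile OS": "17.2"}),
]

# Constructed advisories with hypothetical IDs (not real CVEs).
ADVISORIES = [
    Advisory("ADV-2024-001", "PDF Reader", "23.3.0"),
    Advisory("ADV-2024-002", "PLC Firmware", "4.2.1"),
    Advisory("ADV-2024-003", "Switch OS", "9.1"),
    Advisory("ADV-2024-004", "Mobile OS", "17.1"),
]

if __name__ == "__main__":
    result = find_exposures(INVENTORY, ADVISORIES)
    for name, findings in sorted(result.items()):
        for adv_id, product, installed, status in findings:
            print(f"{name:12} {product:14} installed={installed!s:12} {status} ({adv_id})")
    print("patch now:", patch_queue(result))
    print("re-scan:  ", review_queue(result))
```

Run as a script, it lists WS-0412 and the PLC as vulnerable and the core switch as unknown; the phone and the second workstation are already at or above the fixed version and stay out of the report. In a real rollout the two queues would feed two different policies: a patch job for the first, a re-inventory (and a question about why the switch is not reporting) for the second.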
And as obvious as it may sound, consistent update management is a central building block for reliable IT security. This means running the latest supported version of software and operating systems wherever possible, keeping them up to date, and removing components that are no longer needed or no longer maintained. That way, only what is necessary and trustworthy remains on each computer.
Security measures such as hard disk encryption, allow- or blocklisting of software and a ticket system for rapid response round off a comprehensive UEM solution and help IT admins fulfill portions of the NIS2 requirements.
Vulnerabilities in critical infrastructure are more than just local challenges. Learn how automated vulnerability management can help your organization address them in our whitepaper.