NIS Directive Compliance: It’s just as important as the GDPR
IT security managers have had plenty on their plate this year coordinating compliance efforts in advance of the forthcoming EU General Data Protection Regulation (GDPR). But while the sweeping new privacy law has dominated the headlines for the past year or more, there’s another important piece of regulation on its way from Brussels, that will apply specifically to “operators of essential services” (OES). It’s known as the EU directive on the security of Networks and Information Systems (NIS).
With the same huge fines of up to £17m or 4% of global annual turnover levied for non-compliance, it’s vital that you consider the NIS Directive alongside GDPR efforts.
Protecting essential services
This new piece of legislation is slightly different from the GDPR in that it is a directive rather than a regulation, meaning it is more open to interpretation by individual member states. The government is currently consulting over exactly this. The other key difference is that, rather than focusing on any organization which processes consumers’ personal data, it covers only OES organizations such as those in utility, healthcare, transport, and similar sectors. As such, it’s aimed at improving general security standards within such organizations to ensure availability even in the event of a major attack.
The National Cyber Security Centre (NCSC) has this:
“Recent events such as the WannaCry ransomware attack, the 2016 attacks on US water utilities, and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that incidents can have. There is therefore a need to improve the security of network and information systems across the UK, with a particular focus on essential services which if disrupted, could potentially cause significant damage to the economy, society and individuals’ welfare.”
There’s still plenty to be thrashed out during the consultation stage, but with a deadline for implementation into UK law of 9 May 2018, it pays to start preparations now if you want to avoid a last-minute GDPR/NIS compliance rush.
Time to comply
The NIS Directive has 14 key principles, as part of four top-level objectives:
- Have “appropriate structures, policies and processes” in place to understand, assess and manage security risks
- Have “proportionate” security in place to protect key services and systems from attack
- Ensure security remains effective and can detect any “events” which could threaten essential services
- Put in place capabilities to minimize the impact of an incident on the delivery of essential services
Fortunately, there is plenty of information already published on each topic area, which should speed compliance efforts. As with the GDPR, following best practice frameworks like ISO27001 and the government’s Cyber Essentials will also help.
At Delinea, we’re particularly interested in the attention NIS pays to identity and access control; a key part of effective cybersecurity. IT requires organizations to be clear about who is authorized to access their network and information systems or associated sensitive data, carefully restricting and periodically reviewing such rights.
“For highly privileged access it might be appropriate to include approaches such as two-factor or hardware authentication.”
It’s good to see access controls getting major billing here. Increasingly cybercriminals are taking advantage of password-based systems and the organizational “weak link” of poorly briefed staff to steal credentials in order to gain full network access. To ensure NIS compliance and all-round good security practice, we’d recommend at the very least that organizations implement:
- Single sign-on and multi-factor authentication for key systems to reduce the risk of password-theft
- Least-privilege access policy so general users and system administrators only have access to the systems and applications they need for their roles
- Strong user education programs to make staff aware of common phishing and other tactics
As the brute force attacks on Scottish Parliament staff recently highlighted, password-based authentication systems are woefully ineffective against modern cybercriminals and nation-state cyber criminals. So, ensure you take the time to revisit your access controls as part of NIS Directive compliance efforts. If you haven’t, make this a priority today; and be sure to consider it alongside GDPR compliance plans to avoid duplicating efforts.
What does cybersecurity like this cost? Not as much as you think