The EU’s Network and Information Security (NIS) Directive Goes Live Amidst Range of Expanding Cybersecurity Efforts
Yesterday was the “go live” date for the EU’s Network and Information Security (NIS) Directive. The NIS Directive was adopted in 2016, and as a directive, it sets out objectives and policies to be attained through legislation at an EU member state level within a certain timeframe (a process called transposition). Member states were required to transpose the NIS Directive into national law by May 9, 2018.
As the first EU law specifically focused on cybersecurity, the NIS Directive has three parts, affecting both industry and member state governments.
- Requirements on organisations: The directive establishes security and incident notification requirements for “operators of essential services” (OES) (e.g., providers of energy, transportation, healthcare, drinking water, some financial services) and, to a less stringent extent, “digital service providers” (DSP) (online marketplaces, online search engines, and cloud service providers). The NIS Directive requires these companies “to have regard to the state of the art technologies” to manage risks posed to the security of the networks and information systems used to provide the covered services, and take appropriate measures to prevent and minimise the impact of incidents. Security incidents of certain magnitudes must be reported to national competent authorities. The above obligations apply whether the OES or DSP manages its own network and information systems or outsources them.
- National activities: The directive requires member states to adopt national cybersecurity strategies; to designate national competent authorities; and to have one or more computer security incident response teams (CSIRTs), corresponding at least to the sectors covered by the directive, to detect, prevent, and respond to cyber incidents and risks.
- EU-wide collaboration: The directive emphasises coordination among member states, setting up a CSIRT network (also to include CERT-EU) to promote swift and effective operational cooperation regarding threats and incidents, and a strategic NIS “cooperation group” to support and facilitate cooperation and information exchange among member states.
Officials in Brussels and other EU capitals have worked hard to make NIS successful. Many countries have updated or issued, for the first time, their national cybersecurity strategies. CSIRTs have been established, and legislation has been readied to transpose NIS. The European Commission has issued guidance to countries on effective implementation of NIS. ENISA – the EU Agency for Network and Information Security – has also issued a range of guidance, including recommendations on the use and management of CSIRTs and recommendations regarding the security and incident notification measures for DSPs. The NIS cooperation group – composed of representatives of member states, the Commission, and ENISA – reportedly meets regularly to coordinate efforts among EU countries, including sharing information about how to implement NIS as consistently as possible. To that end, the cooperation group has issued non-binding guidelines on security measures and incident notification for OESs. The EU member states that have held the EU Presidency since NIS was adopted – Slovakia, Malta, Estonia, and now Bulgaria – have all made NIS implementation a priority, driving NIS-related activity including in the Cooperation Group.
Of course, steps remain. Some countries need to finish transposing NIS (not all countries made the deadline). Per the directive, they also have another six months to identify the operators of essential services established in their territories (this information might not be made public for security reasons). And equally importantly, organisations covered by NIS will be determining if they must change their security practices to meet its requirements, and if so, how. The European Commission understands that more needs to be done, and announced May 4 that, to help member states rapidly transpose the NIS Directive and build their capabilities, the Connecting Europe Facility programme is providing €38 million in funding until 2020 to support national CSIRTs as well as other NIS Directive stakeholders, such as the operators of essential services and digital service providers.
As part of the May 4 announcement above, European Commission Vice-President Andrus Ansip, responsible for the Digital Single Market, Commissioner for Migration, Home Affairs and Citizenship Dimitris Avramopoulos, Commissioner for the Security Union Julian King and Commissioner Mariya Gabriel, in charge of Digital Economy and Society, issued a statement, noting that “The adoption of the NIS Directive two years ago was a turning point for the EU’s efforts to step up its cybersecurity capacities.” This is true. However, NIS is just one of an expanding list of activities driven out of Brussels to improve cybersecurity. Many people close to the action in Brussels reported that attention to cybersecurity rose quickly among senior policymakers in the wake of the May 2017 WannaCry ransomware attack. In September 2017, EU President Jean-Paul Juncker made cybersecurity a major theme – for the first time ever — of the “State of the EU” address, highlighting the need for the EU to better protect Europeans in the digital age. That same month, the European Commission issued a package of cybersecurity legislative and other proposals. This included a new EU cybersecurity strategy, “Resilience, Deterrence and Defence: Building Strong Cybersecurity for the EU,” with a focus on protection and prevention of cyberattacks. Further, the Commission announced the intention to set up a “cybersecurity competence network” and a “European Cybersecurity Research and Competence Centre,” and a recommendation to establish an EU-wide “Coordinated Response to Large Scale Cybersecurity Incidents and Crises.” It also proposed a new law – the Cybersecurity Act — to increase and make permanent ENISA’s mandate, as well as develop an EU-wide certification scheme. This Act is currently being debated in Parliament and the European Council.
All these EU efforts are essential. They include important plans and activities: increasing cybersecurity-related education and training, stepping up law enforcement activities, and accelerating cyberthreat information sharing, to name a few. They also, of course, complement an array of actions being taken by the member states individually.
Palo Alto Networks commends European policymakers for putting cybersecurity front and center. The NIS Directive hits a key milestone today, but today is simply a stage on a journey. The EU understands that cybersecurity is essential to economic activity and growth as well as to the user confidence in online activities that underpins it. Companies in Europe, across all sectors, must ensure their businesses are resilient to cyberattacks as they embrace the digital world; EU governments need secure online operations; and consumers need trust in their online experiences. Ultimately, the more all EU member states can raise the collective bar, the more the global digital infrastructure will benefit. Palo Alto Networks looks forward to continuing to contribute to Europe’s efforts.
Cybersecurity CEO: What Keeps Chief Information Security Officers Up At Night?
Accountability to the boardroom tops the list of late night worries
Los Angeles, Calif. – June 18, 2018
Getting a good night’s sleep has become increasingly difficult for CISOs. The way I see it, there are 3 clear reasons for this and they all center around RISK. After all, aren’t we as Cybersecurity Professionals all in the RISK business?
I had the privilege of presenting at two incredible events this quarter – the FS-ISAC Summit and the Gartner Security & Risk Management Summit – and the CISOs in attendance agreed. If you don’t, let me try to convince you with the points below, and of course, I welcome your feedback!
So What Keeps a CISO Up at Night?
1. Accountability to Leadership – Being held accountable to delivering on expectations as the board/C-Suite provide investments to improve security.
While cybersecurity is now a board-level conversation globally, many CEOs still don’t get it. A 2016 Forbes article by Steve Morgan, founder and Editor-in-Chief at Cybersecurity Ventures, cites a finding that more than 90 percent of corporate executives say they can’t read a cybersecurity report and aren’t prepared to handle a major attack.
You know what – I’m ok with that, because at the C-level that’s not their job. What they need is their CISO to position risk effectively and help them understand the delta between the current state of their technology hygiene and what a healthy state will look like.
That’s a challenge in and of itself because the CISO is tossing and turning at night asking, “Am I buying the right technology? Does it have staying power? Can it scale? Am I patched? Is my environment truly healthy? How will I really know?”
Sounds like a restless night to me.
Being able to effectively communicate the current state and what “good” looks like is imperative for a CISO to develop an action plan with target milestones to present to their board.
2. Capability – Do I have the right skills, and right people, to do the right things?
The cybersecurity labor crunch is getting worse, not better. Identifying the right skill sets is the easy part. Finding experienced people is a whole different story.
For many organizations, a shortage of cybersecurity workers is their greatest risk factor. In response, MSSPs (managed security services providers) have become a popular choice. But finding and vetting the right MSSP is an altogether new challenge for CISOs and their teams.
Risk presents itself in a number of ways here:
- Have you assessed all third parties and contractors supporting your environment?
- Are you highly dependent on one or a small subset of individuals to run a portion of your technology stack?
- Do you have documented processes and procedures to follow in the event of turnover?
- What is your training plan to ensure your team keeps up with security trends within your technology stack?
There is no easy answer to recruiting and retaining the right cybersecurity people – I’ve said it before and I’ll say it again – there is 0% unemployment in our space. What’s important is that you match the team you have (internally and externally) to the security action plan you set out. What skills do you need? Where are they coming from? Who is providing the direction? And how has my plan been assessed and vetted?
3. Compliance & Privacy Regulation – yes, the dreaded acronym: GDPR. We also have to consider state legislation and/or government regulations on security, privacy and compliance.
Take for example the General Data Protection Regulation (GDPR), which applies to anyone, literally any company in the world, who receives data from the EU. What’s scary about the GDPR is the financial risk associated with non-compliance.
GDPR is one of numerous compliance mandates that organizations globally are grappling with. There’s also DFARS, NYCRR 500, FISMA, GLBA, SOX, and others.
The challenge here is it’s easy to think, “that will never happen to me”. That’s what we all used to think about cybersecurity incidents right? Right?
Given the financial pain of non-compliance, CISOs can’t afford the risk. To me this one comes down to expert advice. As a CISO you need to surround yourself with the right information. If you haven’t already, engage three kinds of experts to support your compliance readiness:
- A cybersecurity service provider to provide recommendations and risk mitigation tactics
- A managed security services provider to support with 24×7 monitoring and management of security technologies
- Legal counsel to review your organization’s efforts and provide legal feedback on the compliance regulations your company is subject to specifically
So there you have it – CISOs are looking a little sleepy because they’re constantly concerned with being accountable to leadership, managing their capabilities and meeting compliance requirements. In today’s landscape it’s important that they balance all three with their organization’s risk profile. How effectively they communicate their current state versus a healthy state, and what risk looks like at different levels of investment, is critical.
I heard an excellent keynote on Day 1 of the Gartner Summit that referenced how CISOs need to operate in the center of what is important, what is dangerous and what is reality.
If they can find that balance, they should be able to get a good night’s sleep! Easier said than done, I know…
What else is keeping you up at night? Let’s keep the conversation flowing.
About Herjavec Group
Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Consulting, Identity & Access Management, Managed Security Services, and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom, and Canada. For more information, visit .
Cybersecurity, Information Security, Network Security, Information Assurance: What’s the Difference?
As hackers, security breaches and malware attacks continue to dominate headlines, cyber crime has emerged as a global “pandemic” that last year cost people and organizations an estimated $600 billion, according to CNBC. So it’s not surprising that combating such activities has become a lucrative and rewarding career.
So, if you’re considering launching a career or advancing into a leadership role in this booming field, you may be wondering which path is right for you. For instance, what is the difference between cybersecurity, information security, information assurance and network security? In this post, we will take a closer look at each of these related but separate disciplines.
“Information security refers to the processes and methodologies that are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification or disruption,” according to the SANS Institute.
An “information system” can be any point of data storage, including points outside of cyberspace, which explains the difference between information security and cybersecurity: Information security aims to protect all data while cybersecurity aims to protect only digital data.
Cybersecurity is a subset of information security. According to Cisco, “Cybersecurity is the practice of protecting systems, networks and programs from digital attacks. These attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.”
A successful cybersecurity practitioner must have experience within the environments that they will defend and must understand both theory and application. These skills are most often gained through hands-on experience, education and lifelong learning.
“Network security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users and programs to perform their permitted critical functions within a secure environment,” according to the SANS Institute.
Network security experts focus on internal protection by keeping close surveillance on passwords, firewalls, internet access, encryption, backups and more. Their main focus is to protect internal information by monitoring employee behavior and network access. In contrast, cybersecurity experts would likely focus on external threats by looking for hackers trying to infiltrate the network and by gaining intelligence on potential future attacks. If you work in network security, you will likely be implementing and monitoring software used to detect threats and protect a company’s network.
Information assurance encompasses a broader scope than information security, network security and cybersecurity. Whereas the aforementioned security functions are generally focused on preventing access by hackers or unauthorized users, information assurance is also concerned with ensuring that key data and information is always available to users who are authorized to access it.
According to Techopedia, the five key terms that help define information assurance are:
- Integrity (ensuring that information and systems can only be accessed by authorized users)
- Availability (ensuring that information is reliably accessible and available to authorized users as needed)
- Authentication (ensuring that users are who they say they are, through usernames, passwords, biometrics, tokens and other methods)
- Confidentiality (restricting access through the use of classification or clearance levels, such as in the military)
- Nonrepudiation (ensuring that someone cannot deny an action taken within an information system because the system provides proof of the action)
Information assurance professionals are often “former hackers and security experts who understand both white hat and black hat hacking,” according to the InfoSec Institute. “They keep up to date with the latest security alerts. They update and patch current systems, and they work with developers to review software for future deployments. During cyber threats, the information assurance analyst is able to triage issues and find the best resolution to mitigate any damages.”
Working in Information/Cyber/Network Security or Information Assurance
While these four disciplines are distinct, they all share common goals and typically require similar skill sets that involve a range of diverse, multidisciplinary capabilities. For example, practitioners must understand overall theory as well as advanced technology, and then apply specific knowledge and skills in the areas of technology, law, policy, compliance, governance, intelligence, threat assessment, incident response and management.
Of course, it is also critical to remain current on the latest trends, hacking techniques and advances in cybercrime in order to stay ahead of the perpetrators and safeguard an organization’s vital assets and information. So a fascination with the underlying technology is essential.
To help tie it all together, many people staking out a career in the fields of information assurance, information security, network security and cybersecurity find it extremely helpful to earn an advanced degree to burnish their knowledge as well as their educational credentials.
And since these fields are experiencing a well-documented talent shortage, demand is high (and so is the pay) for qualified professionals who possess the right combination of skills, experience and education. Today, there are many options when it comes to advancing your education – from individual classes and professional certifications to specialized master’s degree programs that are designed to help open the door to the widest range of opportunities.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.
Objective of Cybersecurity Disaster Recovery Plan: IT Security Methods
It is pretty sad that half of organizations could not recover from cyber attacks. So it is always important to take the necessary precautions to overcome cyber crime and provide information security. Are you and your organization prepared to face a cyber attack? If not, do not panic. This blog offers a complete set of cybersecurity disaster recovery plan templates to help you decide what to do before and after facing any cyber attack. A data security or information security plan is of great importance to the proper functioning of an organization in this cyber era.
How Well Do Cybersecurity and Disaster Recovery Plans Fit Together?
There is a common misconception among users that disaster recovery and cybersecurity recovery are the same thing. They are not! The major role of disaster recovery is to ensure business continuity after any catastrophe, whether caused by natural or man-made events. On the other hand, cybersecurity (or information security) recovery protects IT assets from the litany of threats that haunt the digital environment, including after a data breach.
Both the cybersecurity disaster recovery plan and the information security plan strive to minimize the impact of unexpected incidents. If no proper plans are in place to counter a cyber attack, the organization leaves itself vulnerable. Both recovery strategies set out the activities needed to restore business operations as quickly as possible. Beyond this, both are designed to build resilience so as to minimize the chance of such an incident recurring in the future.
Mark Testoni, President and CEO of SAP National Security Services, said: “The threat behavior within security recovery plans is more vigorous than within disaster recovery.” For instance, ransomware attacks like WannaCry are prone to destroying IT assets and thus require adequate information security recovery plans that analyze how to respond to new threats and risks in the cyber world.
Worried about Cyber Security Issues and Challenges?
Are you worried about losing your crucial data? Do not let any attack breach or misuse your data. Most security experts recommend maintaining multiple plans with suitable policies and procedures. See below how to build a cybersecurity disaster recovery plan for your organization without leaving any gaps.
| | Disaster Recovery Plan | Security Recovery Plan |
|---|---|---|
| Primary Role | Ensures business continuity after any destructive event that has occurred | Protects IT assets after a breach |
| Mode of Response | Open communication with stakeholders; ensures a fast recovery process | Discreet approach to collecting evidence and analyzing the root cause |
| Strategic Differences | Quick and accurate recovery process | Protective approach to prevent future loss |
| Plan Management | A dedicated team focuses on disaster recovery and plans it accordingly | A dedicated team keeps up to date with the latest cybersecurity threats and adjusts the plans if required |
Best Cybersecurity Disaster Recovery Plan Template
Whether it is a classic virus or the latest network attack, any security threat can create chaos and take control of your environment. Therefore, it is important to protect your data and integrate cybersecurity into the disaster recovery strategy.
1. Execute Tools and Controls for Layered Protection
- Take preventive measures such as a firewall to analyse and inspect incoming content, and install antivirus software to block known malware
- Strictly control any changes and software installations
- Enforce strict access control and auditing to prevent malicious software attacks
- Monitor continuously to detect issues early so that decisive action can be taken
2. Proper Planning for the Recovery Phase
- Define incident management roles and responsibilities
- Create a broader Business Continuity Plan and Cyber Incident Response Plan, backed by a crisis management strategy
- Make the necessary arrangements for communication during an incident
- Before any attack or incident occurs, identify and fix gaps in crisis planning
- Based on recent cyber attacks such as ransomware, generate and work through “what if” scenarios
- Seek constant improvement, and keep track of and stay updated on recent cyber attacks
3. Create a Document for Improved Recovery
- Document procedures, metrics tracking, etc. to improve response times and recovery
- Create and maintain diagrams of equipment and infrastructure
- Keep a well-maintained inventory of assets and systems, including copies of agreements with vendors and providers
- Gather regulatory compliance information (who, when, how) that will help resolve issues in the event of a data breach
- Prioritize the crucial applications that need to be recovered first
It’s an evolving business world where things keep changing. Therefore, the organization must take the necessary actions to mitigate the risk from cybersecurity threats and disasters. With the recent increase in cyber risks and information breaches, it has become important for organizations to dedicate more resources to preventing such attacks and providing proper information security. In such circumstances, the cybersecurity disaster recovery plan plays a vital role. Hence, make it a practice to apply the strategies discussed above across the different teams within the organization. This will create an environment in which the risk from ever-growing cyber attacks can be controlled.