NIS2 Directive: Decoding its Significance and Implications

                     <div>
                        <div>
                        
                        
                        
                        
                        <div>
                        
                        
                        
                        
                        <div><p>We all have been witnessing the growing threats associated with increasing digitalization and the number of cyberattacks.</p>

As early as 2016, the European Union recognized that this was a major challenge for organizations and citizens and introduced NIS (Network and Information Security) security measures.

The idea was to improve the cybersecurity capabilities of networks and infrastructure systems in seven sectors, including energy, transport, banking, financial markets, healthcare, drinking water, and digital infrastructure.

As cybersecurity threats continue to evolve, the EU's NIS legislation has had to be improved and its security measures strengthened. For example, the Hornetsecurity Security Report shows that phishing retains its top spot, accounting for 43.3% of email-based attacks.

In 2023, the European Union adopted the second version of the Network and Information Systems Directive (NIS2) and improved the security measures.

This article is about NIS2, what the regulation requires, a high-level overview of steps you should take now in your organization, and how Hornetsecurity’s various products can help you.

             </div><div>
                        <div>
                        
                        
                        
                        
                        <div>
                        
                        
                        
                        
                        <div><h2>NIS vs NIS2</h2></div>
                </div><div>
                        
                        
                        
                        
                        <div><p>The main difference between NIS and NIS2 lies in the expanded industry sectors that are covered by NIS2, the adding of “teeth” in the form of sizeable fines, as well as the size of businesses that are in scope (see below).</p>

NIS is aimed at operators of essential services and providers of digital services. Essential services include three sectors: water, transport, and energy; digital services include cloud computing, online marketplaces, and search engines.

With NIS2 legislation, the European Union expanded the scope and classified it into essential entities and important service entities. Essential entities were already part of NIS, but NIS2 has expanded the scope of the sectors covered.

This means that more organizations in the European Union are subject to NIS2 requirements.

New in NIS2 are important service entities that cover additional areas.

Some of the industries that will now be affected by NIS2 as important service entities are healthcare, transport, finance, water supply, waste management, energy, digital infrastructure and service providers, public electronic communications service providers, the food industry, aerospace, postal and courier services, and public administration.

             </div><div>
                        <div>
                        
                        
                        
                        
                        <div>
                        
                        
                        
                        
                        <div><h2>User Training is Crucial</h2></div>
                </div><div>
                        
                        
                        
                        
<div>This cannot be overstated; you cannot build a cyber-resilient organization without involving every single person who works there. This starts with the <a href="https://www.hornetsecurity.com/en/security-information/security-awareness-training/" rel="noreferrer" target="_blank">basic awareness</a> of asking someone unknown who isn’t wearing a badge in the office to identify themselves, and if the answer doesn’t stack up, calling security.

When someone calls you claiming to be from the IT helpdesk and asks you to approve the MFA prompt you’re about to receive on your phone, don’t assume they’re telling the truth. Always double-check their credentials first to ensure that it’s a legitimate request.

What you’re trying to foster is “polite paranoia”, making it normal to question unusual requests, and understanding the risk landscape and sharpening instincts. Most people who work in businesses aren’t cyber or IT savvy and weren’t hired for those skills. However, everyone needs to have a basic understanding of how identity theft works in our modern digital world, both in their personal and professional lives.

They also need to have a grasp of the business risks introduced by digital processes, including emails.

By having this context they’ll be able to understand when things are out of context or unusual and have enough suspicion to ask a question or two before clicking the link, wiring the funds, or approving the MFA prompt.

And this isn’t a once-off tick on a form to achieve compliance with a regulation.

Often, the long, tedious, and mandatory presentations that organizations conduct once a year or quarterly, followed by multiple-choice quizzes, are perceived as time-wasters by the staff. They want to rush through them quickly and typically forget any insights gained.

Instead, the training program should be designed to be ongoing, consisting of bite-sized, interesting, immediately applicable, and fun training modules combined with simulated phishing attacks to test users. If any user clicks on a phishing email, they should be given additional training.

Over time, the system should automatically identify users who rarely fall for such attacks and interrupt them with infrequent training, while the persistent offenders are given additional training and simulations on a regular basis.

The other reason for ongoing training is that the risk landscape is continuously changing. Some months ago, malicious emails with QR (Quick Response) codes to scan were the exception, now they’re a very familiar sight, requiring ongoing awareness of staff not to scan them on their phones (outside of established business processes).

Security experts often lament the priorities of staff, saying, “if they only took a second to read the email properly, they’d spot the signs that it’s phishing”, or “they just don’t take security seriously”.

This is a fundamental misunderstanding of the priorities and psychology of the average office worker: clicking a link in an email will at most get you a slap on the wrist, whereas not fulfilling an urgent request from the boss can get you in serious trouble or even fired.

And this is why the entire leadership, from middle managers all the way to the C-suite must lead by example. If they do and communicate their understanding of the basics and secure processes, staff will follow suit.

But if the CFO requests an exemption from MFA or bypasses security controls regularly because “it’s more efficient”, there’s no chance that his underlings will take cyber security seriously.

             </div><div>
                        <div>
                        
                        
                        
                        
                        <div>
                        
                        
                        
                        
                        <div><h2>A Day in the Life at Cyber Resilient Inc.</h2></div>
                </div><div>
                        
                        
                        
                        
                        <div>What does it look like at an organization that has embraced this approach? First of all, no one fears speaking up or asking “silly questions” about weird emails or strange phone calls. If there is an incident and someone clicks something they shouldn’t have, there’s no blaming and accusations, it’s not personal, there was a failure of a process.

This brings a strong sense of psychological safety, an important foundation for cyber resiliency.

Transparency is promoted from the leadership all the way throughout the organization. Understanding that we’re all human, we’re “all in this together” and being upfront about making mistakes, without fear of retribution, will improve the cyber resiliency culture.

Talking about new cyber risks and exploring not just business risks but also the risks in people’s personal lives is another strong result of a good security culture.

Our working and personal lives are blended like never before, with people sending and receiving emails from their personal devices, sometimes even working from their personal laptops (BYOD), which means that the risks to the business aren’t confined to corporate assets and networks.

Compromises of users’ personal identities can be used by criminals to then pivot to compromise business identities and systems.

Looking at the mirror image – in an organization where cyber resiliency isn’t valued, staff will be fearful of making mistakes and unsure what processes to follow if they think they might have made one. Individuals are blamed when incidents do occur, ensuring that any future issues are swept under the rug to avoid the same fate.

And staff don’t understand IT, they don’t understand the risk landscape and they routinely put the organization at risk because of this lack of understanding.

             </div><div>
                        <div>
                        
                        
                        
                        
                        <div>
                        
                        
                        
                        
                        <div><h2>Implementing Security Awareness Service</h2></div>
                </div><div>
                        
                        
                        
                        
<div>As mentioned, it’s important that security awareness training is incorporated into the work life of your users; it can’t be something that’s done once every six or twelve months. Hornetsecurity’s <a href="https://www.hornetsecurity.com/en/services/cyber-security-awareness-service/?LP=hornetsecurity-Article-SAS-EN&amp;Cat=Blog&amp;utm_source=hornetsecurity-blog&amp;utm_medium=content&amp;utm_campaign=security-awareness-service&amp;utm_content=Article&amp;utm_contentid=ai-cybersecurity-large-language-models-threat-landscape" rel="noreferrer" target="_blank">Security Awareness Service</a> was designed with exactly this in mind, providing short video trainings coupled with spear phishing simulations.

But overworked IT teams also don’t want to spend a lot of time scheduling training and simulations, so the service incorporates the Employee Security Index (ESI), which measures each user’s (and each group’s or department’s) likelihood of falling for targeted, simulated attacks.

This is mostly hands-off for the administrators, so the users who need extra training and tests receive it, whereas staff with already sharp instincts are tested less frequently. You can also track ESI over time and see the forecast for it.
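The adaptive cadence described in the training section (test rarely-fooled users less often, persistent clickers more often, and assign extra training) and the per-user/group index described here, as an added example that is not Hornetsecurity's ESI implementation: the half-life weighting, the thresholds, and the sample simulation results are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class SimResult:
    day: date        # date the simulated phishing mail was sent
    clicked: bool    # user clicked the lure link
    reported: bool   # user reported the mail to security


def risk_score(results, today, half_life_days=90):
    """Hypothetical 0..100 risk index: clicked=100, ignored=50, reported=0,
    weighted so a result older than the half-life counts half as much.
    A user with no results yet gets the neutral value 50."""
    weight_sum = score_sum = 0.0
    for r in results:
        age_days = (today - r.day).days
        w = 0.5 ** (age_days / half_life_days)
        outcome = 100.0 if r.clicked else (0.0 if r.reported else 50.0)
        weight_sum += w
        score_sum += w * outcome
    return 50.0 if weight_sum == 0 else score_sum / weight_sum


def next_plan(score):
    """Assumed cadence rules: risky users are simulated often and get training."""
    if score >= 60:
        return {"interval_days": 14, "assign_training": True}
    if score >= 30:
        return {"interval_days": 30, "assign_training": False}
    return {"interval_days": 90, "assign_training": False}


def plan_for(users, today):
    """Per-user plan plus a group-level score for a dashboard view."""
    plans = {}
    for name, results in users.items():
        score = risk_score(results, today)
        plans[name] = {"score": round(score, 1), **next_plan(score)}
    group = sum(p["score"] for p in plans.values()) / len(plans)
    return plans, round(group, 1)


# Constructed sample data (not real users or real simulation results).
TODAY = date(2024, 6, 1)
SAMPLE_USERS = {
    "alice": [SimResult(date(2024, 5, 20), clicked=True, reported=False)],
    "bob": [SimResult(date(2024, 3, 1), clicked=False, reported=True),
            SimResult(date(2024, 5, 25), clicked=False, reported=True)],
    "carol": [SimResult(date(2024, 1, 1), clicked=True, reported=False),
              SimResult(date(2024, 5, 25), clicked=False, reported=True)],
    "dave": [],
}

if __name__ == "__main__":
    plans, group = plan_for(SAMPLE_USERS, TODAY)
    for name, plan in plans.items():
        print(name, plan)
    print("group score:", group)
```

Carol's old click decays behind her recent report, so she drops to the quarterly cadence, while Alice's fresh click puts her on the two-week cycle with training assigned.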

                     <img alt="Employee Security Index dashboard" height="794" src="https://www.hornetsecurity.com/wp-content/uploads/2024/04/Employee-Security-Index-dashboard.png" title="Employee Security Index dashboard" width="1600" />
                </div><div>
                        
                        
                        
                        
                        <div><p><em>Employee Security Index dashboard</em></p></div>
                </div><div>
                        
                        
                        
                        
                        <div>There’s also a gamification aspect where users can compare themselves to others, which creates a strong incentive to be more cautious and sharpen instincts. The training material is available in multiple languages.

Another benefit of the Security Awareness Service is the statistics: it gives security teams and business leaders data to understand the current risk profile of their staff, and where boosts of extra training might need to be deployed.



             </div><div>
                        <div>
                        
                        
                        
                        
                        <div><div></div></div><div>
                        
                        
                        
                        
                        <div><em>Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s </em><a href="https://www.hornetsecurity.com/en/services/cyber-security-awareness-service/?LP=hornetsecurity-Article-SAS-EN&amp;Cat=Blog&amp;utm_source=hornetsecurity-blog&amp;utm_medium=content&amp;utm_campaign=security-awareness-service&amp;utm_content=Article&amp;utm_contentid=ai-cybersecurity-large-language-models-threat-landscape" rel="noreferrer" target="_blank"><em>Security Awareness Service</em></a><em> for comprehensive cyber threat education and protection.</em>

We work continuously to give our customers confidence in their Spam & Malware Protection and Advanced Threat Protection strategies.

Discover the latest in cybersecurity: How to Spot a Phishing Email in The Age of AI. Learn how AI fuels sophisticated phishing attacks and gain actionable insights to protect your business.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


             </div><div>
                        <div>
                        
                        
                        
                        
                        <div>
                        
                        
                        
                        
                        <div><h2>Conclusion</h2></div>
                </div><div>
                        
                        
                        
                        
                        <div>Everyone in business today is somewhat aware of the risks of cyber-attacks, <a href="https://www.hornetsecurity.com/en/knowledge-base/phishing-the-danger-of-malicous-phishing-mails/" rel="noreferrer" target="_blank">phishing messages</a>, and identity theft. It’s essential for businesses to recognize that cybersecurity threats are constantly evolving, especially in the age of AI.

Threat actors are leveraging AI tools to create sophisticated phishing attacks that can lead employees to click on malicious links or disclose sensitive information. The phishing samples we’ve shared should serve as a good source for communicating the signs of scam emails to your staff.

             </div><div>
                        <div>
                        
                        
                        
                        
                        <div>
                        
                        
                        
                        
                        <div>
                </div>
                </div>
                        
                        
                        
                        
                </div><div>
                        <div>
                        
                        
                        
                        
                        <div>
                        
                        
                        
                        
                        <div><h2>FAQ</h2></div>
                </div><div>
                        
                        
                        
                        
                        <h4>How are Large Language Models (LLMs) impacting cybersecurity?</h4>
                        <div>LLMs, such as ChatGPT, have significantly altered the threat landscape by enabling automation and sophistication in malicious activities. They’ve democratized cybercrime, allowing even novice criminals to conduct sophisticated attacks. Specifically, LLMs are enhancing code quality, refining phishing emails, translating attacks into multiple languages, and facilitating targeted research for social engineering attacks.</div>
                </div><div>
                        
                        
                        
                        
                        <h4>What characteristics make phishing emails successful?</h4>
                        <div>Successful phishing emails blend seamlessly into normal communication flows, evoke emotions such as greed, shame, or fear, and prompt urgent actions. They mimic the appearance of legitimate messages, utilize familiar logos and formats, and contain requests that seem plausible, like providing personal details or clicking on links.</div>
                </div><div>
                        
                        
                        
                        
                        <h4>How can organizations improve their cyber resilience?</h4>
                        <div>Organizations can enhance cyber resilience through comprehensive user training, which fosters a culture of “polite paranoia” and encourages questioning unusual requests. Continuous, engaging, and practical training modules combined with simulated phishing attacks help users recognize and respond to threats effectively. Leadership plays a crucial role in setting the tone for security awareness and adherence to secure processes throughout the organization.</div>
                </div>
                </div>
                        
                        
                        
                        
                </div>
                        
                        
</div><p>The post <a href="https://www.hornetsecurity.com/en/compliance/nis2-directive-decoding-its-significance-and-implications/" rel="noreferrer" target="_blank">NIS2 Directive: Decoding its Significance and Implications</a> appeared first on <a href="https://www.hornetsecurity.com/en/" rel="noreferrer" target="_blank">Hornetsecurity</a>.</p>

Article Link: https://www.hornetsecurity.com/en/compliance/nis2-directive-decoding-its-significance-and-implications/
