Looking under the microscope at the NIS directive

The clock is ticking down to the General Data Protection Regulation (GDPR), and most businesses are scrambling to ensure that they are prepared for its implementation on the 25th May. Organisations are being peppered with advice from all directions on how to prepare for the upcoming regulation and avoid the fine of €20 million, or 4 per cent of their annual turnover. Each team within an organisation needs to ensure that they are taking the right steps to prepare. For example, many Security and IT teams are working overtime to ensure that defences are heightened to protect against a potential data breach; CFOs are drawing up financial plans to ensure the business would be able to survive the maximum fine; and legal teams are hard at work guaranteeing compliance with the demanding requirements.

However, compared to the GDPR, there seems to be little to no noise about, or attention paid to, its quiet cousin: the Networks and Information Systems (NIS) Directive. This is surprising, as the NIS Directive comes into play two weeks before the GDPR, on the 9th May, and organisations found to be non-compliant will face a similar fine of between €10 million and €20 million, or 2-4 per cent of their annual global turnover. So, this is certainly not something that businesses should ignore. For some organisations, the GDPR and NIS Directive will necessarily be implemented in tandem, adding complexity to planning and deployment. In other words, those affected by the NIS Directive may also be required to comply with the GDPR, facing the potential for two sets of monumental fines if they are found to be non-compliant with both regulations.

The NIS directive: Under the microscope

Unlike the GDPR, the NIS Directive does not apply to everyone that handles EU residents’ data, but instead targets organisations that are classed as “essential services”. These services are defined by the Centre for the Protection of National Infrastructure (CPNI) as “…(facilities, systems, sites, property, information, people, networks and processes), the loss or compromise of which would result in major detrimental impact on the availability, delivery or integrity of essential services, leading to severe economic or social consequences or to loss of life.” This includes a wide range of industries such as Emergency Services, Energy, Finance, Food, Government, Healthcare Providers, Satellite Communications, Transport and Water, as well as Digital Infrastructure; this also includes Online Marketplaces, Online Search Engines, and Cloud Computing Services.

While the GDPR focuses on data privacy, the NIS Directive aims to raise the overall levels of cybersecurity readiness for these essential services across the EU by establishing common standards for preparedness, cooperation, response and cybersecurity awareness.

Key points of the NIS Directive are as follows:

  • Operators of essential services are responsible for their own compliance. However, member states should encourage businesses to develop thorough response and recovery measures, security awareness education programs and risk assessment plans.
  • Operators of essential services must take appropriate action to develop an EU-wide culture of risk management, including implementing security awareness training.
  • Operators of essential services are required to take appropriate technical and organisational measures to secure their network and information systems and minimise the impact of security incidents.
  • If any significant security incidents do occur, operators are required to notify local CSIRTs (Computer Security Incident Response Teams) and other relevant bodies “without undue delay”.

Overall, the regulation endeavours to improve Union and international cooperation in information and network security. As the cybersecurity threat landscape continues to grow in likelihood and impact, improvement can only be achieved if individual organisations within member states fulfil the regulation’s requirements.

A reaction to the growing threat landscape

It’s not hard to understand the ‘why’ for the NIS Directive, considering the growing cybersecurity threat landscape. 2017’s newspaper headlines were dominated by cyberattacks that struck large corporations and threatened critical national infrastructure. Think about the impact that the WannaCry attack in May 2017 had on the UK’s National Health Service (NHS). 80 out of the 236 NHS trusts across England suffered disruption, as well as another 603 NHS organisations, including 595 GP practices. Staff resorted to paper and pen, and some also made use of their personal mobile phones, exposing organisations to additional cyber risk. Moreover, many other organisations that are “essential services” under the NIS Directive, such as international shipper FedEx and Spanish telecommunications company Telefonica, were also affected by the attack.

The repercussions of falling victim to a cyberattack are only likely to worsen as these attacks diversify and attackers improve their tradecraft. A significant attack might impact organisations at all levels, internally and via the extended supply chains they support and depend upon.

Giving your employees a seat at the security table

Importantly, the NIS Directive explicitly sets forth requirements for education, awareness and training programs that relate to network and information security. Security awareness is required both on a member-state level and an organisational level, as one of the objectives of the NIS Directive is to develop an EU-wide culture of risk management. This needs to be promoted “downwards” from the EU, but organisations also must play a part, from the ground up, by educating employees on how to spot and respond to cyber threats.

Every company is unique, but there are several common best practices that all organisations should consider when implementing security awareness training:

  • Organisation-wide participation: To develop a culture of risk management and cybersecurity within an organisation, you need executive and board-level support and buy-in. The C-suite should act as role models for the rest of the business, so they need to be perceived as cyber-aware and supporting of the cybersecurity cause. This will make a big difference in developing an internal culture of cybersecurity.
  • Clear communications: Don’t patronise and alienate your employees. You need to give them a seat at the security table, and having a clear internal communications strategy is a good way to keep them in the loop. For example, the board must inform their employees before they implement a security training programme, giving them background information on why the training is important and what is expected of them. This should be continually communicated throughout the campaign so that employees never need to question why they are participating.
  • Baseline vulnerability measurements: Before starting a training campaign, it is important to gauge employees’ susceptibility to phishing, measure levels of cybersecurity knowledge, and identify important metrics like the rates of malware infections and successful phishing attacks from the wild. These baselines allow you to mark your starting point and monitor progress from there.
  • Regular, ongoing assessment and training: To change mindsets and reduce the mistakes and risks associated with end-user behaviours, cybersecurity training and assessment must become a regular pursuit. In order to develop new skills, end users must be given the benefit of regular cybersecurity education and the opportunity to learn over time.  

Those organisations that are classified as ‘essential services’ shouldn’t be surprised by the NIS Directive. They should be ready, and this requires putting the directive under the microscope, alongside the GDPR, for careful analysis about organisational impact and new discussions about risk. Every business is essential to someone -- and so all businesses should take note of the NIS Directive and its requirements and see the standard as the bar everyone should meet. In order to properly defend against cyber-attacks, we need a virtual army of able employees who can recognise and report attacks to stop them in their tracks.

Alan Levine, Security Advisor to Wombat Security, a division of Proofpoint

Alan Levine is Security Advisor to Wombat Security Technologies. He is the former CISO of two Fortune 500 companies, with 20 years of experience leading global cybersecurity programs. He was a founding member of the Microsoft Security Council and Oracle's GRC Council.