Improving Data Security To Ensure Cybersecurity Compliance

Uploaded on 2023-06-20 in BUSINESS-Services-Law, FREE TO VIEW, GOVERNMENT-National

The UK government is set to follow the new NIS 2 Directive (NIS 2) that has been recently adopted by the EU. NIS 2 replaces the existing legal framework (NIS Directive) modernising it to keep up with increased digitisation and an evolving cybersecurity threat landscape.

This is intended to improve cybersecurity risk management and reporting obligations across several new sectors such as energy, transportation, healthcare, food and waste management. 

The new NIS 2 Directive eliminates certain classifications, and clarifies businesses as either ‘essential’ or ‘important’, while using a size-cap rule to determine which entities fall within its scope . It is expected that businesses that need to comply with NIS 2 will have to carry out a greater level of due diligence on their technology partners. As part of this evaluation process, it is highly likely that policies and processes will play a much greater role. What steps, then, should businesses take to protect their data from cyberattacks and be compliant with NIS 2?

Protecting The Many Points Of Vulnerability

To comply with NIS 2, a holistic approach is required that considers all possible threat vectors. Organisations should not assume that just because on-prem data is secure, that this equates to a sufficient level of compliance to meet NIS 2 criteria. Consideration should be given to the integrity of all outgoing and incoming data, as well as data that is stored in the cloud.

In this context, it is important to question who is ultimately liable for data in the cloud?

Cloud providers have been quick to promote security capabilities along with other benefits of scalability, cost and convenience. Yet, the security element can be somewhat misleading. Indeed, the terms and conditions of many major cloud providers include a ‘limitations of liability’ clause, which puts data-security responsibility squarely on the shoulders of the cloud user. All users need to be conscious of using adequate, and in many cases, more stringent security measures when storing their data in the cloud to assure wider stakeholders of its integrity.

In addition, consideration must also be given to the integrity of data on the move with the increase in flexible working options for employees. Hybrid and remote working practices, accelerated by Covid, have become not just an outlier but the norm for many, with 40% of British adults working from home at least once per week . However, the number of workers on the move also means a corresponding increase in the number of devices in transit. These are devices that would otherwise be kept at a desk within a fixed office, where they can be more easily secured. 

Furthermore, away from the scrutiny of IT teams, remote employees may be tempted to use personal devices for work purposes, negating any protections which have been applied to certified hardware. They may work on unsecured networks in places where their passwords could be shoulder-surfed, and, potentially, lose sensitive documents on unencrypted devices between work locations. 

This all puts more demand on IT teams to improve security for data and devices in transit, while placing a greater onus on staff to ensure that no risks are taken when it comes to valuable company data. To maximise protection, it’s essential to consider encrypting files both in transit and at rest. This way, if a device is lost, left somewhere, or is stolen, the information it contains cannot be accessed and data integrity is guaranteed. 

Zero Trust & A Cybersecurity-Aware Culture

Improving cybersecurity to comply with NIS 2 essentially means protecting all possible points of entry that could be used by an attacker. Creating strong passwords, removing or disabling all superfluous drivers, services, and software, and setting system updates to install automatically are all sensible approaches. But, Zero Trust is rapidly becoming the standard in security and involves removing the implicit trust given to individuals, tasks and computer systems.

Applying a Zero Trust policy in line with the National Institute of Standards and Technology’s (NIST)  risk management framework, which promotes a never trust and always verify approach to any request for systems access, greatly reduces the likelihood of unauthorised or unauthenticated user access.

A Zero Trust approach ensures that any long-term access to information is revoked. This helps companies tighten controls on their networks and requires access only to be granted as and when it is needed.

This denies attackers the opportunity to spread widely around a network, or sit for long periods of time undetected, waiting for an opportunity to strike. 

Encrypting Valuable Data To Guard Against Threat

Finally, it’s important to consider the measures that businesses can take to further safeguard data. Dedicated tools, documentation, and training will help mitigate risks and keep products and services up-to-date and protected. Secure encryption is another method, enabling the security of key files and any communications between client apps and servers to be enhanced. 

Encryption, even when stored in the cloud, vastly improves the security of company files and can provide the required superior levels of protection. A PIN-authenticated, encrypted USB flash drive or HDD/SSD with on-device crypto-chip and AES-XTS 256-bit encryption will offer complete data integrity, even if brute force action is used. In addition, using a device with an internal microprocessor that is Common Criteria EAL5+ Certified, and encrypting data with a FIPS PUB 197 certified AES 256-bit encrypted encryption key brings into play military grade protection.

The expanding cybersecurity landscape is bringing with it many new challenges which require innovative responses. Complying with the NIS 2 Directive by taking steps to adhere to principles of Zero Trust, encrypt data, and educate staff as to their responsibilities will help ensure robust cybersecurity.

Whether working on or off-site, such an approach will prevent the long-lasting negative impact associated with cyber attacks and the loss of valuable information, ultimately resulting in safer data. 

 

John Michael is Founder & CEO of iStorage

You Might Also Read:

Exploring The Benefits Of Continuous Compliance:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Manufacturers Are Today's Top Target For Cyber Crime 
Data Sovereignty »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Hyve

Hyve

Hyve provide a wide range of managed web hosting services including private, hybrid and public VMware cloud hosting.

SharkGate

SharkGate

SharGate provide a cloud-based website security solution to protect websites from being hacked.

Hitachi Systems Security

Hitachi Systems Security

Hitachi Systems Security provides customized services for monitoring and protecting the most critical and sensitive IT assets in our clients’ infrastructures 24/7.

Intensity Analytics

Intensity Analytics

Intensity Analytics is a software firm that develops next-generation, physical user and entity behavioral authentication ("physical UEBA") security software technology.

Synack

Synack

Synack provides a hacker-powered intelligence platform that uncovers security vulnerabilities that often remain undetected by traditional pen testers and scanners.

RedShield Security

RedShield Security

RedShield is the world's first web application shielding-with-a-service company.

Concordium

Concordium

Concordium aims to build the world’s leading open-source, permissionless, and decentralized blockchain with built-in user identity at the protocol level.

RocketCyber

RocketCyber

RocketCyber is a Managed SOC platform empowering Managed Service Providers (MSPs) to deliver security services to small and medium businesses.

BullWall

BullWall

BullWall is a digital innovator dedicated to fight cybercrime in its many forms. Our overarching purpose is to stop new and unknown strings of ransomware attacks in its tracks.

iON United

iON United

iON United is a full-service IT security solutions provider and one of the most trusted names in cybersecurity in Canada.

Cyber Bytes Foundation

Cyber Bytes Foundation

Cyber Bytes Foundation exists to establish and sustain a unique Cyber Ecosystem to accelerate the development of a strong Cyber workforce and support community outreach programs.

Path Forward IT

Path Forward IT

Path Forward IT has been troubleshooting, architecting, migrating, protecting, and securing IT environments for businesses across the USA since 2002.

Focus on Security

Focus on Security

Focus on Security are Cyber Security recruitment specialists. We’re dedicated to connecting you with the top Cyber Security talent across the globe. We focus on partnerships and results.

VP Techno Labs

VP Techno Labs

VP Techno Labs is an award-winning cybersecurity firm focusing only cybersecurity to develop cutting edge solutions for emerging business.

PROVINTELL Cyber Security

PROVINTELL Cyber Security

PROVINTELL is a Managed Security Service Provider (MSSP) specialising in Next-Gen Cyber Defense and Response to detect and respond to threats.

IT-Schulungen.com / New Elements GmbH

IT-Schulungen.com / New Elements GmbH

Under the name IT-Schulungen.com, the Nuremberg-based New Elements GmbH has been operating one of the largest training centres in the German-speaking world for over 20 years.