Improving Data Security To Ensure Cybersecurity Compliance

Uploaded on 2023-06-20 in BUSINESS-Services-Law, FREE TO VIEW, GOVERNMENT-National

The UK government is set to follow the new NIS 2 Directive (NIS 2) that has been recently adopted by the EU. NIS 2 replaces the existing legal framework (NIS Directive) modernising it to keep up with increased digitisation and an evolving cybersecurity threat landscape.

This is intended to improve cybersecurity risk management and reporting obligations across several new sectors such as energy, transportation, healthcare, food and waste management. 

The new NIS 2 Directive eliminates certain classifications, and clarifies businesses as either ‘essential’ or ‘important’, while using a size-cap rule to determine which entities fall within its scope . It is expected that businesses that need to comply with NIS 2 will have to carry out a greater level of due diligence on their technology partners. As part of this evaluation process, it is highly likely that policies and processes will play a much greater role. What steps, then, should businesses take to protect their data from cyberattacks and be compliant with NIS 2?

Protecting The Many Points Of Vulnerability

To comply with NIS 2, a holistic approach is required that considers all possible threat vectors. Organisations should not assume that just because on-prem data is secure, that this equates to a sufficient level of compliance to meet NIS 2 criteria. Consideration should be given to the integrity of all outgoing and incoming data, as well as data that is stored in the cloud.

In this context, it is important to question who is ultimately liable for data in the cloud?

Cloud providers have been quick to promote security capabilities along with other benefits of scalability, cost and convenience. Yet, the security element can be somewhat misleading. Indeed, the terms and conditions of many major cloud providers include a ‘limitations of liability’ clause, which puts data-security responsibility squarely on the shoulders of the cloud user. All users need to be conscious of using adequate, and in many cases, more stringent security measures when storing their data in the cloud to assure wider stakeholders of its integrity.

In addition, consideration must also be given to the integrity of data on the move with the increase in flexible working options for employees. Hybrid and remote working practices, accelerated by Covid, have become not just an outlier but the norm for many, with 40% of British adults working from home at least once per week . However, the number of workers on the move also means a corresponding increase in the number of devices in transit. These are devices that would otherwise be kept at a desk within a fixed office, where they can be more easily secured. 

Furthermore, away from the scrutiny of IT teams, remote employees may be tempted to use personal devices for work purposes, negating any protections which have been applied to certified hardware. They may work on unsecured networks in places where their passwords could be shoulder-surfed, and, potentially, lose sensitive documents on unencrypted devices between work locations. 

This all puts more demand on IT teams to improve security for data and devices in transit, while placing a greater onus on staff to ensure that no risks are taken when it comes to valuable company data. To maximise protection, it’s essential to consider encrypting files both in transit and at rest. This way, if a device is lost, left somewhere, or is stolen, the information it contains cannot be accessed and data integrity is guaranteed. 

Zero Trust & A Cybersecurity-Aware Culture

Improving cybersecurity to comply with NIS 2 essentially means protecting all possible points of entry that could be used by an attacker. Creating strong passwords, removing or disabling all superfluous drivers, services, and software, and setting system updates to install automatically are all sensible approaches. But, Zero Trust is rapidly becoming the standard in security and involves removing the implicit trust given to individuals, tasks and computer systems.

Applying a Zero Trust policy in line with the National Institute of Standards and Technology’s (NIST)  risk management framework, which promotes a never trust and always verify approach to any request for systems access, greatly reduces the likelihood of unauthorised or unauthenticated user access.

A Zero Trust approach ensures that any long-term access to information is revoked. This helps companies tighten controls on their networks and requires access only to be granted as and when it is needed.

This denies attackers the opportunity to spread widely around a network, or sit for long periods of time undetected, waiting for an opportunity to strike. 

Encrypting Valuable Data To Guard Against Threat

Finally, it’s important to consider the measures that businesses can take to further safeguard data. Dedicated tools, documentation, and training will help mitigate risks and keep products and services up-to-date and protected. Secure encryption is another method, enabling the security of key files and any communications between client apps and servers to be enhanced. 

Encryption, even when stored in the cloud, vastly improves the security of company files and can provide the required superior levels of protection. A PIN-authenticated, encrypted USB flash drive or HDD/SSD with on-device crypto-chip and AES-XTS 256-bit encryption will offer complete data integrity, even if brute force action is used. In addition, using a device with an internal microprocessor that is Common Criteria EAL5+ Certified, and encrypting data with a FIPS PUB 197 certified AES 256-bit encrypted encryption key brings into play military grade protection.

The expanding cybersecurity landscape is bringing with it many new challenges which require innovative responses. Complying with the NIS 2 Directive by taking steps to adhere to principles of Zero Trust, encrypt data, and educate staff as to their responsibilities will help ensure robust cybersecurity.

Whether working on or off-site, such an approach will prevent the long-lasting negative impact associated with cyber attacks and the loss of valuable information, ultimately resulting in safer data. 

 

John Michael is Founder & CEO of iStorage

You Might Also Read:

Exploring The Benefits Of Continuous Compliance:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Manufacturers Are Today's Top Target For Cyber Crime 
Data Sovereignty »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clearwater Security & Compliance

Clearwater Security & Compliance

Clearwater Compliance specialize in Privacy, Security, Compliance and Risk Management Solutions for Health Care, Law Firms and other businesses.

Cybersecurity Philippines CERT (CSP-CERT)

Cybersecurity Philippines CERT (CSP-CERT)

Cybersecurity Philippines CERT is the national Computer Emergency Response Team for the Philippines.

Forter

Forter

Forter provides new generation fraud prevention to meet the challenges faced by modern enterprise e-commerce.

Jobsora

Jobsora

Jobsora is an innovative job search platform in the UK and more than 35 other countries around the world. Sectors covered include IT and cybersecurity.

Point Predictive

Point Predictive

Point Predictive build Predictive Models using Artificial Intelligence and Machine Learning techniques that help our customers stop fraud and early payment default (EPD).

Trianz

Trianz

Trianz Cybersecurity Services are Powered by One of the World’s Largest Databases on Digital Transformation. We Understand Evolving Risks, Technologies and Best Practices.

Intel

Intel

Intel products are engineered with built-in security technologies to help protect potential attack surfaces.

Valimail

Valimail

Valimail delivers the only complete, cloud-native platform for validating and authenticating sender identity to stop phishing, protect and amplify brands, and ensure compliance.

Winmill Software

Winmill Software

Winmill is a technology services company that provides expert consulting services in Application Development, Application Security and Cyber Security.

Moro Hub

Moro Hub

Moro Hub, a subsidiary of Digital DEWA, is a UAE-based digital data hub focused on digital transformation and operational services.

Cynical Technology

Cynical Technology

Cynical Technology is a Nepalese cybersecurity company with expertise in security consulting, auditing, testing and compliance.

CXI Solutions

CXI Solutions

CXI Solutions: Your trusted partner in cybersecurity. We offer a full range of cybersecurity solutions to protect your business from digital attacks and virtual threats.

Intertec Systems

Intertec Systems

Intertec Systems is an award-winning, global IT solutions and services provider that specializes in digital transformation, cybersecurity, sustainability, and cloud services.

Nuke From Orbit

Nuke From Orbit

Nuke's mission is to put you back in control of your digital identity when your smartphone gets stolen.

CODA Intelligence

CODA Intelligence

CODA's AI-powered attack surface management platform helps you sort out the important remediations needed in order to avoid exploits on your systems.

Skylark

Skylark

Skylark is a leading global IT services provider, transforming client’s businesses through innovative and advanced technology solutions.