Improving Data Security To Ensure Cybersecurity Compliance

Uploaded on 2023-06-20 in BUSINESS-Services-Law, FREE TO VIEW, GOVERNMENT-National

The UK government is set to follow the new NIS 2 Directive (NIS 2) that has been recently adopted by the EU. NIS 2 replaces the existing legal framework (NIS Directive) modernising it to keep up with increased digitisation and an evolving cybersecurity threat landscape.

This is intended to improve cybersecurity risk management and reporting obligations across several new sectors such as energy, transportation, healthcare, food and waste management. 

The new NIS 2 Directive eliminates certain classifications, and clarifies businesses as either ‘essential’ or ‘important’, while using a size-cap rule to determine which entities fall within its scope . It is expected that businesses that need to comply with NIS 2 will have to carry out a greater level of due diligence on their technology partners. As part of this evaluation process, it is highly likely that policies and processes will play a much greater role. What steps, then, should businesses take to protect their data from cyberattacks and be compliant with NIS 2?

Protecting The Many Points Of Vulnerability

To comply with NIS 2, a holistic approach is required that considers all possible threat vectors. Organisations should not assume that just because on-prem data is secure, that this equates to a sufficient level of compliance to meet NIS 2 criteria. Consideration should be given to the integrity of all outgoing and incoming data, as well as data that is stored in the cloud.

In this context, it is important to question who is ultimately liable for data in the cloud?

Cloud providers have been quick to promote security capabilities along with other benefits of scalability, cost and convenience. Yet, the security element can be somewhat misleading. Indeed, the terms and conditions of many major cloud providers include a ‘limitations of liability’ clause, which puts data-security responsibility squarely on the shoulders of the cloud user. All users need to be conscious of using adequate, and in many cases, more stringent security measures when storing their data in the cloud to assure wider stakeholders of its integrity.

In addition, consideration must also be given to the integrity of data on the move with the increase in flexible working options for employees. Hybrid and remote working practices, accelerated by Covid, have become not just an outlier but the norm for many, with 40% of British adults working from home at least once per week . However, the number of workers on the move also means a corresponding increase in the number of devices in transit. These are devices that would otherwise be kept at a desk within a fixed office, where they can be more easily secured. 

Furthermore, away from the scrutiny of IT teams, remote employees may be tempted to use personal devices for work purposes, negating any protections which have been applied to certified hardware. They may work on unsecured networks in places where their passwords could be shoulder-surfed, and, potentially, lose sensitive documents on unencrypted devices between work locations. 

This all puts more demand on IT teams to improve security for data and devices in transit, while placing a greater onus on staff to ensure that no risks are taken when it comes to valuable company data. To maximise protection, it’s essential to consider encrypting files both in transit and at rest. This way, if a device is lost, left somewhere, or is stolen, the information it contains cannot be accessed and data integrity is guaranteed. 

Zero Trust & A Cybersecurity-Aware Culture

Improving cybersecurity to comply with NIS 2 essentially means protecting all possible points of entry that could be used by an attacker. Creating strong passwords, removing or disabling all superfluous drivers, services, and software, and setting system updates to install automatically are all sensible approaches. But, Zero Trust is rapidly becoming the standard in security and involves removing the implicit trust given to individuals, tasks and computer systems.

Applying a Zero Trust policy in line with the National Institute of Standards and Technology’s (NIST)  risk management framework, which promotes a never trust and always verify approach to any request for systems access, greatly reduces the likelihood of unauthorised or unauthenticated user access.

A Zero Trust approach ensures that any long-term access to information is revoked. This helps companies tighten controls on their networks and requires access only to be granted as and when it is needed.

This denies attackers the opportunity to spread widely around a network, or sit for long periods of time undetected, waiting for an opportunity to strike. 

Encrypting Valuable Data To Guard Against Threat

Finally, it’s important to consider the measures that businesses can take to further safeguard data. Dedicated tools, documentation, and training will help mitigate risks and keep products and services up-to-date and protected. Secure encryption is another method, enabling the security of key files and any communications between client apps and servers to be enhanced. 

Encryption, even when stored in the cloud, vastly improves the security of company files and can provide the required superior levels of protection. A PIN-authenticated, encrypted USB flash drive or HDD/SSD with on-device crypto-chip and AES-XTS 256-bit encryption will offer complete data integrity, even if brute force action is used. In addition, using a device with an internal microprocessor that is Common Criteria EAL5+ Certified, and encrypting data with a FIPS PUB 197 certified AES 256-bit encrypted encryption key brings into play military grade protection.

The expanding cybersecurity landscape is bringing with it many new challenges which require innovative responses. Complying with the NIS 2 Directive by taking steps to adhere to principles of Zero Trust, encrypt data, and educate staff as to their responsibilities will help ensure robust cybersecurity.

Whether working on or off-site, such an approach will prevent the long-lasting negative impact associated with cyber attacks and the loss of valuable information, ultimately resulting in safer data. 

 

John Michael is Founder & CEO of iStorage

You Might Also Read:

Exploring The Benefits Of Continuous Compliance:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Manufacturers Are Today's Top Target For Cyber Crime 
Data Sovereignty »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Intelligence-sec

Intelligence-sec

Intelligence-Sec is a fully integrated Conferences and Exhibitions Company managing and producing topical events for the security industry.

Ethio-CERT

Ethio-CERT

National Cyber Emergency Readiness and Response Team of Ethiopia.

Superscript

Superscript

Superscript (formerly Digital Risks) is an insurance broker for small businesses, sole-traders, landlords and high-growth tech firms. Our services include Cyber Liability insurance.

Institute for Critical Infrastructure Technology (ICIT)

Institute for Critical Infrastructure Technology (ICIT)

ICIT is a leading cybersecurity think tank providing objective research, advisory, and education to legislative, commercial, and public-sector cybersecurity stakeholders.

Bericon Forensics

Bericon Forensics

Bericon is one of the longest established forensic science consultancies in the UK. Activities include computer and mobile phone forensics.

CERT NZ

CERT NZ

CERT NZ supports businesses, organisations and individuals affected by cyber security incidents, and provide trusted and authoritative information and advice.

VXRL

VXRL

VXRL is a Hong Kong-based cybersecurity company. We provide consulting services, penetration testing, and corporate training.

Ribbon Communications

Ribbon Communications

Ribbon Communications delivers global communications software and network solutions to service providers, enterprises, and critical infrastructure sectors.

SOC Experts

SOC Experts

SOC Experts is a pioneer (we started SOC training well before people realized how big the domain was going to be) and the only institution to provide end-to-end training on Security Operations Centers

Conference on Applied Machine Learning in Information Security (CAMLIS)

Conference on Applied Machine Learning in Information Security (CAMLIS)

CAMLIS is a venue for discussing applied research on machine learning, deep learning and data science in information security.

General Informatics

General Informatics

General Informatics is a team of technology enthusiasts with one mission: to make our clients even more successful through the best use of technology.

Cylab - Carnegie Mellon University

Cylab - Carnegie Mellon University

Carnegie Mellon University CyLab is the University's security and privacy research institute.

All About Cookies

All About Cookies

All About Cookies is an informational website that provides tips, advice, and recommendations to help you with Online Privacy, Identity Theft Prevention, Antivirus Protection, and Digital Security.

Evolver

Evolver

Evolver delivers technology services and solutions that improve security, promote innovation, and maximize operational efficiency in support of government and commercial customers.

Control D

Control D

Control D is a modern and customizable DNS service that blocks threats, unwanted content and ads - on all devices.

CyberForce Global

CyberForce Global

CyberForce Global are at the forefront of start-up technology recruitment in areas including cybersecurity, IT infrastructure, software, fintech, blockchain and more.