Improving Data Security To Ensure Cybersecurity Compliance

The UK government is set to follow the new NIS 2 Directive (NIS 2) that has been recently adopted by the EU. NIS 2 replaces the existing legal framework (the NIS Directive), modernising it to keep up with increased digitisation and an evolving cybersecurity threat landscape.

This is intended to improve cybersecurity risk management and reporting obligations across several new sectors such as energy, transportation, healthcare, food and waste management. 

The new NIS 2 Directive eliminates certain classifications and classifies businesses as either ‘essential’ or ‘important’, while using a size-cap rule to determine which entities fall within its scope. It is expected that businesses that need to comply with NIS 2 will have to carry out a greater level of due diligence on their technology partners. As part of this evaluation process, it is highly likely that policies and processes will play a much greater role. What steps, then, should businesses take to protect their data from cyberattacks and be compliant with NIS 2?

Protecting The Many Points Of Vulnerability

To comply with NIS 2, a holistic approach is required that considers all possible threat vectors. Organisations should not assume that secure on-prem data equates to a sufficient level of compliance to meet NIS 2 criteria. Consideration should be given to the integrity of all outgoing and incoming data, as well as data that is stored in the cloud.

In this context, it is important to ask: who is ultimately liable for data in the cloud?

Cloud providers have been quick to promote security capabilities along with other benefits of scalability, cost and convenience. Yet, the security element can be somewhat misleading. Indeed, the terms and conditions of many major cloud providers include a ‘limitations of liability’ clause, which puts data-security responsibility squarely on the shoulders of the cloud user. All users need to be conscious of using adequate, and in many cases, more stringent security measures when storing their data in the cloud to assure wider stakeholders of its integrity.

In addition, consideration must also be given to the integrity of data on the move with the increase in flexible working options for employees. Hybrid and remote working practices, accelerated by Covid, have become not just an outlier but the norm for many, with 40% of British adults working from home at least once per week. However, the number of workers on the move also means a corresponding increase in the number of devices in transit. These are devices that would otherwise be kept at a desk within a fixed office, where they can be more easily secured.

Furthermore, away from the scrutiny of IT teams, remote employees may be tempted to use personal devices for work purposes, negating any protections which have been applied to certified hardware. They may work on unsecured networks in places where their passwords could be shoulder-surfed, and, potentially, lose sensitive documents on unencrypted devices between work locations. 

This all puts more demand on IT teams to improve security for data and devices in transit, while placing a greater onus on staff to ensure that no risks are taken when it comes to valuable company data. To maximise protection, it’s essential to consider encrypting files both in transit and at rest. This way, if a device is lost, left somewhere, or stolen, the information it contains cannot be accessed and data integrity is guaranteed.

Zero Trust & A Cybersecurity-Aware Culture

Improving cybersecurity to comply with NIS 2 essentially means protecting all possible points of entry that could be used by an attacker. Creating strong passwords, removing or disabling all superfluous drivers, services, and software, and setting system updates to install automatically are all sensible approaches. But Zero Trust is rapidly becoming the standard in security and involves removing the implicit trust given to individuals, tasks and computer systems.

Applying a Zero Trust policy in line with the National Institute of Standards and Technology’s (NIST) risk management framework, which promotes a ‘never trust, always verify’ approach to any request for systems access, greatly reduces the likelihood of unauthorised or unauthenticated user access.

A Zero Trust approach ensures that any long-term access to information is revoked. This helps companies tighten controls on their networks and requires access only to be granted as and when it is needed.

This denies attackers the opportunity to spread widely around a network, or sit for long periods of time undetected, waiting for an opportunity to strike. 

Encrypting Valuable Data To Guard Against Threat

Finally, it’s important to consider the measures that businesses can take to further safeguard data. Dedicated tools, documentation, and training will help mitigate risks and keep products and services up-to-date and protected. Secure encryption is another method, enhancing the security of key files and of any communications between client apps and servers.

Encrypting data, even when it is stored in the cloud, vastly improves the security of company files and can provide the required superior levels of protection. A PIN-authenticated, encrypted USB flash drive or HDD/SSD with on-device crypto-chip and AES-XTS 256-bit encryption will offer complete data integrity, even if a brute-force attack is attempted. In addition, using a device with an internal microprocessor that is Common Criteria EAL5+ Certified, and encrypting data with a FIPS PUB 197 certified AES 256-bit encrypted encryption key, brings into play military-grade protection.

The expanding cybersecurity landscape is bringing with it many new challenges which require innovative responses. Complying with the NIS 2 Directive by taking steps to adhere to principles of Zero Trust, encrypt data, and educate staff as to their responsibilities will help ensure robust cybersecurity.

Whether working on or off-site, such an approach will prevent the long-lasting negative impact associated with cyber attacks and the loss of valuable information, ultimately resulting in safer data. 

 

John Michael is Founder & CEO of iStorage
