Building An Identity-First Security Strategy

Uploaded on 2023-01-19 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-IT & Telecoms

If 2022 taught us anything, it’s that no enterprise is too large or small to become a target of a cybercriminal. Yet, many businesses do not have adequate defences in place to sufficiently protect themselves. In the event of an attack, the casualties extend further than the targeted network. All individuals with data entrusted to that breached system are now at the mercy of the cybercriminal.

The severity of cyber threats is even more serious given the increase in state-backed cyber warfare last year as a result of geopolitical tensions.

Governments and citizens can no longer rely on enterprises – especially those supporting vital infrastructure – to decide if their cybersecurity strategy adequately protects sensitive data and information. Therefore, governments and regional organisations are asserting legal cybersecurity standards to increase overall protection. 

An example of lawmakers addressing this is the European Union’s NIS2 (Network and Information Security) Directive, which seeks to extend the reach of businesses legally required to improve their cybersecurity standards, to mitigate future data breaches. However, while a worthwhile mission, NIS2 overlooks the role of identity verification in secure data management.

The NIS2 Directive

Previously the European Union has attempted to impose stronger cybersecurity standards; last December the NIS Directive was enacted into legislation. This requires all essential business services to implement a Computer Security Incident Response Team (CSIRT) and a national NIS authority. It mandates that these businesses must notify relevant authorities of any serious incidents. A year on, legislators have raised the stakes and enacted modifications to the NIS, known as the NIS2 Directive.

So what exactly has changed? Effectively NIS2 will extend the qualifying parameters of organisations and sectors that are obliged to adopt increased levels of cybersecurity. The existing NIS Directive encompasses critical sectors such as health, finance, energy and transport, and NIS2 goes one step further and imposes cybersecurity standards on public and private services providers with access to critical infrastructure and personal data. This includes services such as digital communication and postal as well as social media platforms. NIS2 came into effect in December 2022, and member states have 21 months to implement the required standards. 

A promising feature of NIS2 is the voluntary peer-learning mechanism, whereby nations can enhance mutual trust by sharing cybersecurity best practices, ultimately strengthening regional security. Cybercriminals are nothing if not innovative, and organisations must treat cybersecurity as an evolutionary process, constantly changing and needing to be reviewed and updated in line with new emerging threats.

While the ambitions behind the proposed NIS2 are very promising, there are still many member states that do not adhere to the existing NIS Directive, let alone are ready for an extended version.

Strategising For Business Impact

Enterprises must now review the protection of their networks and systems to identify internal risks and vulnerabilities to ensure they are in line with the updated NIS2 standards. Once enterprises are satisfied that, at the minimum, their security meets the legislative baseline, they must also update internal procedures to reflect the next element of the NIS2 response. Like every great emergency service, there must be a response unit that, in the event of an attack, can assume control and manage the situation. For this reason, businesses need to ensure that in the event of a security incident, their procedures include plans to contact the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) within 24 hours of the attack.

As the legislative reach of the NIS2 now extends to smaller enterprises that may have limited experience and infrastructure in coordinating a cybersecurity strategy of this magnitude, the directive will likely lead to a rise in CISO roles in smaller-sized businesses. If an enterprise wants to truly adopt the components of the NIS2 and ensure greater security, it must invest internally in people, processes and technology. 

Towards An Identified Union

The NIS2, while a promising start in strengthening cybersecurity, fails to avoid the pitfalls of the existing NIS Directive. The clear aim of this updated version is to protect data and information of critical importance, however, it only manages to update security and increase the response to an attack. What the NIS2 does not include, is tackling the main threat behind data breaches - identity. 

Typically, an attacker will use identity to assume privileges given to the hacked user. Effectively protecting identities, both human and machine, is a top priority for enterprises.
 
Implementing identity-first security principles would consist of establishing frameworks such as Public Key Infrastructure (PKI)-based infrastructure. Implementing PKI digital certificates within critical infrastructure adds an encrypted layer that can verify and authenticate the identity of websites, networks and users attempting to access the system.

This would essentially act like a passport within a network system to determine that all employees accessing the network are genuine and secure. 

Identity-first security is not only about encryption. It also involves the evaluation and management of access to data within a system. This is where the human element of identity comes into play. Every employee has the potential to benefit or hinder the security of the entire system. Adopting identity-first security principles -  the process of securing identity management by reviewing and managing access points to sensitive data - is the only way businesses can be confident there are no vulnerabilities within their networks. When thinking about this in line with the NIS2 directive, employing identity-first security ensures a promising cybersecurity strategy for a future-proof union. 

Cybersecurity is now the responsibility of all and must be treated as such. A legislative development that legally mandates entities to improve their cybersecurity defences is a meaningful step towards securing the future.

While the main tenets of the NIS2 are strong, namely extending its reach to encompass the many players in the data network, it ultimately fails to go far enough to protect data and identity. Much like when strengthening a fortress, it is not enough to build a higher wall, one must also search to shore up weak points around the perimeter.

Tim Callan is  Chief Experience Officer at Sectigo

You Might Also Read:  

PAM, IAM, Or Both?:

____________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

« For Sale: Data Stolen From Volvo 
Cyber Security Issues For The Mobile Industry »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Quotium

Quotium

Quotium provides automated testing technologies to make business software applications secure and robust.

Cyber Security Centre - University of Hertfordshire

Cyber Security Centre - University of Hertfordshire

The Cyber Security Centre provides training, teaching and research in the fast paced topics of cyber security and digital forensics.

eco

eco

eco, with more than 950 member organizations, is the largest Internet industry association in Europe.

National Association of State Chief Information Officers (NASCIO)

National Association of State Chief Information Officers (NASCIO)

NASCIO's Cybersecurity Committee focuses helps state CIOs to formulate high-level security and data protection policies and technical controls.

Deep Mirror Automotive Cybersecurity

Deep Mirror Automotive Cybersecurity

Deep Mirror Automotive Cybersecurity make Cars & Infrastructures Cybersecure.

Techleap.nl

Techleap.nl

Techleap.nl is a non-profit publicly funded organisation helping to quantify and accelerate the tech ecosystem of the Netherlands.

Drootoo

Drootoo

Drootoo is transforming businesses and making them high performing entities with its unified cloud platform.

Upfort

Upfort

Upfort (formerly Paladin Cyber) unifies award-winning security and robust cyber insurance to deliver comprehensive cyber risk solutions.

Secure-IC

Secure-IC

Secure-IC provide end-to-end, best-of-breed security expertise, solutions, and hardware & software technologies, for embedded systems and connected objects.

MISP Project

MISP Project

The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators.

01 Communique Laboratory

01 Communique Laboratory

01 Communique Laboratory is an innovation leader in the new realm of Post-Quantum Cyber Security.

Chainlink

Chainlink

Chainlink expands the capability of smart contracts by enabling access to real-world data and systems without sacrificing the security and reliability guarantees inherent to blockchain technology.

Zorus

Zorus

Zorus provides best-in-class cybersecurity products to MSP partners to help them grow their business and protect their clients.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Orchestrate Technologies

Orchestrate Technologies

Orchestrate Technologies provides computer network and IT managed services for small and mid-market clients as well as small enterprise businesses.

Awareness Software Limited (ASL)

Awareness Software Limited (ASL)

As Hosting Specialists, Awareness Software offer practical and affordable hosting solutions including backup and disaster recovery and a range of cybersecurity services.