Building An Identity-First Security Strategy
If 2022 taught us anything, it’s that no enterprise is too large or small to become a target of a cybercriminal. Yet, many businesses do not have adequate defences in place to sufficiently protect themselves. In the event of an attack, the casualties extend further than the targeted network. All individuals with data entrusted to that breached system are now at the mercy of the cybercriminal.
The severity of cyber threats is even more serious given the increase in state-backed cyber warfare last year as a result of geopolitical tensions.
Governments and citizens can no longer rely on enterprises – especially those supporting vital infrastructure – to decide if their cybersecurity strategy adequately protects sensitive data and information. Therefore, governments and regional organisations are asserting legal cybersecurity standards to increase overall protection.
An example of lawmakers addressing this is the European Union’s NIS2 (Network and Information Security) Directive, which seeks to extend the reach of businesses legally required to improve their cybersecurity standards, to mitigate future data breaches. However, while a worthwhile mission, NIS2 overlooks the role of identity verification in secure data management.
The NIS2 Directive
Previously the European Union has attempted to impose stronger cybersecurity standards; last December the NIS Directive was enacted into legislation. This requires all essential business services to implement a Computer Security Incident Response Team (CSIRT) and a national NIS authority. It mandates that these businesses must notify relevant authorities of any serious incidents. A year on, legislators have raised the stakes and enacted modifications to the NIS, known as the NIS2 Directive.
So what exactly has changed? Effectively NIS2 will extend the qualifying parameters of organisations and sectors that are obliged to adopt increased levels of cybersecurity. The existing NIS Directive encompasses critical sectors such as health, finance, energy and transport, and NIS2 goes one step further and imposes cybersecurity standards on public and private services providers with access to critical infrastructure and personal data. This includes services such as digital communication and postal as well as social media platforms. NIS2 came into effect in December 2022, and member states have 21 months to implement the required standards.
A promising feature of NIS2 is the voluntary peer-learning mechanism, whereby nations can enhance mutual trust by sharing cybersecurity best practices, ultimately strengthening regional security. Cybercriminals are nothing if not innovative, and organisations must treat cybersecurity as an evolutionary process, constantly changing and needing to be reviewed and updated in line with new emerging threats.
While the ambitions behind the proposed NIS2 are very promising, there are still many member states that do not adhere to the existing NIS Directive, let alone are ready for an extended version.
Strategising For Business Impact
Enterprises must now review the protection of their networks and systems to identify internal risks and vulnerabilities to ensure they are in line with the updated NIS2 standards. Once enterprises are satisfied that, at the minimum, their security meets the legislative baseline, they must also update internal procedures to reflect the next element of the NIS2 response. Like every great emergency service, there must be a response unit that, in the event of an attack, can assume control and manage the situation. For this reason, businesses need to ensure that in the event of a security incident, their procedures include plans to contact the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) within 24 hours of the attack.
As the legislative reach of the NIS2 now extends to smaller enterprises that may have limited experience and infrastructure in coordinating a cybersecurity strategy of this magnitude, the directive will likely lead to a rise in CISO roles in smaller-sized businesses. If an enterprise wants to truly adopt the components of the NIS2 and ensure greater security, it must invest internally in people, processes and technology.
Towards An Identified Union
The NIS2, while a promising start in strengthening cybersecurity, fails to avoid the pitfalls of the existing NIS Directive. The clear aim of this updated version is to protect data and information of critical importance, however, it only manages to update security and increase the response to an attack. What the NIS2 does not include, is tackling the main threat behind data breaches - identity.
Typically, an attacker will use identity to assume privileges given to the hacked user. Effectively protecting identities, both human and machine, is a top priority for enterprises.
Implementing identity-first security principles would consist of establishing frameworks such as Public Key Infrastructure (PKI)-based infrastructure. Implementing PKI digital certificates within critical infrastructure adds an encrypted layer that can verify and authenticate the identity of websites, networks and users attempting to access the system.
This would essentially act like a passport within a network system to determine that all employees accessing the network are genuine and secure.
Identity-first security is not only about encryption. It also involves the evaluation and management of access to data within a system. This is where the human element of identity comes into play. Every employee has the potential to benefit or hinder the security of the entire system. Adopting identity-first security principles - the process of securing identity management by reviewing and managing access points to sensitive data - is the only way businesses can be confident there are no vulnerabilities within their networks. When thinking about this in line with the NIS2 directive, employing identity-first security ensures a promising cybersecurity strategy for a future-proof union.
Cybersecurity is now the responsibility of all and must be treated as such. A legislative development that legally mandates entities to improve their cybersecurity defences is a meaningful step towards securing the future.
While the main tenets of the NIS2 are strong, namely extending its reach to encompass the many players in the data network, it ultimately fails to go far enough to protect data and identity. Much like when strengthening a fortress, it is not enough to build a higher wall, one must also search to shore up weak points around the perimeter.
Tim Callan is Chief Experience Officer at Sectigo
You Might Also Read:
____________________________________________________________________________________
If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquires: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible