NIS 2: the ultimate guide to preparing your company for cyber resilience
Essential strategies to ensure digital security
Introduction
In the digital age, cybersecurity has become a priority for all companies, regardless of industry. One of the most significant challenges remains the lack of awareness and engagement among employees. According to Gartner, by 2025, 45% of organizations are expected to have experienced attacks on their software supply chains. Cyberattacks are having an increasing impact, making cybersecurity ever more crucial, and an organization's security is increasingly tied to the security level of the weakest partner in its chain.
The context
It is believed that by the end of 2024, we will witness highly sophisticated and impactful attacks arising from the use of Artificial Intelligence (AI) and Machine Learning (ML), capable of causing large-scale data breaches. Just consider what happened in June 2023 with the supply chain attack on MOVEit software, which affected over 130 organizations worldwide, including Shell, Siemens Energy, Schneider Electric, UCLA, Sony, EY, Aer Lingus, PwC, Cognizant, and AbbVie, as well as law firms Kirkland & Ellis and K&L Gates.
Moreover, industry experts believe we will increasingly have to deal with cybercriminals who will use zero-day vulnerabilities and phishing techniques to orchestrate sophisticated supply chain attacks.
It is no coincidence that the NIS 2 Directive requires essential and important entities, which are responsible for maintaining a high level of cybersecurity within their organizations, to raise employee awareness of cyber threats such as phishing and social engineering. Every person within the organization plays a crucial role in ensuring cybersecurity.
What is NIS 2?
The NIS 2 Directive aims to establish a common cybersecurity strategy, raising the security level of digital services on a European scale. It complements other regulations and guidelines on data protection and privacy, such as the GDPR, the DORA Regulation, and the Cyber Resilience Act, to address increasingly sophisticated and invasive cyber threats, which have risen significantly in recent years across all sectors.
It is worth noting that the National Cybersecurity Agency has issued a strategic document aimed at supporting cybersecurity research and innovation by the public and private sectors. It is the result of joint work between the National Cybersecurity Agency and the Ministry of University and Research.
What to do to comply with the NIS 2 Directive?
To prepare for the implementation of NIS 2, companies must start with a risk assessment to plan appropriate measures. It is essential to establish a solid governance framework to identify and document the roles and responsibilities of key stakeholders. Another key aspect is the regular training of employees to raise awareness and spread common digital hygiene practices. Finally, it is important to conduct periodic risk assessments and regular security checks to keep cybersecurity solutions up to date.
How can this challenge be addressed?
The NIS 2 Directive, whose transposition into national legislation in all EU countries is expected by October 18th, requires national security plans and specialized teams. It is essential to activate processes and dedicated training sessions to raise awareness and actively engage employees on cybersecurity issues, with the goal of providing them with the tools they need to recognize, prevent, and manage cyber threats.
5 Key steps to take
To simplify the implementation of this new regulation, Italian organizations need to:
- Verify the scope of application;
- Define the measures;
- Establish the impact criteria;
- Assess the impact;
- Adopt a risk and information security management system.
Identifying your weaknesses and cyber risks, and ensuring cybersecurity and business continuity, becomes a must for CEOs of companies across Europe. It will also be crucial to recognize the importance of promoting a culture of cyber resilience through robust governance.
Sanctions
Failure to comply with the obligations, including the reporting obligations, imposed by the NIS 2 Directive results in severe sanctions. Companies that do not comply with its provisions may face fines of up to 10 million euros or 2% of global turnover. This shows the high level of importance the European Union places on cybersecurity, comparable to that reserved for personal data protection.
Conclusions
Companies do not have to do it all alone: implementing a comprehensive cybersecurity and cyber resilience plan is only possible with the support of a qualified IT team that, on one hand, defines security enhancement strategies using new IT infrastructure management solutions and, on the other, defines measures to reinforce resilience. Don’t wait until it’s too late to protect your company from cyber threats.
Identify your weaknesses today, assess the risks, and take the necessary measures to ensure the continuity of your business. Contact us for a consultation and make sure you are always one step ahead of cyber threats!