In the past few years, an extensive variety of regulations, guidelines and directives have been introduced and updated in the EU and the UK, exposing non-compliant organisations to severe consequences. It is easy to feel lost or frustrated in this sea of compliance, or to assume that your business will not be improved or affected by cyber security concerns.
However, regulations are a reality within today’s business world, and the cyber security issues they address are not only compelling but also rapidly escalating. Therefore, while they can seem burdensome and unnecessary, compliance measures such as the Network & Information Systems (NIS) Regulations will ultimately help keep your business resilient and operations safe while protecting your revenue.
Whenever a new regulation is created and implemented, it is a useful time to take stock of your current cyber security measures. These regulations are written with expert advice, responding to issues that currently hinder business or put customer data at risk. The NIS, for example, was written expressly to ensure that organisations critical to society and the national economy were taking steps to heighten their cyber security abilities, therefore heightening the EU’s overall cyber resilience. Complying with the NIS, therefore, will have a positive effect on your cyber security posture.
There are regulatory consequences if an organisation is not compliant with the NIS, such as fines of up to £17 million, depending on the severity of the case. However, even if an organisation escapes a large fine, the effects of a preventable cyber attack under the NIS include prolonged customer mistrust and interrupted business processes.
With the NIS already enforced in the UK as of May 2018, organisations should by now have made the necessary changes to their cyber security processes. However, according to our own research, out of approximately 2,500 organisations that should have registered with the authorities set up by the NIS, only 10% did.
If you are one of these organisations, it is time to look at your cyber security posture and make some changes – not just for the sake of the NIS regulation, but in your organisation’s own interests.
To transform your cyber security processes and become compliant with the NIS, consider these suggestions:
- Understand your supply chain vulnerabilities. You are likely connected to a network of third parties that are necessary for running your organisation, and such third parties are often the entry point for data breaches or other cyber attacks. It is therefore imperative to assess and monitor your third-party ecosystem, ensuring that those parties are secure, while maintaining a mitigation strategy for these potential cyber attacks.
- Make risk management a continuous feedback loop, regularly determining common cyber risks and effective mitigation strategies. This allows you to accurately respond to any risks, and adapt inadequate mitigation plans.
- Create a culture of cyber security within your organisation. A secure culture begins with individuals. Organisations must take responsibility for teaching their employees how to avoid basic security risks, such as recognising phishing emails or consistently locking computers when away from their desks. Additionally, there should be a risk reporting process, with stakeholders across the organisation aware of their responsibilities and the required responses in case of a cyber attack, data breach or other concern. Finally, due diligence practices should be repeated at regular intervals and verified.
More guidance on this can be found at the UK’s National Cyber Security Centre’s website, which provides organisations with a Cyber Assessment Framework.