Governance, Risk & Compliance: GRC
NIS Directive: OES and the Importance of Cybersecurity
Since the start of the Industrial Revolution, organizations have been constantly striving to improve efficiency. In the 18th and 19th centuries, it was the mechanization of manufacturing that revolutionized industry. Today, it’s the rise of digital technology.
What happens when the network and information systems of an organization that supports essential services, such as the provision of healthcare, are compromised by a cyberattack? Any breakdown in their reliability and security will not only require a robust disaster recovery and business continuity strategy, but it will also have a detrimental impact on society.
Implementing Technological Solutions: More Pros than Cons? Or Vice Versa?
As digital technology has developed, businesses and society have become increasingly reliant on network and information systems to facilitate everything from processing data to the supply of energy and water. This presents opportunities for organizations to streamline their operations, increase their competitive edge, and reduce their costs by implementing new technological solutions.
Adopting an innovative approach can, however, expose them to risks that have the potential to cause financial and reputational damage. For example, with such large volumes of digital data being processed daily, cyberattacks are a real threat, and a successful attack can also harm the owners of the compromised data.
NIS, the EU Information Directive Eclipsed by GDPR
The Network and Information Systems Directive (NIS) came into force in the United Kingdom (UK) in May 2018 – the same month the General Data Protection Regulation (GDPR) was imposed. Consequently, the NIS directive rather slipped under the radar as GDPR attracted large-scale media coverage due to its wide-reaching scope.
NIS applies to organizations in the UK that are operators of essential services (OES). However, because NIS relates to loss of services rather than loss of data, it's arguably the more disruptive of the two new cybersecurity laws.
With such critical aspects of society impacted, the NIS directive deserves the same level of attention and consideration as GDPR. The ramifications of an attack on any one of these OESs are unimaginable to most of the general population, who would be the ones affected.
What an OES Is and Why Compliance With NIS Is So Important
An OES is a public or private organization operating in the water, energy, transport, health, or digital infrastructure sector. The NIS Directive was created to ensure that organizations operating in these critical sectors are prepared to cope with the growing number of cyber threats targeted at them. Incidents that compromise network and information systems in any of these sectors have the potential to damage the UK's infrastructure and economy, and even put lives at risk. An attack on the UK's infrastructure is a very real possibility, as demonstrated by the 2015 attack on Ukraine's electricity network, which left almost a quarter of a million people without power.
Any OES that falls under the NIS Directive must meet four core objectives:
• managing security risk;
• defending systems against cyberattacks;
• detecting cybersecurity events; and
• minimizing the impact of cybersecurity incidents.
Organizations that fail to implement effective cybersecurity measures, as outlined by NIS, could face a fine of up to £17 million, or 4 percent of revenue – whichever is greater.
The financial damage caused by non-compliance with NIS shouldn't be an OES's only concern. Reputation is priceless. If customers don't think an organization is taking cybersecurity seriously, they very likely won't trust it and will take their business elsewhere.
Third-party Risk Management and NIS: Asset or Weakest Link?
The drive to improve profitability and streamline operations motivates many organizations to outsource business functions that rely on technology. While third-party service providers don't fall within the scope of NIS, it's the responsibility of the OES to ensure suppliers have appropriate cybersecurity measures in place. Article 19 of the Directive states that:
"The organization understands and manages security risks to networks and information systems supporting the delivery of essential services that arise from dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third-party services are used."
Put another way, organizations are only as strong as their weakest link. With this in mind, OESs should incorporate a comprehensive third-party cyber resilience program into their strategy for achieving NIS compliance, including:
• Contractual terms of all third-party suppliers: review and record who currently has access to relevant systems and data, together with the level of access. Ensure all existing and new supplier agreements make provisions for cybersecurity.
• Robust (and tested) cybersecurity measures: conduct regular risk assessments of the entire supplier base and evaluate the security controls deployed by third-party technology suppliers.
• Proactive and preventative measures designed to monitor networks and information systems: pre-assess the suitability of any potential third-party technology suppliers.
• Automated tools: systems and processes that enable incidents and data breaches to be reported efficiently and effectively.
If the NIS Directive is to achieve its objective, OESs must recognize the importance of cybersecurity, both in terms of the benefits to their business and to society in general. An informed approach to the issues in question will ensure NIS is viewed as a progressive measure rather than a regulatory chore. By embracing the four core objectives, organizations will not only protect their own interests but also contribute to the reliability and security of the national infrastructure. Clearly, the NIS directive deserves the same level of attention and consideration as GDPR.
The good news is there are options with respect to your best way to approach NIS compliance. You can work with an experienced provider like SAI Global and get advice you can trust and a solution that is out of the box.
Our advisory services will identify areas of weakness and our leading platform can provide the automation, visibility and audit trail you need to remain compliant with the NIS Directive. Contact us for further information or to arrange a Risk Advisory meeting.