6 key steps to ensure your organisation is NIS2 compliant

The countdown to comply with the new Network and Information Systems (NIS2) Directive is well underway. At present, organisations in EU Member States have until 17 October 2024 to implement the relevant changes to their security systems and strategies. Failure to meet the requirements after this date could lead to fines of up to €10 million or 2% of global annual revenue, whichever is higher.

When combined with GDPR fines, the rising cost of data breaches, and the irreparable damages cyber-attacks can have on customer trust and brand reputation, not being ready to comply with NIS2 could have a disastrous impact on businesses of all sizes. But what steps should security teams take to mitigate risk? And how can a modern Identity solution help? In this blog, we’ll use key insights to answer all the above.

Six steps to prepare for NIS2

Step #1 Identify your cybersecurity risks

Identifying cybersecurity risks has always been a top priority for any CISO – but the arrival of NIS2 intensifies the need even further. These new laws require that organisations take appropriate technical, operational, and organisational measures to better manage risk. Considering this, having the right processes, systems and technologies in place to quickly identify threats, assess their impact, and mitigate them is crucial.

Step #2 Evaluate your security posture

Now that you have evaluated your risks, how are you managing them and who in the business is accepting them? With Tessian research showing that almost 85% of all data breaches happen because of human error¹, evaluating your security posture should be your next move. Security is the responsibility of everyone and having accountability for owning risks and managing issues should be transparent. Defining risk tolerance and mitigations ensures a clear understanding of where improvements and investments can be made as part of a security investment programme.

Step #3 Safeguard privileged access

Privileged users are a top target for account takeover attacks. Once inside, threat actors can exploit these accounts to steal data, take down critical infrastructure, and disrupt essential services. To ensure this doesn’t happen, NIS2 recommends that you implement best practices such as:

• Reduce use of privileged access – Tightly control and audit access to privileged accounts and their usage. Using these accounts should be kept to a minimum and automation implemented for regular repeatable tasks where possible.
• Continuous Authentication – As part of a Zero Trust strategy, evaluating the access context of device type, user and location, all provide key parameters to define re-authentication requirements and factors.
• Access Logging – Access controls provide an audit trail of user activities on systems and networks. Log analysis can be used to track user authentication attempts across a broad range of applications and infrastructure using security device logs that record possible attacks. Log analysis is fundamental to proactive threat detection and incident response, and building a strong security posture.

Step #4 Strengthen your ransomware defences

Ransomware is a huge concern for every business today – and is one of the primary drivers of the NIS2 Directive. To proactively mitigate these threats, your security team must introduce security solutions and best practices that stop ransomware attacks at their source. If you were to lose your critical infrastructure due to ransomware, how would you respond? How would your operations continue? And what impact would it have on your customers? Having a defined playbook for different scenarios ensures everyone is on the same page when dealing with ransomware. But there are precautions that can be taken to minimise the likelihood and impact of ransomware:

• Education & Awareness – Prevention is better than cure and security awareness training is key to preventing ransomware. It’s important employees know how to spot phishing emails or nefarious websites that look to gain a foothold.
• Secure backup processes – Backing up data to a secure secondary location with strictly limited access is key to the ability to recover from a ransomware event. Testing regularly and maintaining documentation will provide confidence in the ability to recover quickly with minimal impact.
• Harden endpoints – least privilege access, hardening benchmarks, restricted ports and network segmentation are all industry best practices that can prevent and protect against ransomware attempts.

Step #5 Embrace a Zero Trust strategy

Traditional perimeter-based security architectures aren’t suited to the world of cloud services and hybrid workforces. Instead, your organisation must adopt a Zero Trust strategy that assumes risk in everyone and everything. By applying context to every authentication process such as user, device type, location and frequency, authentication models can be finely tuned to ensure systems and data are protected.

Step #6 Scrutinise your software supply chain

The dramatic rise in supply chain attacks was another key motivator for EU regulators when drafting the new NIS2 Directive. Considering this, organisations should take a fresh look at their software supply chain and should implement some key measures:

• Secure source code – Stringent IAM controls around who, what, where and when access is granted. MFA should be mandated and provides an additional layer of protection credential compromise.
• Change Management – Use of automation to manage changes, code signatures and code commits is key to providing high assurance and auditability, and help prevent secrets being committed to source code repositories.
• Security Testing – Automated end to end security testing to identify bugs and errors in the code before release. Ensuring that suppliers are performing robust Static Application Security Tests (SAST) and Dynamic Application Security Tests (DAST) security scans.

How can Identity help with NIS2 compliance?

In the digital-first world, Identity is the security bedrock that underpins everything from policies and operational procedures, to the IT systems governing access to critical information within an organisation. Here are some examples of how a modern Identity solution can help ensure NIS2 compliance:

It enables fine-grained access control

Every company has sensitive documents, programs, and records. Protect them too strictly, and your company's work grinds to a halt. Leave them open, and catastrophic security issues can arise. By distributing access based on individual roles within the organisation, Identity ensures only the right people have access to the resources they need, when they need them and how they need them. Access context combined with Identity allows organisations to analyse, validate and revalidate access automatically and ensures revocation occurs when access is no longer needed.

It strengthens authentication processes

Usernames and passwords don’t just inconvenience employees and customers, they also put their data at risk. By adding an extra layer of security with Multi Factor Authentication, Identity helps eliminate the risk of data breach through credential theft and ensures every user is who they say they are. MFA can be further enhanced by implementing phishing-resistant authenticators such as Okta FastPass and FIDO2 WebAuthn, which earn top marks in security and usability, proving that you really can have both.

It enables swift incident response

With businesses facing a growing number of threats and incidents, ensuring auditability and accountability of operations is key to assessing, preventing and remediating any issues quickly. With a strong fine grained access program, IT teams can move at speed to assess and recover systems and minimise impact to operations and their customers.

It simplifies compliance monitoring

Identity management provides organisations with the ability to monitor and audit user activities, ensuring compliance with regulatory requirements. It also empowers security and compliance teams to demonstrate accountability by documenting who accessed specific resources and when. Many compliance regimes are now requiring organisations to implement strong access control processes and MFA as part of the standard operations to build a strong security culture and ensure staff are following best practices. Using phishing resistant MFA methods and moving away from passwords minimises potential threat vectors, increases security usability and experience, and helps maintain compliance across a range of certifications.

Still unsure if your organisation is ready for NIS2? To help isolate the gaps and learn more about how Identity can help your IT and security team maintain full compliance, reach out to our team

^{1. The Psychology of Human Error, Tessian
https://www.tessian.com/research/the-psychology-of-human-error/}