Rolling into the train station of a European city (beyond the pristine, always-safe bubble of Luxembourg), a pickpocket tried to steal my professional phone from my coat. Talking about it with my mom, she questioned why I had my phone in my pocket, and she was right. In some countries it is unthinkable to go out with your phone in your hand because you risk dying. Luxembourg: in 10 years living here, I had not faced such a situation. Let’s face it, we take security here for granted, and my subconscious extrapolates that same behaviour to every other place I go (am I the only one?).
Why us?
This is the question that, to this day, we hear from directors when we talk about NIS 2. Although the answer is evident to cybersecurity professionals, it can be hard to swallow when, as a company director, we think in profit terms and not too much about the role of information technology in it. Let’s face it: it is natural for human beings to take security for granted because “it has never happened to us”. Since we have not suffered a cyberattack so far, we do not think as much as we should about security “outside”.
However, cyberattack statistics speak for themselves, showing that even the smallest businesses are vulnerable to attacks. In Luxembourg some companies have already been affected and, with them, some of their clients. Hence the need for a law that seeks the resilience of the important and essential companies for society.
The new sectors have been chosen based on their criticality for the economy and society. Essential entities: entities where a potential disruption of services would have an almost apocalyptic impact on society. Important entities: entities where a potential disruption of services would not have serious societal or economic consequences; however, they are a supreme financial playground for cybercriminals, therefore they are logically included in the NIS2 policy. This block of companies will be subject to a reactive supervisory regime, whereby supervision is triggered by indications of an incident. The target is to ensure the resilience of critical supply chains and avoid shortages in case of a cyberattack.
Thinking about a “critical sector” as a society is sometimes not so easy, because what is “critical” for the reader of this article perhaps is not for me, but here the law comes in to establish some parameters about “criticality”. Take the case of insulin: a shortage of insulin will not affect me or my family, but maybe my neighbour. In that case, for example, any interruption or compromise within the production process of the pharmaceutical company could have an impact on public health: a cyberattack that puts the integrity of the drug development and/or production processes at risk could damage the quality of the product that ends up distributed to the population. The same goes for distribution.
The collection of personal and medical data also makes this sector, and many companies in the health sector (clinics, hospitals, laboratories), very attractive targets for cybercriminals. Therefore, these companies must comply with the GDPR. A data breach could lead to serious damage to the population, such as identity theft, fraud or blackmail, not to mention the significant losses (financial and reputational) that these companies may suffer. In addition, the liabilities outlined in NIS 2 now come with a specific name. It is no longer enough for the company to “answer” for negligence: penalties for the directors of the companies can be severe if negligence is demonstrated in the implementation and monitoring of an ISMS.
The use of the ISO 27000 family to apply NIS2.
In our experience, the implementation of an ISMS within the framework of ISO 27001 is ideal because it allows us, in a series of organized and coherent steps, to:
· Identify business-critical processes: the core of the entity. What does society depend on from your company?
· Conduct a risk assessment: collect the risks and threats that could disrupt those critical processes.
· Develop and implement a cybersecurity strategy: based on the above risk analysis, a security strategy focused on the measures required by NIS 2 is developed. This includes technical and organizational measures to prevent, detect and respond to information technology incidents.
· Develop and deploy an incident response plan: highlighting the steps to follow in the event of a cybersecurity incident; this includes reporting incidents, containing the damage, and restoring services.
· Continuous improvement plan: to ensure the maximum resilience of the company and that the requirements of NIS 2 are met at all times. Technology, people and procedures together cover the risks and threats.
Whilst ISO 27001 includes business continuity management (BCM), it doesn’t define a specific process for BCM implementation. ISO 22301 complements ISO 27001 by covering this process. In short, ISO 27001 and ISO 22301 combined facilitate the implementation of a plan that links and harmonizes the information security management system with a business continuity plan.
A clarification: it must be said that although this formula facilitates compliance with NIS2, the same “recipe” does not apply equally to all entities, since the priorities of a public entity (continuity of services to the population) are not the same as those of a private one (revenues and business continuity); even the priorities of postal and courier services are not the same as those of food distribution. Through experience with different types of entities in both sectors (public and private), AdronH has learned to successfully adapt the implementation process to the requirements of each entity, including the smallest.
We have managed to gather professionals with experience in the area, passionate about their work, who effectively respond to each entity’s particular needs.