The older and more mature an industry gets, the more standards it needs to align with. For example, financial services has been around for a long time and is heavily regulated. Cybersecurity is quite young in comparison, but it’s going in the same direction. This is a natural progression, because of the impact the industry has on a country’s economy and ultimately its citizens. The EU Cybersecurity Act is the latest move in establishing an industry-wide foundation of security by design and by default; it has applied since 21 June 2019 and will be implemented as law across the EU as of 28 June 2021.
The arrival of these rules, business certifications, and governance are signs that cybersecurity is growing up. For a long time, the technology industry worked on the basis of ‘you must do this’ or ‘please be good’. Getting solutions to consumers meant focusing on speed to market, ease of use, and cheap prices.
But this led to a world where companies had little financial incentive to implement security and privacy by design. That’s why a lot of the solutions around today appear as if security was either an afterthought or never addressed at all.
The EU Cybersecurity Act comes into force
That also explains why we’re seeing more and more regulations specifically about security and privacy.
For the first time, the EU Cybersecurity Act will introduce an EU-wide cybersecurity certification framework for ICT products, services and processes. (Here’s a useful page which gives a very high-level summary of the Act. The full text is here.)
Standing on the shoulders of GDPR and Network Information System Directive
In many ways, the Act builds on GDPR and the Network and Information System Directive (NIS Directive).
The EU General Data Protection Regulation (GDPR) did a great job of making consumers aware of the value of their personal information and the importance of protecting it. At the same time, by making directors personally liable for non-compliance, the regulation pushed companies to ensure that any future solutions have privacy and security by design, from the conception of an idea.
The NIS Directive is focused on critical national infrastructure, which, as you may know, faces the challenge of dealing with legacy infrastructure. When the Directive first came out, its guidelines were written to be general enough to cover a variety of industries, and since each Member State is to design how it implements them within its own country, further specifics are needed to address this legacy infrastructure effectively. For example, the UK National Cyber Security Centre created the Cyber Assessment Framework (CAF) to support the Directive’s implementation whilst the UK was still a Member State. This framework gives some important foundational controls to help providers of essential services improve their security.
The benefit of the NIS Directive is that even if your organisation isn’t in scope, there are useful resources you can reference for your own security posture, such as the CAF described above. Even if you don’t have to be compliant, you can use the research they produce, or measure your organisation’s security against a recognised baseline.
The benefits of ISO 27001
In the same way, the popularity of independent standards such as ISO 27001 is a good indication of their value. They provide a recognised best practice to follow, and alignment with them provides confidence in the organisation’s processes. Whilst we have yet to learn the certification requirements for the EU Cybersecurity Act, ISO 27001 and GDPR already overlap in certain areas of security and data protection. It could well be that, when it comes to gaining compliance with security and privacy regulations, organisations that have become certified to ISO 27001 are already on the right path, having brought rigour and repeatable processes to their work.
ISO 27001 is an internationally recognised certification, across different industries and countries, including within the EU. Again, the benefit is the consistency and trust it brings. This avoids a situation where one organisation aligns with one standard whilst another follows a different standard, and additional resources are required to verify the mapping between the two. Creating a known, robust, and understood certification provides transparency.
Focusing on the right risks for you
When speaking with organisations that might be struggling to align their cybersecurity needs, I always recommend starting with a Cybersecurity Maturity Assessment. That is, look at the inherent risk specific to that organisation, then run a risk assessment, in order to apply a risk-based approach. The benefit is that an organisation won’t spend an ever-increasing amount of money seemingly thrown at a problem in the hope it will go away, but instead proactively identifies likely scenarios, threats, and attacks. This allows for budget alignment, continuous improvement, and a holistic view of the organisation.
The majority of cybersecurity incidents are opportunistic attacks. Malicious actors do their own sort of risk assessment, weighing the risk of being caught against the expected return on investment (ROI). That is, most attacks are financially motivated: how much work must the malicious actor(s) put in, and how much can they realise financially afterwards? If company A meets the foundational cybersecurity needs whereas company B has systems that are easy to exploit, then unless the attacker specifically needs company A’s data, they are likely to go after company B.
The Verizon Data Breach Investigations Report 2019 tells us that close to 80 per cent of attacks use stolen credentials in some form, even if the initial point of compromise did not involve stolen credentials. This massive statistic highlights the value of foundational controls, such as multifactor authentication and strong, unique passwords.
Putting a priority on the right risks
By using recognised security frameworks, such as ISO 27001, and/or working through a security assessment, organisations can be supported in identifying gaps in their infrastructure and addressing them in order of priority. They can use the findings to build a robust roadmap (since security is a journey and not a destination) that incorporates the variety of challenges and needs of their infrastructure.
Frameworks, business certifications, and security assessments all work together to help raise the bar of cybersecurity across all industries. In doing so, they can reduce the number of opportunistic attacks – and that’s good for both businesses and consumers.
Join BH Consulting and Certification Europe on Thursday 26 March for “Cyber Governance 2020”. The two-hour morning conference will explore emerging issues in cyber governance for 2020 and tackle the challenge of compliance with international regulations. Admission is free but we are at full capacity due to very high demand. For more information, visit the event page here. If you would like to attend please email your details to [email protected] and we will put you on the limited reserve waiting list.