You may have missed it, but the European Union’s Network and Information System Directive (NIS) came in to force in the United Kingdom in May this year – the same month that the EU’s General Data Protection Regulation (GDPR) was imposed.
GDPR generated a massive amount of media coverage, because it directly effects so many organisations, of all sizes, and individuals, who were instructed to read and respond to countless privacy policy emails. By comparison NIS directly concerns organisations in the UK that are operators of essential services (OESs) and their supply chains, and as a result has not attracted anywhere near as much attention.
While it may have slipped under the radar for most people it is arguably more important than GDPR, and those organisations who neglect the four core principles – outlined below – do so at their peril. The central aim of NIS is to firm up the continent’s cyber defences by ensuring the critical infrastructure of the revenant EU member states is at least at a certain base level. Hence, this applies to those organisations operating in the water, energy, transport, health and digital infrastructure sectors.
NIS directly concerns organisations in the UK that are operators of essential services (OESs) and their supply chains
Each of the 21 EU member states that have implemented NIS have appointed a single point of contact for cyber security – in the UK it is the National Cyber Security Centre (NCSC) – and if there are any major incidents they can communicate with one another to combat the issue together.
The NCSC is the technical authority on cyber security in the UK, and will support OESs and competent authorities (CAs) – the relevant authorities in water, energy, and so on – with advice and guidance. At Gemserv we will be working with OESs and CAs to tailor the NCSC’s generic guidance if necessary.
An attack on critical infrastructure is a very real threat; as recently as April the NCSC warned of Russia’s malicious cyber activity. To give you an example of what might be possible, the first known successful cyber attack on a power grid happened in December 2015 when hackers compromised information systems of three energy organisations in Ukraine, leaving almost a quarter of million people without electricity.
Imagine if hospitals suddenly lost power, halting urgent medical procedures, or automated bridges and gates were deactivated so that food and fuel cannot be distributed. It would quickly lead to chaos, which is why NIS is so crucial now – both to prevent breaches and aid speedier reactions when incidents occur.
Improving cyber security is essential, and – much like with GDPR – it seems organisations are driven by the stick rather than the carrot. Perhaps that is largely because many c-suiters are still unsure how best to approach this new digital frontier. However, the fact is early adopters who shore up their cyber defences are gaining a significant competitive advantage over their competitors.
The penalties for being negligence regarding to NIS are colossal: the maximum fine is £17 million, or 4 per cent of turnover, whichever is greater. That is enough to sink most businesses.
The figures are similar for GDPR, though it goes up to £20 million. And there is a possibility that an extremely neglectful organisation could, in theory, face double fines.
The financial damage may not even be the most harmful, though, with it being trumped by the cost of a tattered reputation. If your customers, who are savvier about their digital security than ever – thanks largely to GDPR and the recent Facebook-Cambridge Analytica scandal – turn against you then that is coming to impact upon your bottom line. People are becoming wiser about which organisations don’t take cyber attacks seriously, and they don’t want to trust them, no matter how much those businesses advertise.
NIS is not a witch hunt designed cripple organisations, though. But the fact remains that if an OES that falls under the NIS Directive is seen to be negligent about implementing the four key principles – namely: managing security risk; defending systems against cyber attacks; detecting cyber security events; and minimising the impact of cyber security incidents – and does not have a satisfactory businesses continuity plan, then they will be hit hard.
NIS is not a witch hunt designed cripple organisations
Gemserv is ideally placed to help your organisation overcome the challenges presented by NIS and, moreover, gain a march on market rivals. We are a professional services company with expertise in enabling the energy transformation data revolution. We have a long history in dealing with information security governance and data in general, and can provide unique insights, business continuity plans, and much more.
Gemserv is in prime position to offer an end-to-end process and support business leaders so that their organisations can surpass the NIS regulation requirements and, further, make the most of their data and secure their supply chains. If the advice provided is implemented and continuously improved then you can be assured that if the worst happens, and there is a breach, then you and your customers are going to benefit because they, as well as your digital assets, are adequately protected.
We are still in the early stages of NIS being implemented, but there are signs that many organisations need to go through a great deal of maturation. Some of our clients are at the initial scoping stage, identifying whether they are affected by NIS or not. The next level, if they qualify as an OES, will involve many conversations with their relevant CA. The CAs are looking for constant improvement, and are unlikely to be forgiving if an organisation is not striving to reach the minimum standard in cyber defence.
At Gemserv we believe a mindset shift about cyber security is required, and if it is moved up the list of priorities quickly – as it should be – then it can be a genuine game changer. NIS, therefore, should be viewed by progressive business leaders as a huge boon rather than a regulatory chore. By keeping up to speed in terms of combating cyber attacks, which are becoming increasingly sophisticated, it will offer you and your customers greater peace of mind.
Learn more about how to protect your business at the NIS Regulation Breakfast Briefing
Three practical steps to prepare for NIS
SCOPE IT OUT
To start with, business leaders must determine whether or not the new Network and Information System Directive (NIS) concerns their organisation. If the business is an operator in one of thewater, energy, transport, health or digital infrastructure sectors, then the chances are it might – though it is not straightforward, because there are “thresholds”. This “scoping” is where an organisation such as Gemserv can assist. “First of all you have to work out if you are one of the organisations identified in the legislation,” says Jennie Cleal, senior information security consultant at Gemserv. “It’s all about learning what your thresholds are, defining which people, technology and processes are in scope for that.”
ANALYSE NIS
Once you have completed the scoping phase, and have discovered that your organisation does indeed come under NIS, Ms Cleal says the next step is the “whole business impact analysis piece”. She continues: “We work with business owners to break down things to a granular level and talk them through the processes from start to finish. Here you have to consider all aspects that might cause the organisation to fail in its service. A detailed risk assessment – considering the supply chain, too – is essential.”
TAKE CONTROL
The third and final practical step involves “implementing controls for that risk assessment”, advises Ms Cleal. “You especially want to make sure that those controls you are implementing are what the cyber-assessment framework is looking for. For instance, you have to address all the finite details around monitoring, which is what the regulation is looking for.” She continues: “Every organisation will want different aspects of help, but it is critical to work out what is within your control. Ask yourself: ‘Are my suppliers the single point of failure?’ What is your plan if they are breached?” Finally, for suppliers of operators of essential services (OESs), Ms Cleal warns: “If you are not already on the route to making sure that you have an information security management system that is performing for you, and you are not there with your business continuity plan, if you want to keep that OES business then you should be considering doing something now.”
Learn more about how to protect your business at the NIS Regulation Breakfast Briefing
