In this blog, CT’s Technical Director, Chris Barr, takes a closer look at how the EU Network and Information Systems directive may impact businesses and the economy.
Proposed new legislation which aims to compel the providers of ‘essential services’ to beef up their cyber security should act as a timely reminder to all businesses of the importance of protecting their IT systems.
The Government has launched a consultation into the implementation of the EU’s new Network and Information Systems (NIS) directive, which is due to come into force in May 2018.
Under the proposals, providers of critical infrastructure – such as energy, health, transport, water and digital – could face fines of up to £17m, or four per cent of global turnover, if they fail to put into place safeguards to prevent cyber attacks or system failures.
A ‘lighter touch’ implementation of the rules will also affect providers of digital services such as search engines, cloud services and online marketplaces.
The suggested fines are aimed at preventing hackers from crippling networks, as happened earlier in the summer with NHS systems. Measures that will be looked at will include monitoring threats and detecting attacks, good staff training, and having quick recovery systems in place.
NIS is separate from the General Data Protection Regulation (GDPR), which is aimed at protecting business data rather than services.
However, although the vast majority of businesses will be unaffected by NIS, CT says the consultation should serve as a timely reminder to all businesses about the importance of reviewing their cyber security.
Although many organisations look to invest in solutions for their immediate protection, the subsequent effect of a cyber attack on their customers is not always considered.
For the UK’s ‘essential services’, an incident can have a far greater negative impact on the economy, which goes far beyond the cost suffered by the business that is supplying the service.
As a cloud services provider, we have seen companies go out of business following a security breach, which in turn put all their customers in a position of being unable to trade.
As NIS could also affect cloud service providers, and as more companies move to cloud-based solutions, I believe it’s essential that companies providing these services are required to meet security standards to ensure the protection of the customers that place so much faith in the services.
This is something we take extremely seriously at CT. Regardless of the level of service you choose, we pride ourselves on being able to tailor our services to your specific requirements to ensure your systems, networks and software are all backed up, up to date and secure.
The key areas in which companies should look to implement protection to ensure the availability of services are:
Resilience – is your hardware clustered to ensure there is no single point of failure?
Disaster recovery – is there a plan in place that is regularly tested to allow services to be restored with minimal interruption?
Backup – does this fit with the 3-2-1 rule of best practice (to ensure no incident could simultaneously damage the production and backup data) and has it been recently tested?
External access – are all external entry points to the company network authenticated via a method of two factor authentication?
Intrusion Detection/Prevention Systems – modern firewalls have evolved beyond the traditional selective opening of ports to provide the facility to inspect traffic passing through for suspicious activity; this can then trigger an alert (IDS) or block the traffic (IPS).
DDoS (Distributed Denial Of Service) – does your connectivity or hosting provider provide a facility to mitigate DDoS traffic allowing your services to continue operating during an attack?
Websites and web-facing services – is a vulnerability scan carried out on a regular basis to ensure any vulnerabilities are identified and subsequently patched?
Internet access – employee access should be secured to mitigate the risk of malicious software originating outside the network (such as a trojan) being introduced that could potentially allow external access to a hacker.
E-mail filtering – e-mail should be filtered to also mitigate the risk of malicious software originating outside the network from being introduced and to reduce the risk of staff inadvertently volunteering confidential information through phishing scams.
Anti-Virus – all endpoints should be protected with an AV package that is centrally managed to ensure all endpoints are running up-to-date definitions.
Patching – all servers and endpoints should be frequently patched to ensure protection against known security vulnerabilities.
Acceptable Use Policy – is one in place to identify the appropriate use of company IT equipment? This should also be enforced where possible through system permissions.
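The backup item above asks whether your arrangement fits the 3-2-1 rule and has been tested recently. As an added example (not CT's own tooling), the script below turns that question into a repeatable check: it takes an inventory of the copies held for each dataset and reports where fewer than three copies exist, where all copies sit on one media type, where no copy is off-site, and where a backup copy has never been test-restored or was last test-restored more than a set number of days ago. The inventory, dataset names and dates are constructed for illustration; the production copy is counted as one of the three copies, as the rule conventionally intends, but is never treated as a backup.

```python
"""Added example (not CT's code): audit a backup inventory against the
3-2-1 rule (3 copies, 2 media types, 1 off-site) and flag backup copies
whose last successful test restore is missing or too old.
All inventory data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset. Field values are constructed, not real."""
    name: str
    media: str                               # e.g. "disk", "tape", "object-storage"
    offsite: bool                            # held at a different physical site from production
    is_production: bool = False              # the live copy counts towards the "3" but is never a backup
    last_restore_test: Optional[date] = None  # date of the last successful test restore (None = never)


def check_three_two_one(dataset: str, copies: List[BackupCopy], today: date,
                        max_test_age_days: int = 90) -> List[str]:
    """Return the list of issues found for one dataset.
    An empty list means the copies satisfy 3-2-1 and every backup copy
    has a restore test no older than max_test_age_days."""
    issues: List[str] = []

    # "3": at least three copies, production included
    if len(copies) < 3:
        issues.append(f"only {len(copies)} copies (need at least 3)")

    # "2": at least two distinct media types so one media failure cannot take all copies
    media = {c.media for c in copies}
    if len(media) < 2:
        issues.append(f"all copies on one media type ({', '.join(sorted(media)) or 'none'})")

    # "1": at least one copy off-site so a site incident cannot hit production and backups together
    if not any(c.offsite for c in copies):
        issues.append("no off-site copy")

    # Tested: every non-production copy must have a recent successful restore test
    backups = [c for c in copies if not c.is_production]
    if not backups:
        issues.append("no backup copies at all")
    for c in backups:
        if c.last_restore_test is None:
            issues.append(f"{c.name}: never test-restored")
        else:
            age = (today - c.last_restore_test).days
            if age > max_test_age_days:
                issues.append(f"{c.name}: last restore test {age} days ago")
    return issues


def audit(inventory: Dict[str, List[BackupCopy]], today: date,
          max_test_age_days: int = 90) -> Dict[str, List[str]]:
    """Run the check over every dataset and map dataset name -> issues."""
    return {ds: check_three_two_one(ds, copies, today, max_test_age_days)
            for ds, copies in inventory.items()}


# Constructed inventory: one compliant dataset and one that fails on every point.
TODAY = date(2017, 10, 1)
INVENTORY: Dict[str, List[BackupCopy]] = {
    "finance-db": [
        BackupCopy("prod-san", "disk", offsite=False, is_production=True),
        BackupCopy("nightly-nas", "disk", offsite=False, last_restore_test=date(2017, 9, 20)),
        BackupCopy("weekly-tape-offsite", "tape", offsite=True, last_restore_test=date(2017, 8, 15)),
    ],
    "file-share": [
        BackupCopy("prod-san", "disk", offsite=False, is_production=True),
        BackupCopy("nightly-nas", "disk", offsite=False, last_restore_test=date(2017, 3, 1)),
    ],
}

if __name__ == "__main__":
    for ds, issues in audit(INVENTORY, TODAY).items():
        print(ds, "OK" if not issues else "; ".join(issues))
```

Run it and "finance-db" reports OK while "file-share" lists four issues; feeding in your own inventory (and lowering `max_test_age_days` if your recovery objectives demand it) gives a quick, repeatable answer to the question the checklist asks.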
CT helps to ensure your business is protected by putting in place measures to address all of the above, but if you have any concerns, don't hesitate to speak with your dedicated account manager on 01246 266130.
Over the coming weeks, we will be continuing to run our popular series of webinars looking at the various aspects of cyber security and how you can ensure your business is protected, so keep checking back for details on future events.