Cyber-attacks are even more present today than ever before. Hacking has become yet another criminal activity used by large organisations, and even by States, to obtain information illegally or to achieve their political goals. Widespread remote working adopted by businesses and brought about by the pandemic, is also now offering countless new opportunities for cyber criminals.
A remote worker automatically extends the network perimeter of its organisation, and makes it instantly less secure. The usual technical protective measures cannot be used, and there is a need to organise and create specific dedicated new network security structures and operations.
Very few companies organised their remote work networks and implemented their policies before the pandemic hit. These businesses are very much aware of the complexities inherent in managing such a dispersed network, and accept the risk of its inevitable fragility. Here are some dynamic new strategies and legal considerations businesses should consider now and in the months to come:
Strict technical rules and specific digital tools can help, but the multiple aspects of an extended network are too complex and unpredictable to be easily and completely managed. Employees logging in from external remote locations tend to use a private or public gateway, so routers that are not protected can easily be accessed and personal devices can be turned into an entry point to any company system.
Social engineering and simple phishing or spying techniques are much easier for hackers to apply in unprotected public spaces, at home or wherever users are working, simply due to the freedom of access and the absence of physical and technical barriers.
It is therefore essential to re-think the way company networks are organised but even more importantly how all relevant policies can be reshaped in order to take into consideration this new expanded way of working. And we are not talking about the mere network access policies, but of all the policies that concern data storage, data sharing, procurement and contractual relationships with customers and suppliers.
Organisations today are inevitably more complex than they were before the digital age. Trade secrets and essential confidential information are constantly at risk of being lost, stolen or accessed, and confidential conversations or exchanges are easily accessible and visible to hackers if not correctly managed.
A proper cyber security compliance programme must take into account all the policies and functions of an organisation and must be backed up and applied by all members of an organisation, including, most importantly, its management team.
It is no longer possible to delegate this essential company programme solely to the IT function. Cyber security must become one of the essential policies that is known, applied and respected by all members of an organisation.
• NIS Directive
Legislation is now in place, at least within the EU, to impose the adoption of strict and structured cyber security policies to certain types of organisations that are performing essential functions and operate in industries that are considered strategic or essential for the safety of a country.
The NIS Directive imposes a high level of compliance, asking a specific group of essential services operators (“Operators of Essential Services” or “OES”) to adopt internal policies based on a structured security framework that allows these entities to become resilient to cyberattacks and threats. These policies allow organisations to become prepared in all aspects of cyber security, putting in place plans to prevent and react to an attack, reduce damages, manage immediate and effective responses, and learn from the experience.
NIS Responsible Entities have been formed in each EU country and are asked to collect information on any cyber security event that occurs to OESs, in order to create an awareness of cyber security across the EU and help EU countries and companies to become resilient to these threats.
This new type of internal policy and organisational model is now in fact the new benchmark for cyber security and can be adopted by any entity that is willing to become resilient to this risk, in order to better perform its business activity, reduce the cost of the consequences of an attack, increase its organisational value, qualify as a supplier to Operators of Essential Services and become more efficient.
The NIS Directive is the first piece of legislation introduced to regulate this area of risk, but many other laws have been introduced worldwide to address the same threat and require companies and public entities to be aware and prepared. We are all aware of the consequences that an ungoverned data breach can have for any organisation, with all the damaging consequences concerning reputation, data usability and access, without forgetting the heavy sanctions imposed by the GDPR.
• Italy: Law 105/2019
In Italy, another law was recently adopted, Law 105/2019, to work in parallel with the NIS Directive, addressing the security of the networks used and implemented by operators of essential services and of essential functions (a definition that mirrors the one of the NIS directive but expands its reach).
In this case, the interested entities must not only adopt a proper cyber security internal organisational model (using the framework introduced by the NIS Directive) but also guarantee the safety of these networks by using pre-approved system and network components, or by asking for a specific and dedicated approval from a newly formed technical function under the control of the President of Ministry Office.
As this cyber security threat expands and becomes even more organised and present, the same happens on the legal and regulatory side, and all interested entities must now confront this business risk with stricter compliance measures.
New legislation is a source of solutions and offers a new de facto benchmark for correct and reliable compliance, but also requires an important internal organisational restructuring that must be prepared well in advance and include substantial strategic planning.