Building An Identity-First Security Strategy

Uploaded on 2023-01-19 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-IT & Telecoms

If 2022 taught us anything, it’s that no enterprise is too large or small to become a target of a cybercriminal. Yet, many businesses do not have adequate defences in place to sufficiently protect themselves. In the event of an attack, the casualties extend further than the targeted network. All individuals with data entrusted to that breached system are now at the mercy of the cybercriminal.

The severity of cyber threats is even more serious given the increase in state-backed cyber warfare last year as a result of geopolitical tensions.

Governments and citizens can no longer rely on enterprises – especially those supporting vital infrastructure – to decide if their cybersecurity strategy adequately protects sensitive data and information. Therefore, governments and regional organisations are asserting legal cybersecurity standards to increase overall protection. 

An example of lawmakers addressing this is the European Union’s NIS2 (Network and Information Security) Directive, which seeks to extend the reach of businesses legally required to improve their cybersecurity standards, to mitigate future data breaches. However, while a worthwhile mission, NIS2 overlooks the role of identity verification in secure data management.

The NIS2 Directive

Previously the European Union has attempted to impose stronger cybersecurity standards; last December the NIS Directive was enacted into legislation. This requires all essential business services to implement a Computer Security Incident Response Team (CSIRT) and a national NIS authority. It mandates that these businesses must notify relevant authorities of any serious incidents. A year on, legislators have raised the stakes and enacted modifications to the NIS, known as the NIS2 Directive.

So what exactly has changed? Effectively NIS2 will extend the qualifying parameters of organisations and sectors that are obliged to adopt increased levels of cybersecurity. The existing NIS Directive encompasses critical sectors such as health, finance, energy and transport, and NIS2 goes one step further and imposes cybersecurity standards on public and private services providers with access to critical infrastructure and personal data. This includes services such as digital communication and postal as well as social media platforms. NIS2 came into effect in December 2022, and member states have 21 months to implement the required standards. 

A promising feature of NIS2 is the voluntary peer-learning mechanism, whereby nations can enhance mutual trust by sharing cybersecurity best practices, ultimately strengthening regional security. Cybercriminals are nothing if not innovative, and organisations must treat cybersecurity as an evolutionary process, constantly changing and needing to be reviewed and updated in line with new emerging threats.

While the ambitions behind the proposed NIS2 are very promising, there are still many member states that do not adhere to the existing NIS Directive, let alone are ready for an extended version.

Strategising For Business Impact

Enterprises must now review the protection of their networks and systems to identify internal risks and vulnerabilities to ensure they are in line with the updated NIS2 standards. Once enterprises are satisfied that, at the minimum, their security meets the legislative baseline, they must also update internal procedures to reflect the next element of the NIS2 response. Like every great emergency service, there must be a response unit that, in the event of an attack, can assume control and manage the situation. For this reason, businesses need to ensure that in the event of a security incident, their procedures include plans to contact the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) within 24 hours of the attack.

As the legislative reach of the NIS2 now extends to smaller enterprises that may have limited experience and infrastructure in coordinating a cybersecurity strategy of this magnitude, the directive will likely lead to a rise in CISO roles in smaller-sized businesses. If an enterprise wants to truly adopt the components of the NIS2 and ensure greater security, it must invest internally in people, processes and technology. 

Towards An Identified Union

The NIS2, while a promising start in strengthening cybersecurity, fails to avoid the pitfalls of the existing NIS Directive. The clear aim of this updated version is to protect data and information of critical importance, however, it only manages to update security and increase the response to an attack. What the NIS2 does not include, is tackling the main threat behind data breaches - identity. 

Typically, an attacker will use identity to assume privileges given to the hacked user. Effectively protecting identities, both human and machine, is a top priority for enterprises.
 
Implementing identity-first security principles would consist of establishing frameworks such as Public Key Infrastructure (PKI)-based infrastructure. Implementing PKI digital certificates within critical infrastructure adds an encrypted layer that can verify and authenticate the identity of websites, networks and users attempting to access the system.

This would essentially act like a passport within a network system to determine that all employees accessing the network are genuine and secure. 

Identity-first security is not only about encryption. It also involves the evaluation and management of access to data within a system. This is where the human element of identity comes into play. Every employee has the potential to benefit or hinder the security of the entire system. Adopting identity-first security principles -  the process of securing identity management by reviewing and managing access points to sensitive data - is the only way businesses can be confident there are no vulnerabilities within their networks. When thinking about this in line with the NIS2 directive, employing identity-first security ensures a promising cybersecurity strategy for a future-proof union. 

Cybersecurity is now the responsibility of all and must be treated as such. A legislative development that legally mandates entities to improve their cybersecurity defences is a meaningful step towards securing the future.

While the main tenets of the NIS2 are strong, namely extending its reach to encompass the many players in the data network, it ultimately fails to go far enough to protect data and identity. Much like when strengthening a fortress, it is not enough to build a higher wall, one must also search to shore up weak points around the perimeter.

Tim Callan is  Chief Experience Officer at Sectigo

You Might Also Read:  

PAM, IAM, Or Both?:

____________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

« For Sale: Data Stolen From Volvo 
Cyber Security Issues For The Mobile Industry »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

Watch this webinar and get a comprehensive roadmap for securely adopting generative AI using Amazon Bedrock, a fully managed service that offers a choice of high-performing foundation models (FMs).

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Echelon

Echelon

Echelon Company is a provider of information security services specializing in certification of security software and hardware products in Russia.

Jetico

Jetico

Jetico provides pure & simple data protection software for all sensitive information throughout the lifecycle. Solutions include data encryption and secure data erasure.

CTR Secure Services

CTR Secure Services

CTR Secure Services provides a broad range of security consulting services from asset protection to cyber security.

exceet Secure Solutions

exceet Secure Solutions

exceet Secure Solutions is your experienced specialist for Internet of Things (IoT), Heath Telematics, electronic signatures and timestamps and IT security.

Epati Information Technologies

Epati Information Technologies

ePati Information Technologies is a specialist in information technology and cyber security.

Matrix42

Matrix42

Matrix42 software for digital workspace experience manages devices, applications, processes and services simple, secure and compliant.

Cyberhaven

Cyberhaven

Cyberhaven provides rapid enablement for GDPR and CCPA compliance, streamlined data security and modern risk management.

XPO IT Services

XPO IT Services

XPO IT Services are dedicated to providing secure, high quality IT recycling and asset disposal services.

Cyber Resilience

Cyber Resilience

Cyber Resilience offer an intensive program designed to help you create strategies to quickly become cyber resilient and to manage cyber risks in a measurable and predictable way.

OmniCyber Security

OmniCyber Security

Omni is a cyber security firm specialising in Penetration Testing, Managed Security and Compliance.

Intrepid Solutions and Services

Intrepid Solutions and Services

Intrepid Solutions and Services provides technology solutions and professional services to key components of the intelligence and national security communities.

Netox

Netox

Netox is a comprehensive IT service provider that combines IT support services, IT solutions and specialist services; specializing in cybersecurity solutions.

JanBask Training

JanBask Training

JanBask Training is a dynamic, highly professional, global online training provider committed to propelling the next generation of technology learners with a whole new way of training experience.

NetHope

NetHope

NetHope is a membership-based organization serving the international nonprofit humanitarian, development, and conservation sector through digital transformation.

Intertec Systems

Intertec Systems

Intertec Systems is an award-winning, global IT solutions and services provider that specializes in digital transformation, cybersecurity, sustainability, and cloud services.

Walacor

Walacor

Walacor’s secure data platform represents the next generation of secure data and blockchain storage with a trust-first approach that revolutionizes enterprise data, and database management systems.