Building An Identity-First Security Strategy

If 2022 taught us anything, it’s that no enterprise is too large or small to become a target of a cybercriminal. Yet, many businesses do not have adequate defences in place to sufficiently protect themselves. In the event of an attack, the casualties extend further than the targeted network. All individuals with data entrusted to that breached system are now at the mercy of the cybercriminal.

The severity of cyber threats is even more serious given the increase in state-backed cyber warfare last year as a result of geopolitical tensions.

Governments and citizens can no longer rely on enterprises – especially those supporting vital infrastructure – to decide if their cybersecurity strategy adequately protects sensitive data and information. Therefore, governments and regional organisations are asserting legal cybersecurity standards to increase overall protection. 

An example of lawmakers addressing this is the European Union’s NIS2 (Network and Information Security) Directive, which seeks to extend the reach of businesses legally required to improve their cybersecurity standards, to mitigate future data breaches. However, while a worthwhile mission, NIS2 overlooks the role of identity verification in secure data management.

The NIS2 Directive

Previously the European Union has attempted to impose stronger cybersecurity standards; last December the NIS Directive was enacted into legislation. This requires all essential business services to implement a Computer Security Incident Response Team (CSIRT) and a national NIS authority. It mandates that these businesses must notify relevant authorities of any serious incidents. A year on, legislators have raised the stakes and enacted modifications to the NIS, known as the NIS2 Directive.

So what exactly has changed? Effectively NIS2 will extend the qualifying parameters of organisations and sectors that are obliged to adopt increased levels of cybersecurity. The existing NIS Directive encompasses critical sectors such as health, finance, energy and transport, and NIS2 goes one step further and imposes cybersecurity standards on public and private service providers with access to critical infrastructure and personal data. This includes services such as digital communication and postal services as well as social media platforms. NIS2 came into effect in December 2022, and member states have 21 months to implement the required standards.

A promising feature of NIS2 is the voluntary peer-learning mechanism, whereby nations can enhance mutual trust by sharing cybersecurity best practices, ultimately strengthening regional security. Cybercriminals are nothing if not innovative, and organisations must treat cybersecurity as an evolutionary process, constantly changing and needing to be reviewed and updated in line with new emerging threats.

While the ambitions behind the proposed NIS2 are very promising, there are still many member states that do not adhere to the existing NIS Directive, let alone stand ready for an extended version.

Strategising For Business Impact

Enterprises must now review the protection of their networks and systems to identify internal risks and vulnerabilities to ensure they are in line with the updated NIS2 standards. Once enterprises are satisfied that, at the minimum, their security meets the legislative baseline, they must also update internal procedures to reflect the next element of the NIS2 response. Like every great emergency service, there must be a response unit that, in the event of an attack, can assume control and manage the situation. For this reason, businesses need to ensure that in the event of a security incident, their procedures include plans to contact the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) within 24 hours of the attack.

As the legislative reach of the NIS2 now extends to smaller enterprises that may have limited experience and infrastructure in coordinating a cybersecurity strategy of this magnitude, the directive will likely lead to a rise in CISO roles in smaller-sized businesses. If an enterprise wants to truly adopt the components of the NIS2 and ensure greater security, it must invest internally in people, processes and technology. 

Towards An Identified Union

The NIS2, while a promising start in strengthening cybersecurity, fails to avoid the pitfalls of the existing NIS Directive. The clear aim of this updated version is to protect data and information of critical importance; however, it only manages to update security and increase the response to an attack. What the NIS2 does not include is tackling the main threat behind data breaches: identity.

Typically, an attacker will use a compromised identity to assume the privileges granted to that user. Effectively protecting identities, both human and machine, is therefore a top priority for enterprises.
 
Implementing identity-first security principles would consist of establishing frameworks such as a Public Key Infrastructure (PKI). Implementing PKI digital certificates within critical infrastructure adds a cryptographically verifiable layer that can authenticate the identity of websites, networks and users attempting to access the system.

This would essentially act like a passport within a network system to determine that all employees accessing the network are genuine and secure. 
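To make the "passport" idea concrete, here is an added example (not code from the article or from Sectigo) built on the openssl command-line tool: the organisation runs its own certificate authority, issues a certificate to a user, and the verification step accepts only certificates that chain back to that authority. The organisation name, the user name "alice" and the file paths are made up, and the script assumes openssl is installed.

```shell
#!/bin/sh
# Added illustration, not part of the article: a minimal private PKI with the
# openssl CLI. The organisation's CA issues a certificate to a user; anything
# not chained to that CA (here, a self-signed "rogue" certificate) is rejected
# at verification time. Names ("Example Corp", "alice") are made up.
WORK="${WORK:-$(mktemp -d)}"

# 1. Create the organisation's root CA (self-signed; kept offline in practice).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example Corp/CN=Example Corp Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Issue a short-lived user certificate signed by that CA: the "passport".
issue_user_cert() {
  user="$1"
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Example Corp/CN=$user" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" >/dev/null 2>&1 &&
  openssl x509 -req -days 90 -in "$WORK/$user.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$user.crt" >/dev/null 2>&1
}

# 3. A certificate that merely claims to be an employee but was signed by
#    nobody the organisation trusts (self-signed, so no chain to ca.crt).
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/O=Example Corp/CN=alice" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}

# 4. What a server or gateway does at connection time: check that the
#    presented certificate chains to the organisation's CA.
#    Exit status 0 = accepted, non-zero = rejected.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_ca && issue_user_cert alice && make_rogue_cert
verify_cert "$WORK/alice.crt" && echo "alice.crt: accepted (issued by our CA)"
verify_cert "$WORK/rogue.crt" || echo "rogue.crt: rejected (not issued by our CA)"
```

The point of the rogue certificate is that a name alone proves nothing: both certificates carry the same subject, and only the one issued by the organisation's CA passes. In a real deployment the verification step is performed by the TLS stack of the service being accessed (mutual TLS), the CA key is kept offline, and issued certificates are short-lived or revocable so that a lost "passport" can be withdrawn.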

Identity-first security is not only about encryption. It also involves the evaluation and management of access to data within a system. This is where the human element of identity comes into play. Every employee has the potential to benefit or hinder the security of the entire system. Adopting identity-first security principles, the process of securing identity management by reviewing and managing access points to sensitive data, is the only way businesses can be confident there are no vulnerabilities within their networks. When thinking about this in line with the NIS2 directive, employing identity-first security ensures a promising cybersecurity strategy for a future-proof union.

Cybersecurity is now the responsibility of all and must be treated as such. A legislative development that legally mandates entities to improve their cybersecurity defences is a meaningful step towards securing the future.

While the main tenets of the NIS2 are strong, namely extending its reach to encompass the many players in the data network, it ultimately fails to go far enough to protect data and identity. Much like when strengthening a fortress, it is not enough to build a higher wall; one must also seek out and shore up weak points around the perimeter.

Tim Callan is  Chief Experience Officer at Sectigo
