Building An Identity-First Security Strategy

If 2022 taught us anything, it’s that no enterprise is too large or small to become a target of a cybercriminal. Yet, many businesses do not have adequate defences in place to sufficiently protect themselves. In the event of an attack, the casualties extend further than the targeted network. All individuals with data entrusted to that breached system are now at the mercy of the cybercriminal.

The severity of cyber threats is even more serious given the increase in state-backed cyber warfare last year as a result of geopolitical tensions.

Governments and citizens can no longer rely on enterprises – especially those supporting vital infrastructure – to decide if their cybersecurity strategy adequately protects sensitive data and information. Therefore, governments and regional organisations are asserting legal cybersecurity standards to increase overall protection. 

An example of lawmakers addressing this is the European Union’s NIS2 (Network and Information Security) Directive, which seeks to extend the reach of businesses legally required to improve their cybersecurity standards, to mitigate future data breaches. However, while a worthwhile mission, NIS2 overlooks the role of identity verification in secure data management.

The NIS2 Directive

Previously the European Union has attempted to impose stronger cybersecurity standards; last December the NIS Directive was enacted into legislation. This requires all essential business services to implement a Computer Security Incident Response Team (CSIRT) and a national NIS authority. It mandates that these businesses must notify relevant authorities of any serious incidents. A year on, legislators have raised the stakes and enacted modifications to the NIS, known as the NIS2 Directive.

So what exactly has changed? Effectively NIS2 will extend the qualifying parameters of organisations and sectors that are obliged to adopt increased levels of cybersecurity. The existing NIS Directive encompasses critical sectors such as health, finance, energy and transport, and NIS2 goes one step further and imposes cybersecurity standards on public and private services providers with access to critical infrastructure and personal data. This includes services such as digital communication and postal as well as social media platforms. NIS2 came into effect in December 2022, and member states have 21 months to implement the required standards. 

A promising feature of NIS2 is the voluntary peer-learning mechanism, whereby nations can enhance mutual trust by sharing cybersecurity best practices, ultimately strengthening regional security. Cybercriminals are nothing if not innovative, and organisations must treat cybersecurity as an evolutionary process, constantly changing and needing to be reviewed and updated in line with new emerging threats.

While the ambitions behind the proposed NIS2 are very promising, there are still many member states that do not adhere to the existing NIS Directive, let alone are ready for an extended version.

Strategising For Business Impact

Enterprises must now review the protection of their networks and systems to identify internal risks and vulnerabilities to ensure they are in line with the updated NIS2 standards. Once enterprises are satisfied that, at the minimum, their security meets the legislative baseline, they must also update internal procedures to reflect the next element of the NIS2 response. Like every great emergency service, there must be a response unit that, in the event of an attack, can assume control and manage the situation. For this reason, businesses need to ensure that in the event of a security incident, their procedures include plans to contact the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) within 24 hours of the attack.

As the legislative reach of the NIS2 now extends to smaller enterprises that may have limited experience and infrastructure in coordinating a cybersecurity strategy of this magnitude, the directive will likely lead to a rise in CISO roles in smaller-sized businesses. If an enterprise wants to truly adopt the components of the NIS2 and ensure greater security, it must invest internally in people, processes and technology. 

Towards An Identified Union

The NIS2, while a promising start in strengthening cybersecurity, fails to avoid the pitfalls of the existing NIS Directive. The clear aim of this updated version is to protect data and information of critical importance, however, it only manages to update security and increase the response to an attack. What the NIS2 does not include, is tackling the main threat behind data breaches - identity. 

Typically, an attacker will use identity to assume privileges given to the hacked user. Effectively protecting identities, both human and machine, is a top priority for enterprises.
 
Implementing identity-first security principles would consist of establishing frameworks such as Public Key Infrastructure (PKI)-based infrastructure. Implementing PKI digital certificates within critical infrastructure adds an encrypted layer that can verify and authenticate the identity of websites, networks and users attempting to access the system.

This would essentially act like a passport within a network system to determine that all employees accessing the network are genuine and secure. 

Identity-first security is not only about encryption. It also involves the evaluation and management of access to data within a system. This is where the human element of identity comes into play. Every employee has the potential to benefit or hinder the security of the entire system. Adopting identity-first security principles -  the process of securing identity management by reviewing and managing access points to sensitive data - is the only way businesses can be confident there are no vulnerabilities within their networks. When thinking about this in line with the NIS2 directive, employing identity-first security ensures a promising cybersecurity strategy for a future-proof union. 

Cybersecurity is now the responsibility of all and must be treated as such. A legislative development that legally mandates entities to improve their cybersecurity defences is a meaningful step towards securing the future.

While the main tenets of the NIS2 are strong, namely extending its reach to encompass the many players in the data network, it ultimately fails to go far enough to protect data and identity. Much like when strengthening a fortress, it is not enough to build a higher wall, one must also search to shore up weak points around the perimeter.

Tim Callan is  Chief Experience Officer at Sectigo

You Might Also Read:  

PAM, IAM, Or Both?:

____________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


« For Sale: Data Stolen From Volvo 
Cyber Security Issues For The Mobile Industry »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Pyramid Computer

Pyramid Computer

Pyramid Computer provides custom enterprise solutions for Industrial PC, Imaging, Network, Security, POS, Indoor Positioning and Automation.

Barracuda Networks

Barracuda Networks

Barracuda provides a range of solutions covering network security, data storage, protection and disaster recovery.

Picus Security

Picus Security

Huge gaps often exists between the "perceived"​ and "actual"​ IT security level of an organization. Picus Security continuously assesses security controls and reveals deficient ones before hackers do.

SAS Institute

SAS Institute

SAS is a leader in business analytics software and services providing solutions for a wide range of critical business areas including risk management, compliance and fraud prevention.

Ceerus

Ceerus

Ceerus was created to simplify the process of deploying and managing security across all the channels in an organisation.

Resilia

Resilia

RESILIA is a comprehensive portfolio of tools and training to help your organization achieve global best practice in cyber security.

Com Laude

Com Laude

Com Laude is a domain name management company that provides strategic consulting to help companies strengthen digital brand, safeguard customers & protect brand IP.

SAP National Security Services (NS2)

SAP National Security Services (NS2)

SAP NS2 are dedicated to delivering the best of SAP innovation, from cloud to predictive analytics; machine learning to data fusion.

Nubeva Technologies

Nubeva Technologies

Nubeva provide a breakthrough TLS Decrypt solution with Symmetric Key Intercept to gain the visibility needed to monitor and secure network traffic.

Evina

Evina

Evina offers the most advanced cybersecurity and fraud protection for mobile payment.

OwnBackup

OwnBackup

OwnBackup proactively prevents you from losing mission-critical data and metadata with automated backups and rapid, stress-free recovery.

Outseer

Outseer

Outseer is a leading technology company in the fight against payments fraud. Outseer reliably determines authentic customers from fraudulent behavior.

Sectyne

Sectyne

Sectyne is a full-stack cyber consultancy committed to providing tailored services, advisory consultations, and training.

eCapital

eCapital

eCAPITAL is a leading venture capital firm that provides early to growth stage funding to technology companies in fields including software & information technology, cybersecurity and industry 4.0.

CYTUR

CYTUR

CYTUR provide trusted and secured maritime cybersecurity solutions to keep ships safe, protecting them, their crews, cargo and all stakeholders from maritime cyber threats.

Geobridge

Geobridge

Geobridge was one of the first information security solutions providers to support cryptography and payment applications for payment processors, financial institutions and retail organizations.