The technological boom of the past few years has benefited organisations in countless ways, but according to Joel Aleburu, cyber security analyst at Smarttech247, organisations rely too much on technology – or, rather, they rely too much on it working properly.
Technology is being targeted by cyber criminals more than ever, but organisations have continued to push on with ways to connect networks without implementing sufficient safeguards to prevent attacks or respond in the event of a breach.
Aleburu focuses on the dangers of the ‘smart city’ – invoking cyber attacks such as those against San Francisco’s public transport system, Dallas’s tornado alarms and Kiev’s power grid – but public infrastructure is only one target. All organisations are at risk: many cyber criminals are opportunistic, exploiting any known weakness they find rather than singling out particular companies, and even organisations that are not attacked directly can be caught up in the fallout of an attack that hit somewhere else. For example, an attack on an electricity supplier would disrupt the business operations of every organisation that depends on it, and disruption to transport links could prevent thousands of people from getting to their offices.
Don’t ignore threats
But it’s not only cyber attacks that organisations should be concerned about. There’s also the risk of internal errors, natural disasters, infrastructural damage and the possibility that technology will simply fail. For every disruption caused by malware or a denial-of-service attack, there’s the threat of an employee leaking information, a server being destroyed, an office having to be closed off because of a water leak or a network failing without warning.
It’s therefore not good enough to ignore these threats or to rely solely on your ability to prevent incidents. Disaster can strike in any number of ways, and your luck will run out sooner or later. You need to be prepared for when that happens, and you can do that by adopting a cyber-resilient approach to security.
Cyber resilience combines cyber security with business continuity management, helping organisations avoid an ‘all or nothing’ outlook on information security. It enables them to defend against disruptions while also putting measures in place to ensure they can survive and recover should those defences prove insufficient.
For many organisations, cyber resilience will soon become a necessity, as it helps meet a major requirement of the Network and Information Systems Regulations (NIS Regulations).
The NIS Regulations, which transpose the EU’s NIS Directive into UK law, require operators of essential services (OES) and digital service providers (DSPs) to improve the way they handle cyber security incidents. This includes the need to:
- Take “appropriate technical and organisational measures” to secure their network and information systems;
- Consider the risks when developing systems;
- Take appropriate measures to prevent and minimise the effect of security incidents to ensure service continuity; and
- Notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.
The Regulations took effect on 9 May 2018, but the UK government has until 9 November 2018 to confirm which OES the law applies to. In a report released earlier this month, it estimated that at least 432 such organisations will be affected.
Want to learn more?
You can find out about the NIS Regulations and how cyber resilience can help by reading our NIS Regulations compliance guide. This free green paper covers:
- The NIS Directive’s requirements and the UK government’s implementation approach;
- The proposed assurance regime;
- Which organisations are in scope;
- The proposed security requirements for compliance; and
- How you can implement a compliance programme to meet the NIS Regulations’ requirements.
You might also be interested in our NIS Regulations infographic, which breaks down the key information into bite-sized chunks and is an ideal reference tool.