NIS Regulations: Adopt a “human-first approach” to compliance

Organisations should take a “human-first approach” to preparing for the Directive on security of network and information systems (NIS Directive), the new law designed to help ensure that essential services remain operational, says the co-founder and chief technology officer of Cofense.

The UK government has transposed the NIS Directive into national law. As of 10 May 2018, the official title of this law will be The Network and Information Systems Regulations 2018 (NIS Regulations).

Aaron Higbee said: “The majority of cyberattacks don’t rely on sophisticated malware or technical vulnerabilities, but rather the psychology and behaviour of people.” He warns that people’s curiosity, habits and misplaced trust have enabled social engineering to thrive, and that organisations’ biggest priority needs to be staff training.

He added that the ‘human-first approach’ isn’t just about employee awareness, but also changing their behaviour. “Employees are smart and perfectly capable of adapting to new behaviours,” he said. “The ability to learn an automatic, subconscious response permeates and facilitates our lives. Our behaviour towards cyber threats ought to be no different.

“Phishing is the number one attack vector today because it works by manipulating the trust we place in our emotions, especially curiosity, fear and urgency.”

What do the NIS Regulations say?

Both the UK government’s 14 high-level security principles for the NIS Regulations and the European Commission’s guidance highlight the need for staff training, so it’s certainly something that needs to be addressed.

However, it’s important to understand that technological and organisational measures work together. Even for a socially engineered attack such as phishing, staff awareness training will help employees detect malicious emails, but organisations should also implement policies that help employees respond appropriately, as well as spam filters and other controls to prevent them from being bombarded by scams.

This advice applies to most threats that organisations face. For instance, staff should be taught about the dangers of misplacing sensitive data, but organisations should also have policies in place for safely handling information and all confidential data in transit should be encrypted.

It’s essential that organisations strike the right balance between technological and organisational defences, as the penalties for a breach of the Regulations are severe. Member states set their thresholds for fines, and in the UK, the maximum penalty is £17 million – although fines of that magnitude will likely only be handed out for flagrant or repeat offences. The UK government has also said that fines will only be issued if other disciplinary action isn’t appropriate.

Still, any disciplinary action will almost certainly have a big effect on most organisations, and the reputational damage of a breach could linger for months or years.

Start assessing your compliance needs

IT Governance’s NIS Regulations Gap Analysis will give you a clear picture of how your current cyber security arrangements match up with the requirements of the 14 principles.

To assess your compliance needs and gain a clear roadmap of the steps you need to take to become fully compliant, book the NIS Regulations Gap Analysis now.