
Cybersecurity and EU directives: CybergON's best practices

by admin

Following the launch of two EU directives on cybersecurity, CybergON has identified the best practices that companies should adopt to prepare for the new regulations. According to Cybersecurity Ventures, every 11 seconds a company falls victim to an IT attack, and in 2022 cyber crime registered a turnover of 21 billion dollars. To help companies become aware of business risks, increase awareness of IT threats and develop greater response and prevention capacity, the European Union has launched two new directives on information security: the DORA Regulation and the NIS 2 Directive.

The new obligations on cybersecurity and EU directives

The DORA Regulation (Digital Operational Resilience Act), relating to digital operational resilience for the financial sector, entered into force on 16 January 2023 and will become binding from 17 January 2025. From that moment, financial operators will be obliged to report major ICT-related incidents to the competent authorities and to have in place an internal governance and control framework that ensures risk management is effective and prudent. They will also have to carry out a series of periodic tests to identify weaknesses, deficiencies or gaps and promptly implement corrective measures, applied in proportion to their size and risk profile. Finally, they will have to share information in a linear and transparent way.

The NIS 2 Directive process

The Directive on the security of network and information systems in the Union (NIS 2 Directive) entered into force on 17 January 2023 and the transposition will only be effective from 18 October 2024. This allows for a planning margin of 21 months. From now on, those affected by a cyber incident will have to follow a notification process with the competent authorities. The process includes an early warning within 24 hours of becoming aware of the incident, then a notification within 72 hours of becoming aware of the incident, which updates the early warning information if necessary. Finally, a final report is due within one month of the transmission of the notification; its minimum content is detailed by the legislator.


Cybersecurity and EU directives

CybergON's suggestion is to proceed in two directions: on the one hand, relying on a Security Operation Center (SOC) that can identify possible threats and vulnerabilities in the corporate network in a short time; on the other, investing in continuous and adequate training for employees. Given the complexity and specificity of the knowledge required in the cybersecurity field, many companies are unable to complete an IT security journey on their own. For this reason, relying on someone who can manage all the activities 24/7 proves to be an advantageous solution, also from an economic point of view.

CybergON’s proposal

Against this background, CybergON identifies three activities that, if performed continuously, make it possible to monitor the state of a company's infrastructure.

  • The delivery of penetration tests: an authorized simulated cyber attack on a computer system or network.
  • The assessment of the vulnerabilities present: the set of activities carried out in order to identify as many vulnerabilities as possible.
  • The control of utilities.

In addition, having a SOC take responsibility for infrastructure monitoring helps identify problems before they impact the infrastructure itself, thus reducing the risk that a cyber incident could prove critical.

Rely on an effective service

Elisa Ballerio, Marketing Director of CybergON
Our advice is to create a skills map. And then to be supported by industry experts to fill the gaps that are inevitably present in each non-vertical cybersecurity reality. The cybercrime market is in continuous evolution with ever-changing attack modes. That’s why relying on an effective service is the real competitive advantage that allows you to keep up with the changes.

Cybersecurity and EU directives, best practices according to CybergON

The basis of a good defense strategy is always the training of employees. Human error continues to be one of the main reasons why a cyber attack is successful. For this reason, training courses aimed at recognizing malicious emails and promoting behaviors that take IT security into consideration remain the key to limiting damage.

Elisa Ballerio, Marketing Director of CybergON
The training must be targeted at all active user groups in the company. As CybergON, in fact, on the one hand we provide technical courses aimed at managing your own security service, and on the other courses for management.

Avoid individual interventions


The NIS 2 Directive and the DORA Regulation are the first step of a new long-term vision. The world of cybersecurity is constantly changing. For this reason, CybergON’s suggestion is to rely on a partner capable of bringing new technologies and new processes within the company, undertaking a path that must be seen from a perspective of continuity and not as a single and isolated intervention.
