Federico Botti, Vice President, Security and Resilience Practice of Kyndryl Italia, highlights 5 ways to prepare for the new cyber resilience rules.
As digitalization advances, ensuring the resilience of critical systems and infrastructures becomes essential to maintaining continuity of operations and protecting against breaches and disruptions.
Countries around the world have taken the lead in standardizing and codifying safer practices for managing cyber threats to businesses, developing cybersecurity laws and regulations to mitigate risks. Among these, the member states of the European Union have established the DORA Regulation (Digital Operational Resilience Act) and the NIS 2 Directive (Network and Information Security Directive), while the United States has implemented the new SEC (Securities and Exchange Commission) rules.
The common goal is to implement data management protocols and an overall security posture that allow businesses to move forward while limiting the reach of cybercriminals.
In recent months, however, the debate has focused on the timing of the entry into force of new cybersecurity regulations, without looking at their real impact on companies.
The SEC, for example, requires that information be disclosed on cybersecurity incidents, on the management of the related risks and on the governance measures adopted.
Similarly, DORA makes the management of all financial institutions operating within the EU directly responsible for the ICT risk management and operational resilience strategy. In practice, this will require C-levels to take on greater responsibility for overseeing cybersecurity risks, including ensuring compliance with the technical requirements and with DORA's own policies.
Furthermore, Canada, the United Kingdom and Australia also plan to implement regulatory frameworks similar to those of Europe and the United States.
What can companies do in view of the new regulations coming into force?
In this context, there are some practices that help companies anticipate cyber threats, so that they can protect themselves quickly and restore critical IT environments:
1. Create awareness at management level and involve different levels of the company from the beginning
The new cybersecurity regulations require the commitment of the entire company: for this reason it is necessary to avoid so-called “silos” within the organization. Today, in fact, cybersecurity is not a problem for a few, but concerns everyone, from leaders to employees.
2. Establish minimum business requirements
The minimum requirements indicate those business services that are fundamental to support operations and achieve objectives. Cyber defense and cyber resilience must therefore start right here.
3. Inventory your IT assets and determine risk
Companies with large and complex IT estates need to know what resources they have at their disposal, what measures are needed to protect them and how likely they are to be targeted by an attack. In other words, each company must identify and protect its own weak points.
4. Develop a crisis management plan and conduct exercises
This is the time to plan ahead and prepare to handle any situation, even the inevitable: when it comes to cyberattacks, it’s not a question of “if”, but “when” they will occur.
5. Move to a “Zero Trust” framework and regularly update cyber resilience strategies
Bad actors (whether acting as large organizations or as individuals) are innovative and intelligent: companies must be ready to counter them, without taking anything for granted.
Cybersecurity and IT resilience are an issue that concerns everyone, especially in light of the new regulations introduced by the European Union and the United States which, in the event of an attack, could add significant sanctions to the reputational and business damage suffered by companies: it is therefore essential that governments and organizations adopt a proactive approach to anticipate and prevent malicious cyber events and to restore systems when they occur.