Organisations should take a “human-first approach” to preparing for the Directive on security of network and information systems (NIS Directive), the new law designed to help ensure that essential services remain operational, says the co-founder and chief technology officer of Cofense.
The Irish government is yet to transpose the NIS Directive into law, however, judging by the consultation document which they have published, it seems they will be taking a similar approach to the NIS Directive as the UK government who have already transposed this into law have taken.
Aaron Higbee said: “The majority of cyberattacks don’t rely on sophisticated malware or technical vulnerabilities, but rather the psychology and behaviour of people.” He warns that people’s curiosity, habits and misplaced trust have enabled social engineering to thrive, and that organisations’ biggest priority needs to be staff training. He added that the ‘human-first approach’ isn’t just about employee awareness, but also changing their behaviour. “Employees are smart and perfectly capable of adapting to new behaviours,” he said. “The ability to learn an automatic, subconscious response permeates and facilitate our lives. Our behaviour towards cyber threats ought to be no different.
“Phishing is the number one attack vector today because it works by manipulating the trust we place in our emotions, especially curiosity, fear and urgency.”
What does the NIS Directive say?
The European Commission’s guidance for the NIS Directive highlights the need for staff training, so it’s certainly something that needs to be addressed.
However, it’s important to understand that technological and organisational measures work together. Even when you consider a socially engineered attack such as phishing, staff awareness training will help employees detect malicious emails, but organisations should also implement policies to help them respond appropriately, as well as spam filters and other controls to prevent them being bombarded by scams.
This advice applies to most threats that organisations face. For instance, staff should be taught about the dangers of misplacing sensitive data, but organisations should also have policies in place for safely handling information and all confidential data in transit should be encrypted.
It’s essential that organisations strike the right balance between technological and organisational defences, as the penalties for a breach of the Regulations are severe. Member states set their thresholds for fines.
Any disciplinary action will almost certainly have a big effect on most organisations, and the reputational damage of a breach could linger for months or years.
Solutions for NIS Directive compliance
You can learn more about the NIS Regulations by reading our free compliance guide. It provides further information on the Directive’s requirements, which organisations are within the scope of the NIS Regulation, the proposed security requirements and how you can implement them.