May 2018 is a big month for cyber security and data protection. But although the soon-to-be-enforced EU General Data Protection Regulation (GDPR) is grabbing most of the headlines, organisations should be equally concerned about the Directive on security of network and information systems (NIS Directive), which must be transposed into EU member states’ national laws by 9 May this year.
According to a World Economic Forum (WEF) report, the issue that the NIS Directive tackles – cyber attacks and digital warfare – is currently the sixth biggest threat facing humanity. We should be more concerned about this than the food crisis, the spread of infectious diseases, the collapse of an ecosystem and large-scale involuntary migration, the WEF says.
Why are we in so much danger?
You have probably heard about the two major cyber attacks of 2017: WannaCry and NotPetya. But as damaging as they were, the bigger issue is the ‘death by a thousand cuts’ variety of attack. The WEF’s report found that 350 million malware variants were unleashed in 2016, and predicts that malware could infect more than 8.4 billion Internet of Things (IoT) devices by 2020.
That’s about the total number of IoT devices currently in use globally, according to a Gartner report. That number is expected to jump to 20.4 billion by 2020, meaning more than one in four devices is at risk.
Accounting for all devices, the global cost of malware will be $8 trillion (about £5.7 trillion), according to a study cited by the WEF. Ransomware, the malware strain responsible for WannaCry and NotPetya, will be a major factor. However, the biggest cost isn’t the result of paying the ransom (which organisations should never do), but the loss of business while the affected organisation’s systems are crippled. For example, Merck, FedEx and Maersk each reported a hit to their bottom line of over $300 million (£215 million) as a result of NotPetya.
Cyber attacks can also have indirect financial costs. WannaCry affected the NHS, railway providers and energy suppliers, among other sectors, causing untold damage. Chain reactions such as these could become more common in the future, the WEF warns, and organisations don’t currently have an effective way of stopping them.
The report states: “Humanity has become remarkably adept at understanding how to mitigate conventional risks that can be relatively easily isolated and managed with standard risk management approaches. But we are much less competent when it comes to dealing with complex risks in the interconnected systems that underpin our world, such as organizations, economies, societies and the environment.”
It adds: “When risk cascades through a complex system, the danger is not of incremental damage but of ‘runaway collapse’ or an abrupt transition to a new, suboptimal status quo.”
How the NIS Directive helps
The NIS Directive mandates that EU member states improve the way they cooperate regarding cyber attacks against critical sectors of the economy such as health, energy, banking and transportation. As such, organisations under the Directive’s scope need to:
- Take “appropriate technical and organisational measures” to secure their network and information systems;
- Consider the risks when developing systems;
- Take appropriate measures to prevent and minimise the effect of security incidents to ensure service continuity; and
- Notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.
The Directive identifies two kinds of organisations – operators of essential services (OES) and digital service providers (DSPs) – and sets additional specific requirements for each of them.
As with the GDPR, the NIS Directive states that organisations that suffer a major breach must report it to the relevant supervisory authority within 72 hours of discovery.