
Are you cyber resilient?

With the EU focusing on a raft of new cybersecurity regulations, Puneet Kukreja, Senior Partner and Head of Cyber Security at EY Ireland, believes that organisations will become more aware of the risks and threats and will grow their monitoring and response capability to increase their resilience against cyber threats, in many cases going well beyond just ticking the compliance boxes.

Organisations spend a lot of time coming up with policies, ensuring that they are appropriately governed and they have a positive compliance posture. However, “compliance is not equal to security,” he warns.

“Compliance is not equal to actually having the tools and technologies in place, with operating processes implemented that make your organisation secure and resilient.”

Moreover, it’s not just businesses that need to be resilient, it is society as a whole. An increase in cyber-attacks during the Covid-19 pandemic shone a spotlight on the importance of protecting critical infrastructure, for example increasingly connected hospitals and medical devices. According to reports from the European Commission, the annual cost of data breaches is estimated to be at least €10 billion, and this figure jumps to at least €65 billion when it comes to the annual costs of malicious attempts to disrupt internet traffic.

Among agencies focused on cybersecurity within the EU are the EU Cybersecurity Agency (ENISA), the Computer Emergency Response Team for the EU institutions (CERT-EU), and the European Cyber Crime Centre (EC3)/Europol. The European Defence Agency (EDA) is also extremely concerned with cyber resilience, that is, the ability to detect, withstand, and recover from any cyber-attack. According to the EDA, “Cyberspace is today recognised as the fifth domain of warfare, equally critical to military operations as land, sea, air, and space.”

A Brief History of Cybersecurity in the EU

Since the introduction of the first Network and Information Systems Directive (NIS) in 2016, there has been a continuous focus on bolstering the strategy, framework, and regulations around cybersecurity within the EU. NIS 2 replaced the original Directive in December 2020.

The first significant impact felt by the business community – and consumers – came with the General Data Protection Regulation (GDPR), which was introduced in 2016 and came into effect in May 2018.

The June 2019 Cybersecurity Act strengthened the role of ENISA, the EU Agency for Cybersecurity, giving the agency a permanent mandate and more resources to try and keep up with the ever-moving cyber goalposts. Then in 2020, the new EU Cybersecurity Strategy was adopted.

In May of last year, the European Council and the European Parliament reached a provisional agreement for the new legislative cybersecurity measures, calling for stronger risk and incident management and cooperation, and including a wider range of rules and regulations falling within its scope.

In September 2022, the European Commission published the Cyber Resilience Act, which is the first ever EU-wide legislation mandating cybersecurity requirements for software and connected hardware throughout their entire lifecycle.

“It is about manufacturers improving their security products and enhancing the transparency when building those products, testing them and ensuring what is shipped is Secure By Design,” explains Kukreja.

“The most critical pieces we need to be talking about are the NIS 2 Directive and the Critical Entities Resilience (CER) Directive,” he notes.

The NIS 2 Directive and the CER Directive entered into force on 16th January 2023. Member states of the EU have until 17th October 2024 to transpose the Directive, with the measures coming into effect on 18th October. The new CER Directive replaces the European Critical Infrastructure Directive of 2008 and aims to strengthen the resilience of critical infrastructure and essential services—which are vital to the functioning of society and the economy—to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage.

The sectors to be covered by the CER Directive include energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. The Directive is a response to global events such as the acts of sabotage against the Nord Stream gas pipeline and the new risks brought by Russia’s aggression against Ukraine. Each EU Member State will be required to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for their own society and economy.

Incident Response Planning

Make your business resilient against a cybersecurity breach

“Across small to medium businesses, in Europe, the US and Asia-Pacific, 97% of the cyber breaches happen through ransomware, stolen credentials, and basic web application attacks,” says Kukreja. His advice for businesses is to have an incident response plan incorporating the following principles:

• Focus on resilience and response capability.

• Ensure your hosting, endpoint and application environment is patched and misconfigurations remediated.

• Ensure you have continuous monitoring in place for critical services.

• Make sure there are no misconfigurations.

• Ensure there is continuous training focusing on the risks of social engineering and phishing.

“The Cyber Resilience Act will be enforced by the CER and the NIS 2 Directives. There are commonalities in what needs to be covered off within these acts,” Kukreja suggests. “All of these acts and all of this legislation is really coming together to ensure that there is appropriate governance and appropriate preparedness, and should any event take place, that we can respond to it in time with the right level of control and in a standardised manner.”

Horizontal Security Requirements

The concepts of a software bill of materials (SBOM) and a hardware bill of materials (HBOM) are, says Kukreja, “two very critical areas that are being looked at in the US and Europe, and this is where horizontal cybersecurity requirements will come in.”

An SBOM is essentially an inventory list of all the ingredients that make up a piece of software, and similarly for an HBOM. With the Cyber Resilience Act coming into force, Kukreja explains, it will force people to consider, “How do you ensure, like in software development, that the hardware lifecycle development of a product is appropriately managed with a defined framework of security controls, that is open, can be independently audited, and can be verified through all of the stages of its lifecycle?”

He continues, “It’s all about the openness of the security properties of a product that is being developed. That then puts the focus on the other side of cyber, which is the Internet of Things (IoT) and connected devices, which are prevalent not only in our critical infrastructure but across industry at large in every sector—banking, energy, critical infrastructure and others.”

He cites the example of connected devices, which are IoT devices, across multiple sectors, including energy, mining, manufacturing and health, connected to IT infrastructure. “That then creates that standard mix of information technology (IT) and operational technology (OT). Then how do you ensure that there is security, resilience, and the right level of control in both environments? And how do you make sure that a piece of ransomware that has impacted an organisation from the IT side does not spill over into the OT side and vice versa?”

“The end user—a manager, a business user, a CFO or CEO—what they need to understand is that the requirements of cybersecurity, which were within their IT environment, as such, are now being expanded and extended into their OT environment,” Kukreja advises. “They need to ensure that the hardware and software products that are being developed, or that are being bought, follow a coherent cybersecurity framework. They need to ensure that the concept of Secure By Design, that already exists on the IT side, has now expanded, and extended into the development of hardware products.”

This is not just something that applies to the manufacturers of hardware, he underlines. “The consumers need to ensure that through appropriate procurement, governance, security, and the onboarding of technology equipment within their organisations, that they also understand the full lifecycle of how a hardware element has been manufactured.”

Because hardware also contains software elements, it is at risk of being compromised and providing a backdoor into the broader organisation; this is why there is a call for the CE marking for hardware devices, which will be coming into effect in 2024.

Global Benchmarking

Having worked in cybersecurity at a high level all over the world, Kukreja has seen the best and worst of cybersecurity policies and implementation. “If you want to look at how processes need to work and what documentation should look like, Europe will have the guidance, governance and oversight requirements nailed down. But if you actually want to see how technology should be implemented, and what technical controls are required to be in place, then the Americas is where we need to look at, given their technology-first mindset. However, I’m not saying it’s always the right approach as they often tend to be implementation-rich, but documentation-poor.”

In his experience, it is often the spend-constrained organisations of the Asia-Pacific region that have taken a best-of-both-worlds approach, and lead the way in melding best practice in both documentation and implementation to focus on what works and create a fit-for-purpose, fit-for-use model.

With new regulations coming down the line, he predicts there will be a huge increase in demand for expertise. “There is a known and recognised demand for cyber talent, not only in Ireland. Globally, organisations are finding it a challenge to fill roles across the cyber dimension, and with the onset of these regulations the demand for expertise is set to increase which will lead to more opportunities in this space.”

Kukreja’s advice now is to look for people with both compliance and implementation expertise. “If you only take on people who have generic knowledge across governance, risk and compliance, and are lacking the specialist skills required to address these…it will be a paper tiger with no teeth.”
