
GDPR keeping you up? There’s another monster hiding under the bed…

Opinion
Feb 01, 2018 | 4 mins
Data and Information Security, Government, Privacy

There’s another deadline in May that needs to be paid attention to – the NIS Directive.

Image credit: Thinkstock

Everyone in the security world is talking about the EU’s General Data Protection Regulation (GDPR), and rightly so. GDPR is almost in full force, supplanting the older (and some will argue, out of date) EU Data Protection Directive (DPD). I don’t think regular readers of security news need to be reminded of the severity of penalties that the EU can levy against negligent misuse and abuse of EU citizens’ data.

But there’s another deadline in May that needs to be paid heed. While GDPR primarily deals with data and how it is used, the NIS Directive is “the first piece of EU-wide legislation on cybersecurity.” The directive was adopted in July 2016 and the European Parliament gave EU Member States 21 months to adopt the directive into their respective state laws, and another half a year to identify the organizations, both public and private, that must adhere to the directive.

Earlier this week the UK announced how it plans to adopt the NIS Directive and some of the measures organizations must take to ensure compliance with the directive. The NIS Directive was designed to focus on key critical portions of Member States’ information technology infrastructures – sectors like public utilities, power generators, transportation providers, and organizations providing healthcare for the public – all the basic services a nation needs to operate today. The NIS Directive considers each of these sectors as “Operators of Essential Services,” or OESs.

While currently the NIS Directive only applies to the OESs, the UK’s National Cyber Security Centre (NCSC) recommends that everyone should pay the directive heed. It’s clear this new directive was pushed forward after the substantial impact many attacks have had in recent years on public infrastructure and essential utilities. WannaCry’s disproportionate impact on the networks of the National Health Service (NHS) is clearly not being forgotten by the NCSC.

The NCSC itself understands how complex and difficult it will be to prepare for any and all cyber-related eventualities, and because of this, the guidelines being provided are intentionally vague. In practice, this gives OESs significant freedom and latitude to design, build, and monitor their unique infrastructures in the ways they deem best. Will that be enough?

The top-level objectives of the directive are pretty straightforward:

Failure to comply can lead to fines as large as £17M ($24M USD). But the fines themselves seem to be a last resort for the UK after continued failure by OESs to improve and learn from incidents. It appears there is going to be a lot of assistance provided to organizations by Her Majesty’s government, which will be a boon for many organizations that may have fallen behind on cybersecurity obligations. Though, I find this method to be a double-edged sword. Being pragmatic in understanding that breaches and incidents are going to happen and allowing organizations the ability to learn and improve from them is great. Yet at the same time, the lack of sharp teeth ready to take a giant financial bite out of an organization may give some the false sense that punitive enforcement is just a paper tiger. I guess we shall see if it is enough.

The biggest takeaway for any organization, even if you aren’t an OES, is that we are entering a new period of regulatory enforcement of cybersecurity-related issues. This is likely just the beginning, and I would not bet against seeing more and more similar rules being adopted all over the globe as things like GDPR and the NIS Directive claim their first sets of penalties. Thankfully, if you’re already thinking about how to comply with GDPR, there will be a significant amount of overlap between the two obligations, and in many cases you will be able to kill two birds with one stone.

But just like GDPR, organizations are going to need to shine some very bright flashlights under the bed to coax out all the monsters hiding under there – before some sharp teeth decide to take a chomp or two.

Contributor

Richard Henderson is Global Security Strategist at Absolute, where he is responsible for trend-spotting, industry-watching and idea-creating. He has nearly two decades of experience and involvement in the global hacker community and discovers new trends and activities in the cyber-underground.

He is a researcher and regular presenter at conferences and events, and was lauded by a former US DHS undersecretary for cybersecurity as having an “insightful view” on the current state of cybersecurity. He is also a skilled electronics hacker: he was one of the first researchers in the world to defeat Apple’s TouchID fingerprint sensor on the iPhone 5S.

Richard can be found speaking at industry conferences including Gartner’s Security and Risk Summit; he also provides media commentary for publications ranging from Wired to CSO.

Richard also helped edit colleague and friend Tyson Macaulay’s latest book on IoT Security: RIoT Control: Understanding and Managing Risks and the Internet of Things. He is currently co-authoring a 2nd edition of Cybersecurity for Industrial Control Systems.

The opinions expressed in this blog are those of Richard Henderson and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.