This is a contributed piece by Greg Day, vice president and regional chief security officer, Europe, Middle East and Africa, Palo Alto Networks
As cyberattacks become increasingly high-profile and high-stakes, governments across the globe are taking action. The European Union (EU) is bringing in requirements to deal with modern-day digital threats, with provisions addressing cybersecurity in the Network and Information Security (NIS) Directive and as part of the General Data Protection Regulation (GDPR).
The NIS Directive requires operators of essential services and providers of digital services to adopt risk management practices and report major incidents, and demands ‘state of the art’ capabilities against cyber threats. The GDPR is a regulation designed to harmonise data protection laws across EU member states, and asks organisations to operate ‘with regard to’ state of the art technology. In both cases, the detail of what constitutes state of the art isn’t defined.
These requirements can be interpreted broadly and may present some challenges as organisations work to understand their status in relation to the new requirements, with the clock starting to tick on implementation timelines.
What is ‘state of the art’?
While the term ‘state of the art’ is rather open to interpretation, the regulation means that organisations must keep up with evolving technology and tools, as well as processes and policies. This matters given the rapid pace of change we see in the threat landscape and in how cyber adversaries operate, which in turn highlights the risks faced by organisations.
This is a clear example of how changes in legislation at an EU level are putting cybersecurity front and centre for European businesses. Many organisations will have to manage a new set of requirements in relation to the use of state of the art cybersecurity solutions to protect their data and those of their customers.
Where most of us only keep our cars for three or four years, organisations frequently rely on tools and practices that have been in place for as much as a decade even though the digital world is evolving faster than ever before. State of the art makes it clear that our cybersecurity capabilities need to keep pace with this changing landscape. State of the art might bring to mind shiny new security tools, complete with futuristic tech such as artificial intelligence (AI) and robotics. But in my mind, state of the art is a comprehensive, prevention-focused cybersecurity solution, operated by a collaborative team, and a workforce that shares accountability.
It’s a threefold approach:
3. Educating everyone in the business on their role in preventing successful cyberattacks.
The role of people in state of the art
Ensuring your company is compliant with the new legislation must become ‘business as usual’, ideally within the next two years. And for the best defence against the evolving threats of today, cybersecurity needs to be woven into the very core of business in order to help protect society in this digital age.
Many companies still rely solely on technology to avoid cyberattacks, and while this is important, employee understanding and compliance should be considered too. Combining human and technological insights gives businesses a perspective that ultimately helps identify many more avenues that adversaries may use to gain access to an organisation and its data. By identifying weak points in the shield before anyone else does, businesses can better secure themselves.
It’s essential that each employee understands his or her role in cybersecurity. Employees can unknowingly serve as a gateway for malicious activity by visiting an unreliable website, downloading a harmful file or falling victim to a phishing attack. Organisations should have policies in place to identify what behaviours are acceptable and unacceptable, and these should be clearly communicated and reinforced on a regular basis to all staff.
Failure to comply
If an organisation is faltering in its approach to cybersecurity, it is often because it focuses on the clean-up and remediation after a breach rather than on upfront prevention. While the loss or compromise of any data has repercussions, the provisions around state of the art cybersecurity in GDPR and the NIS Directive mean that where capabilities are currently lax, the consequences could be higher.
The term ‘state of the art’ leaves room for interpretation and for pleas of ignorance from companies not fully comprehending the requirements of GDPR and the NIS Directive. In addition to the impact on brands when notification forces incidents into the public domain, in the case of GDPR, organisations found to be non-compliant may face steep fines of up to €10M – €20M (2% – 4% of total worldwide annual turnover). This is also true for partners operating along the supply chain. If you handle the data of another company, you could be held accountable for a breach of that data if it is discovered that your business was the entry point.
Take destiny into your own hands
Regulation is nailing down accountability in unprecedented ways, and responsibility is extending further than ever before. With the 1H 2018 deadlines for both pieces of legislation looming, there is still time to get ready but not to prevaricate. The new legislation is bigger than most of us, and there is still a need to understand state of the art and what it means for your organisation.
Preparation can – and must – be done now to ensure you can manage the requirements. The best way to do this is to adopt a prevention mind-set, thus addressing the issue head on, and mitigating the risk of both breaches and the resulting consequences in this new, state of the art world.