Richard Connolly, Regional Director for the UKI and the DACH (Germany, Austria and Switzerland) regions at Infinidat, explains how cyber resilience through NIS2 and DORA compliance can minimise the negative effects of a cyber security breach.
Just in the past few months, a series of very high-profile cyber attacks have highlighted the risks that every organisation is facing. For once, small, medium and large enterprises alike share a common threat, and even the most well-known brands are falling prey to hackers.
Over the last few years, as data has become more important as a strategic asset, the threat of cyber attacks has increased exponentially.
Digital transformation may have delivered many benefits to enterprises in terms of improved efficiency and productivity, but it has also created just as many cyber security challenges.
The threat of cyber attacks is increasing constantly and regulators in the EU, as well as other parts of the world, have now responded formally, with two new stringent European laws to protect consumers. Implementing a thorough cyber storage resilience programme will be an integral part of complying with these new regulations.
About the implementation of NIS2
These legal changes began with the Network and Information Systems (NIS) 1 Directive, which was designed to create a common framework for cyber security across the EU. In practice it was difficult to implement consistently in the different regions, which left some enterprises with security gaps and compromised IT system integrity.
NIS2 legislation, released in December 2022, was designed to put a stop to these issues, taking into consideration ongoing geopolitical instability and acknowledging that cyber attacks have become even more widespread.
The provisions of NIS2 will become mandatory by October 2024 and affect any entity with more than 250 employees and an annual turnover exceeding £43m, an annual balance sheet exceeding £37m, or both.
Some enterprises will have to comply with NIS2 regardless of company size, e.g. providers of public or publicly available electronic communications networks, or enterprises where a disruption to their service or product supply could have significant implications for public health.
Pharmaceutical companies, food manufacturers, and energy providers are all universally impacted by NIS2.
These organisations will be required to introduce some key cyber resilience measures to protect themselves against cyber incidents. Fines for non-compliance can be as much as 2% of the organisation’s annual turnover, or £8.5m for enterprises offering essential services.
DORA’s introduction to the financial sector
Whilst NIS2 is designed as a cross industry measure to protect public services as a whole, other more specific regulations, for instance the EU’s DORA (Digital Operational Resilience Act) are being introduced for the financial sector.
DORA was introduced just before NIS2 and is designed to help financial enterprises both prevent cyber attacks and recover quickly and effectively from them. This is the essence of cyber resilience, and it should be an absolutely critical part of every enterprise storage strategy.
Ensuring NIS2 and DORA are followed
There are some fundamental areas within enterprise storage to appreciate when ensuring your enterprise can comply with either NIS2 or DORA (or both).
Firstly, it’s important to secure both primary and secondary data storage to be fully cyber resilient. Most enterprises have accepted the importance of secondary data cyber resilience, but understanding the need for primary storage to be treated in the same way is less widespread.
When it comes to securing both primary and secondary enterprise storage, there are some other essential ingredients to building a strong storage cyber defence strategy.
Immutable snapshots provide the foundation layer for effective storage cyber security. They allow organisations to recover guaranteed, uncorrupted copies of their data taken before any malware or ransomware code introduced by an attacker was executed.
Immutable snapshots ensure the integrity of stored data because they prevent data copies from being altered or deleted. By using immutable snapshots, any organisation can be confident that they are meeting the compliance requirements of both NIS2 and DORA.
Logical air gapping adds a further layer of security and compliance, by creating a safe distance between the storage management and data layers. There are three types of air gapping. Local air gapping keeps the data on-premises, remote air gapping makes use of a remotely hosted system and hybrid air gapping combines the two.
Fenced forensic environments help speed up the recovery process by providing a secure area to perform a post-attack forensic analysis of the immutable snapshots. The purpose here is to carefully curate data candidates and find a known good copy.
The last thing you want to do after an attack is to start restoring data that has been infiltrated with malware or ransomware. Once forensic analysis is complete, it is safe to restore the known good copy to primary storage systems.
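The recovery workflow described above (immutable snapshots, a forensic check in a fenced environment, and selection of a known good copy before anything is written back to primary storage) can be made concrete with a small simulation. This is an added example, not Infinidat's code or any product's API: the class and function names, the snapshot records, the timestamps and the indicator strings are all constructed for illustration.

```python
"""Added illustration of the snapshot-curation workflow (not Infinidat's code).
Names, snapshot records, timestamps and indicator strings are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)  # frozen: a snapshot record cannot be modified in place
class Snapshot:
    name: str
    taken_at: int    # constructed epoch seconds
    payload: bytes   # stands in for the snapshot contents
    digest: str      # SHA-256 recorded at snapshot time


class ImmutableSnapshotStore:
    """Snapshots can be taken and read, never overwritten or deleted."""

    def __init__(self) -> None:
        self._snaps: Dict[str, Snapshot] = {}

    def take(self, name: str, taken_at: int, payload: bytes) -> Snapshot:
        if name in self._snaps:
            raise PermissionError(f"{name} is immutable and cannot be overwritten")
        snap = Snapshot(name, taken_at, payload, hashlib.sha256(payload).hexdigest())
        self._snaps[name] = snap
        return snap

    def delete(self, name: str) -> None:
        # Immutability means deletion is refused even for privileged callers;
        # that is what keeps the copies out of reach of an attacker with admin rights.
        raise PermissionError(f"{name} is immutable and cannot be deleted")

    def newest_first(self) -> List[Snapshot]:
        return sorted(self._snaps.values(), key=lambda s: s.taken_at, reverse=True)


# Constructed indicator strings standing in for what a forensic scan looks for.
INDICATORS = [b"RANSOM_NOTE", b"dropper.bin"]


def integrity_ok(snap: Snapshot) -> bool:
    """Recompute the digest; a mismatch means the copy is not a trustworthy candidate."""
    return hashlib.sha256(snap.payload).hexdigest() == snap.digest


def forensic_scan(snap: Snapshot) -> List[str]:
    """Run inside the fenced environment: list the indicators present in the copy."""
    return [ind.decode() for ind in INDICATORS if ind in snap.payload]


def find_known_good(store: ImmutableSnapshotStore, detected_at: int) -> Optional[Snapshot]:
    """Newest snapshot taken before detection that passes integrity and forensic checks.

    Snapshots taken at or after detection are skipped outright; earlier ones are
    still scanned, because the attacker may have been active before detection.
    """
    for snap in store.newest_first():
        if snap.taken_at >= detected_at:
            continue
        if not integrity_ok(snap) or forensic_scan(snap):
            continue
        return snap
    return None


def restore_to_primary(primary: Dict[str, object], snap: Snapshot) -> Dict[str, object]:
    """Only a curated snapshot is ever written back to primary storage."""
    primary["data"] = snap.payload
    primary["restored_from"] = snap.name
    return primary


def build_sample_store() -> ImmutableSnapshotStore:
    """Constructed history: two clean snapshots, then one taken after the attacker ran."""
    store = ImmutableSnapshotStore()
    store.take("snap-100", 100, b"customer ledger v1")
    store.take("snap-200", 200, b"customer ledger v2")
    store.take("snap-300", 300, b"customer ledger v2 RANSOM_NOTE dropper.bin")
    return store


def demo(detected_at: int = 350) -> Optional[str]:
    """Curate the sample history and return the name of the snapshot restored."""
    store = build_sample_store()
    good = find_known_good(store, detected_at)
    if good is None:
        return None
    restored = restore_to_primary({"data": b""}, good)
    return str(restored["restored_from"])


if __name__ == "__main__":
    print(demo())  # prints snap-200
```

With detection at t=350, the newest snapshot (snap-300) is the most attractive restore point but the forensic scan flags it, so the curation step falls back to snap-200; if detection were at t=50 there would be no candidate at all, and the function returns None rather than restoring something unverified. Attempts to delete or overwrite a snapshot raise, which is the property that makes the earlier copies usable after an attacker has had administrative access.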
Cyber resilience can minimise the negative effects of a breach
As the NIS2 and DORA legislation acknowledges, whilst it may not be possible for an enterprise to completely prevent a cyber security breach, it can be fully prepared to minimise the breach's negative effects. This is what cyber resilience does for an organisation and what is behind the clever design of these new regulations.
By implementing NIS2 and DORA, enterprises in any industry can be confident that the effects of a cyber attack will be defused swiftly, with minimal disruption to ‘business as usual’.