Scaling up Europe’s cybersecurity calls for a practical blueprint

European countries must seize this moment to collectively strengthen Europe’s cyber resilience – and October 2023, the European cyber month, must mark the start of this challenge, write Marie-Pierre de Baillencourt, Olivier Vallet and Gérôme Billois.

Marie-Pierre de Baillencourt is the director of the think tank Institut Montaigne; Olivier Vallet is the CEO of the digital services company Docaposte; Gérôme Billois is a cybersecurity partner at the consultancy Wavestone.

Europe needs to develop its cybersecurity quickly. More and more critical entities and major economic players have measured the risk of cyberattacks and taken action to raise their level of security.

However, smaller organisations such as small and medium-sized enterprises (SMEs), local authorities and healthcare establishments remain vulnerable, and lack both support and resources.

Between 2015 and 2020, the annual cost of cybercrime to the global economy doubled, reaching €5.5 trillion, and SMEs increasingly bear the bulk of these damages.

Several sources estimate that up to 50% of SMEs hit by a crippling cyberattack have had to file for bankruptcy following the destruction of their IT systems and the loss of their data.

With continued digitalisation and increasingly sophisticated and frequent attacks, including AI-assisted ones, matters could rapidly get worse.

In response, Europe is preparing to apply new requirements to its most critical infrastructure from October 2024 under the second Network and Information Security Directive (NIS2).

This is certainly an imperative in the current context, but it should not eclipse the need to support smaller, more vulnerable entities in implementing the new requirements, so that our collective cyber resilience is genuinely strengthened.

Smaller entities cannot manage new requirements on their own

The NIS2 directive extends cybersecurity requirements from a small number of critical enterprises to roughly ten times as many businesses, across a broad set of sectors.

European countries have until October 2024 to transpose the NIS2 directive into national law and start enforcing it. Many of the requirements make perfect sense; the challenge lies in implementing them correctly.

Only then will these requirements genuinely boost Europe’s cyber resilience.

Yet medium-sized entities rarely make cybersecurity a priority, and when they do, four things discourage them from acting: a lack of visibility of what they actually need to do, a shortage of available skills, a lack of funding and a bewildering multitude of technical solutions.

Consequently, companies could easily find themselves faced with a large number of new obligations in a domain that few of their people understand.

Worse, if regulators strictly apply NIS2’s measures, these companies could face fines of up to 2% of their annual turnover.

Whereas the large critical companies covered by the first NIS directive (NIS1) have whole teams dedicated to cybersecurity, some of the companies now covered by NIS2 do not even have a chief information security officer (CISO), and much of their digital expertise may be outsourced to contractors.

This situation is aggravated by Europe’s critical shortage of cybersecurity experts, which makes it difficult for many smaller companies to recruit the necessary talent even when they have the means to do so.

Finding the right balance collectively

The next 12 months will therefore be key to building Europe’s digital resilience, and European governments must rise to the challenge. Before NIS2 takes effect in their domestic legislation, governments must focus on identifying measures that will help their companies actually meet these cybersecurity requirements in practice.

This entails closely listening to the needs, constraints and practical recommendations of a whole host of actors – the companies concerned by NIS2 but also industry bodies, regulators, think tanks and trade unions.

These insights will help national legislators strike the right balance between adapting the NIS2 directive to their country’s specificities when transposing it into national law, and maintaining overall coherence at the European level.

But new rules, however well adapted, will likely not be enough.

Governments must also build a set of tools and support mechanisms to help their companies implement these requirements as they come into force. These tools can then be extended beyond companies covered by NIS2, to all their suppliers and SMEs more broadly. 

Scaling cybersecurity for everyone with a more localised ecosystem

Building trusted local ecosystems of cyber professionals that companies can turn to will be key to Europe’s cybersecurity strategy.

In France, national cyber bodies have created a directory of qualified cyber professionals that companies can search by area, and have funded the creation of regional Computer Security Incident Response Teams (CSIRTs).

Luxembourg has managed to federate the country’s cyber professionals and make their expertise and resources accessible in a single centralised space.

When recruiting a cyber specialist is not an option, companies should be encouraged to nominate a “cybersecurity advisor” among their staff, such as the company’s head of finance or legal department.

Cyber experts themselves can be pooled between companies within the most suitable existing local structures (regional CSIRTs, IT providers or industry bodies), sharing their time and expertise across several companies at once.

Most importantly, governments can provide guidance on what can be done by companies of varying sizes and industries.

This could simply take the form of target checklists and “cybersecurity badges” corresponding to levels of cybersecurity. A small online retailer might opt for a lower “bronze” level, whereas a company supplying software to a large defence contractor would aim for a higher “gold” level.

The choice would be an informed one, along a scale ranging from the mandatory NIS2 requirements for regulated actors to more accessible, voluntary measures for less critical companies.

Through these target checklists, governments can encourage companies to treat cybersecurity as a strategic issue and suggest simple, actionable measures that rely on the local ecosystem of existing providers.

The UK’s Cyber Essentials scheme and Belgium’s CyberFundamentals framework serve as useful examples.

European countries must therefore seize this moment to build European cyber resilience, from the largest and most critical actors to the smallest of SMEs, and well beyond the companies covered by NIS2, to all their suppliers and the wider SME community.

They must also use this moment to raise awareness among their social and economic actors while collectively strengthening Europe’s cyber resilience. October 2023, the European cyber month, must mark the start of this challenge.
