Preparing for NIS2: Why a Multi-Layered Cybersecurity Approach is Critical

John Grennan, Eamon Gallagher & Wayne Morgan

As the cyber threat landscape continues to evolve, the sophistication and frequency of attacks are escalating at an alarming rate. This is particularly concerning for small to medium-sized businesses (SMBs), which are often perceived by cybercriminals as easy targets. With the upcoming enactment of the NIS2 Directive in October, organisations in Ireland and across the EU must reassess their cybersecurity strategies to ensure compliance. The NIS2 Directive, which builds upon the original NIS Directive, introduces stricter requirements for cybersecurity across critical sectors. This makes adopting a robust multi-layered approach to cybersecurity not just advisable but essential.

Understanding NIS2 and Its Impact on SMBs

The NIS2 Directive aims to enhance the overall level of cybersecurity within the EU by setting minimum standards for risk management, incident reporting, and supply chain security across all Member States. It applies to a wide range of critical sectors, including energy, transport, health, financial services, water supply, digital infrastructure, and public administration. These sectors are considered essential for the functioning of society and the economy, and therefore they are subject to stricter cybersecurity requirements under NIS2.

Non-compliance with the directive can result in significant penalties, including substantial fines and potential reputational damage. This underscores that cybersecurity is not merely an IT concern but a critical business imperative. The responsibility for compliance under NIS2 rests squarely on each organisation, regardless of size. This means that SMBs must also ensure their cybersecurity measures meet these new standards. With the directive set to be implemented across the EU on October 17th, businesses have a limited window to prepare and align their security strategies with the requirements of NIS2.

The Role of a Multi-Layered Approach

A multi-layered approach to cybersecurity is not only a best practice but also a strategic necessity in light of NIS2. This approach involves implementing several layers of security across your IT infrastructure, each designed to address different aspects of the cybersecurity landscape. The following sections highlight key areas that should be considered as part of any multi-layered cybersecurity strategy, whether your industry is directly impacted by NIS2 or not.

Key Focus Areas:

Network Security

  • Firewalls and VPNs: Protecting your network is foundational to NIS2 compliance. Firewalls and Virtual Private Networks (VPNs) serve as the first line of defence by controlling and monitoring traffic, ensuring that only authorised communications can occur.
  • Network Segmentation: This is a key requirement under NIS2, as it minimises the spread of threats across your network. If one segment is compromised, segmentation contains the incident so that an attacker cannot move freely into the rest of your systems.
  • Penetration Testing: Regular penetration testing is a proactive measure to identify vulnerabilities within your network before they can be exploited by attackers. Automated monthly penetration testing, as offered by IT.ie, helps ensure that your network security is consistently strong and aligns with the ongoing risk management requirements of NIS2.

Endpoint Security

  • Endpoint Protection: Ensuring that devices accessing your network are not compromised is critical. While NIS2 does not explicitly mention endpoint protection, it falls under the broader requirement for effective risk management measures.
  • Endpoint Detection and Response (EDR): EDR solutions provide real-time monitoring and response to threats at the endpoint level. This is crucial for detecting and mitigating incidents swiftly, aligning with NIS2’s emphasis on proactive threat management.
  • Mobile Device Management (MDM): MDM solutions secure mobile devices that access your network, ensuring that all potential entry points are protected.
  • Device Encryption: Encrypting data on endpoints ensures that even if a device is lost or stolen, the data remains protected. On devices running Windows Pro, this can be done with BitLocker.

Application Security

  • Web Application Firewalls (WAFs): Securing applications, particularly those handling sensitive data, is essential under NIS2. WAFs filter malicious web traffic before it reaches the application, helping to protect against exploitation of known vulnerabilities and making your applications more resilient against attacks.
  • Patch Management: Regular updates and patch management are critical in closing security gaps, making it a direct requirement under NIS2 to protect against known vulnerabilities. Your MSP will likely carry out patch management via Microsoft Intune or a Remote Monitoring and Management (RMM) service.

Data Security

  • Cloud Backup and BCDR (Business Continuity and Disaster Recovery): NIS2 mandates robust data protection measures, including regular backups and disaster recovery plans, to ensure business continuity in the event of a cyber incident.
  • Data Encryption: Both at rest and in transit, encryption ensures that intercepted data cannot be read by unauthorised parties.

Human Security

  • Cyber Awareness Training: Ongoing training is essential in mitigating human error—a common cause of security breaches. Training helps staff recognise threats like phishing and understand their role in maintaining security, supporting the principles outlined in NIS2.
  • Phishing Simulation: Regular simulations reinforce training, helping employees stay vigilant and prepared for real-world scenarios.
  • Policy Management: Establishing and enforcing security policies ensures that all employees are aligned with your organisation’s security objectives, supporting NIS2’s focus on comprehensive risk management.

Incident Response

  • Incident Response Plan: NIS2 requires organisations to have a documented incident response plan. This plan should outline steps to swiftly address and mitigate the impact of any security incidents, ensuring that your organisation can recover quickly.
  • Third-Party Risk Management: Evaluating and managing the security posture of third-party vendors is crucial under NIS2. Partnering with an ISO 27001:2022 certified MSP like IT.ie can help ensure that your supply chain security is thoroughly assessed and managed, reducing your overall risk.

Multi-Layered Cyber Security and NIS2

Guiding You to the NIS2 Directive

For those looking to explore the specific requirements of the NIS2 Directive in more detail, we recommend reviewing Articles 21 and 23, which cover the essential risk management measures and reporting obligations. Additionally, Recitals 77-85 provide context on the expected cybersecurity frameworks and the emphasis on maintaining a resilient posture across all critical sectors.

Following any security incident, you should conduct a thorough investigation to understand how the incident occurred and what measures can be put in place to prevent a recurrence. This could include strengthening security protocols, improving staff training, or upgrading security software.

Why Partnering with an ISO 27001:2022 Certified MSP Matters

Achieving NIS2 compliance can be complex, particularly for SMBs that may lack the internal resources to manage the extensive requirements. Partnering with an ISO 27001:2022 certified MSP like IT.ie offers significant advantages. While we provide the expertise, tools, and services necessary to implement and maintain a multi-layered cybersecurity strategy, the ultimate responsibility for achieving and maintaining NIS2 compliance rests with your organisation. Our role is to support you by offering solutions that align with the directive’s requirements, helping you to build a resilient security posture. However, it’s important to understand that compliance is a continuous process that requires your organisation’s commitment to regularly assess, update, and manage its cybersecurity measures in accordance with NIS2.

A coherent cybersecurity strategy is not built overnight; it evolves with the organisation. As we align with NIS2, we reinforce our commitment to not only safeguard our operations, but also to empower our clients and the business community at large.

Final Thoughts

As the cybersecurity landscape becomes increasingly complex, and with the NIS2 Directive coming into force, building a multi-layered and robust cybersecurity defence is essential for compliance and protecting your business from evolving threats. Cybersecurity is a continuous process, requiring ongoing monitoring, updates, and improvements. While the responsibility for compliance ultimately lies with your organisation, partnering with IT.ie can provide the expertise and solutions to help you strengthen your defences and achieve compliance with NIS2. Get in touch with us at hello@it.ie to see how we can support your cybersecurity journey.