35% of organizations believe the NIS Directive expectations are unclear

The European Union Agency for Cybersecurity (ENISA) released a report on information security spending for network and information security (NIS) under the NIS Directive, the first EU-wide legislation on cybersecurity.

NIS Directive expectations

The report is based on a survey of 251 organizations of operators of essential services and digital service providers from France, Germany, Italy, Spain and Poland. Eighty-two percent of those surveyed reported the NIS Directive had a positive effect on their information security.

NIS Directive implementation

The report provides input to the European Commission’s review of the NIS Directive, due on 16 December, four years after the Directive entered into force and two years after its transposition into national law.

Challenges remain after the implementation of the Directive – the lack of clarity of the NIS Directive expectations after transposition into national law was a common issue. More than 35% of organizations surveyed believe the NIS Directive expectations are unclear.

Twenty-two percent of respondents listed limited support from national authorities as one of their top challenges when implementing the Directive.

Cybersecurity investments: EU vs. US

When comparing organizations from the EU to organizations from the United States, the study shows that EU organizations allocate on average 41% less to information security than their US counterparts.

The Executive Director of the EU Agency for Cybersecurity, Juhan Lepassaar, said: “This data indicates that the NIS Directive has been a great tool to drive investments, but recognises that certain gaps still exist, and a clearer strategic framework and more elaborated approach is needed. The review of the NIS Directive is timely and can therefore address these challenges — building a stronger network and information security framework.”

Key findings

  • The average budget for NIS Directive implementation projects is approximately €175k, with 42.7% of affected organizations allocating between €100k and €250k. Slightly less than 50% of surveyed organizations had to hire additional security subject-matter experts.
  • Surveyed organizations prioritised the following security domains: Governance, Risk & Compliance and Network Security.
  • When implementing the NIS Directive, 64% of surveyed organizations procured security incident & event log collection solutions, as well as security awareness & training services.
  • “Unclear expectations” (35%) and “Limited support from the national authority” (22%) are among the top challenges faced by surveyed organizations when implementing the NIS Directive.
  • 81% of the surveyed organizations have established a mechanism to report information security incidents to their national authority.
  • 43% of surveyed organizations experienced information security incidents with a direct financial impact of up to €500k, while 15% experienced incidents costing more than half a million euro.

Guide: Security measures for IoT product development

The European Union Agency for Cybersecurity (ENISA) released its Guidelines for Securing the IoT, which covers the entire IoT supply chain – hardware, software and services.


Supply chains are currently facing a broad range of threats, from physical threats to cybersecurity threats. Organisations are becoming more dependent than ever before on third parties.

As organisations cannot always control the security measures of their supply chain partners, IoT supply chains have become a weak link for cybersecurity. Today, organisations have less visibility and understanding of how the technology they acquire is developed, integrated and deployed than ever before.

“Securing the supply chain of ICT products and services should be a prerequisite for their further adoption particularly for critical infrastructure and services. Only then can we reap the benefits associated with their widespread deployment, as it happens with IoT,” said Juhan Lepassaar, Executive Director, ENISA.

In the context of the development of the guidelines, ENISA conducted a survey that identifies untrusted third-party components and vendors, and the vulnerability management of third-party components, as the two main threats to the IoT supply chain. The publication analyses the different stages of the development process, explores the most important security considerations, identifies good practices to be taken into account at each stage, and offers readers additional resources from other initiatives, standards and guidelines.

Since IoT solutions are in most cases assembled from off-the-shelf components, introducing the concepts of security by design and security by default is a fundamental building block for protecting this emerging technology. The agency has worked with IoT experts to create specific security guidelines covering the whole lifespan of IoT devices.

These guidelines to help tackle the complexity of IoT focus on bringing together the key actors in the supply chain to adopt a comprehensive approach to security, leverage existing standards and implement security by design principles.

ENISA looking for talented cybersecurity professionals

ENISA seeks to recruit a number of talented professionals from a wide range of backgrounds, to reinforce its capacity to shape Europe’s cybersecurity future. Work opportunities at ENISA are open to nationals of the 27 European Union Member States.


Deadline for applications: 24 April 2020 at 15:00 CET
Place of employment: Athens, Greece.

What candidates is ENISA looking for?

ENISA is looking for candidates that fit into one or more of the following profiles:

Profile A: Knowledge and experience in cybersecurity on a technical, operational or strategic level, acquired through relevant academic studies, research and/or professional experience as a manager, expert, analyst, officer or IT specialist in private or public sector.

Profile B: Sectorial ICT technical or ICT policy knowledge and experience, and proven professional understanding of cybersecurity issues in one or more sectors or policy fields (e.g. transport, energy, telecommunications, financial services, utilities, health, digital services, emerging technologies etc.) or in the digital economy and society, acquired through relevant academic studies, research and/or professional experience as ICT manager, ICT expert or ICT policy officer in the private or public sector.

Profile C: Strong background in economics, law, journalism, communication, social sciences, the EU public sector, etc., with a relevant link to cybersecurity resulting in proven insight into, understanding of and interest in cybersecurity, acquired through relevant academic studies, research and/or professional experience in the EU or national private or public sector.

ENISA publishes procurement guidelines for cybersecurity in hospitals

The EU Agency for Cybersecurity (ENISA) published a cybersecurity procurement guide for hospitals.


A hospital is a vast ecosystem comprising an entire network of devices, equipment and systems that often require connections to external systems, which makes monitoring and control very hard. Given the high sensitivity of medical data and the exposure the sector faces, cybersecurity has to be applied at every step to ensure patient data privacy together with the availability and resilience of healthcare services.

A cybersecurity procurement guide for hospitals

The Procurement Guidelines for Cybersecurity in Hospitals published by the Agency is designed to support the healthcare sector in taking informed decisions on cybersecurity when purchasing new hospital assets. It describes the information to be included in the procurement requests that hospitals publish in order to obtain IT equipment.

This new report outlines good practices and recommendations for including cybersecurity as a provision in the procurement process in hospitals. Initially the report presents the set of hospital assets and the most prominent cybersecurity threats linked to them.

After categorising the procurement process in three steps, namely “Plan, Source and Manage”, it identifies the cybersecurity requirements associated with each step. To make this even easier, the guide provides suggestions for evidence on how the requirements can be fulfilled by the provider.

The EU Agency for Cybersecurity, Executive Director, Juhan Lepassaar, stated:

“Protecting patients and ensuring the resilience of our hospitals are a key part of the Agency’s work to make Europe’s health sector cyber secure”

Who can use the guide?

This report is addressed to healthcare professionals occupying technical positions in hospitals, i.e. chief-level executives (CIO, CISO, CTO) and IT teams, as well as procurement officers in healthcare organisations.

It may be of interest to manufacturers of medical devices that provide products to hospitals (medical devices, clinical information systems, networking equipment, cloud services, etc.). When these manufacturers offer services or products, they will know the security requirements that the hospital expects them to fulfil and they can provide evidence to prove it.

The current landscape for supporting innovation in cybersecurity in the EU

Innovation in cybersecurity is a key enabler to facilitate progress in the NIS industry, boost employment in the cybersecurity sector and growth of EU GDP. ENISA published a report that analyses the current landscape for supporting innovation in cybersecurity in the EU.


The study presents good practices and challenges from the Member States as they try to pursue innovation as a strategic priority of their National Cyber Security Strategies (NCSS).

“The CSA, the NIS Directive and the GDPR incentivised innovation in relevant areas of cybersecurity and data protection. To encounter current and emerging cybersecurity risks and threats, EU Member States need to strengthen and adjust their national capabilities by developing innovative solutions and objectives under their NCSS,” said Juhan Lepassaar, Executive Director of ENISA.

Different approaches to innovation

Member States follow different approaches to support innovation in the context of National Cyber Security Strategies. In some cases, Member States promote the creation of new skills and capabilities around digital competences.

In other cases, they create networks of stakeholders and give them a mandate on innovation. These networks are either government driven, such as INCIBE, the Spanish National Cybersecurity Institute, or industry driven, such as Cyber Ireland. Innovation activities are also driven by national institutions and research centres such as NASK in Poland.

Governments should align with industry needs

There is difficulty for governments to understand the needs of the industry, as well as to develop expertise in dealing with Public Private Partnerships.

To align with industry needs and identify opportunities for adopting or commercialising research outcomes, Member States need to involve industry directly in research and innovation activities.

Sector specific innovation priorities are needed

Dedicated funding mechanisms and initiatives often cover broad research and innovation objectives rather than targeting cybersecurity specifically. Supporting and developing sector-specific innovation priorities is important for coordinating alternative funding mechanisms and for developing a sectoral approach to innovation in cybersecurity.

It is necessary to take into account different cybersecurity needs across sectors and develop sector specific innovation priorities both at National and EU level.

Lengthy procurement processes

Lengthy procurement processes prevent SMEs and innovative companies such as start-ups from offering their services to the public sector. Ensuring an adequate level of funding and providing economic incentives such as tax incentives may accelerate the adoption of new technologies, products and services.

The Swedish Innovation Agency allocates a large amount of funds for innovation in cybersecurity.

Geographical clusters support innovation

Geographical clusters are important mechanisms that support innovation. There are several initiatives that bring people together, such as the Brussels initiative on Cybersecurity Innovation.

How to enhance trust for users

Promoting EU level certification of services/products would enhance trust for users within the EU and provide a stamp of approval for international markets.

Exploring the proper use of pseudonymisation related to personal data

In the light of the General Data Protection Regulation (GDPR), the challenge of proper application of pseudonymisation to personal data is gradually becoming a highly debated topic in many different communities, ranging from research and academia to justice and law enforcement and to compliance management in several organizations across Europe.


Pseudonymisation and personal data challenges

The ENISA “Pseudonymisation techniques and best practices” report discusses, among other things, the parameters that may influence the choice of pseudonymisation technique in practice, such as data protection, utility, scalability and recovery.

It also builds on specific use cases for the pseudonymisation of certain types of identifiers (IP address, email addresses, complex data sets).
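The following is an added example, not code from the ENISA report, illustrating the trade-off those four parameters describe for two of the identifier types mentioned above (IPv4 addresses and e-mail addresses). It contrasts an unkeyed SHA-256 pseudonym, which an attacker can invert by simply enumerating the small IPv4 address space, with a secret-keyed HMAC-SHA256 pseudonym that stays consistent for the same input (so records remain linkable) but cannot be recomputed without the key, and it shows a controller-held recovery table for the case where re-identification is a legitimate requirement. The key, the sample records and the address range scanned are constructed for the demonstration; the choice of HMAC-SHA256 and the domain-separation prefix are this example's design decisions.

```python
"""Pseudonymising IPv4 and e-mail identifiers: unkeyed hash vs keyed hash (HMAC).

Added example (not from the ENISA report). Key, records and the scanned
address range are constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, List, Optional

# Constructed sample records, not real data. Record 0 and 2 share the same
# identifiers on purpose: a useful pseudonym must map them to the same value.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"ip": "10.0.0.17", "email": "alice@example.org"},
    {"ip": "10.0.0.42", "email": "bob@example.org"},
    {"ip": "10.0.0.17", "email": "alice@example.org"},
]


def sha256_pseudonym(identifier: str) -> str:
    """Unkeyed hash: deterministic, but anyone can recompute it for any guess."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def invert_hash_over_network(target_hex: str, network: str) -> Optional[str]:
    """Re-identification attack against an unkeyed hash: enumerate every host in
    `network`, hash it and compare. The full IPv4 space is only 2**32 values,
    so this is feasible on commodity hardware; a /24 keeps the demo instant."""
    for addr in ipaddress.ip_network(network).hosts():
        if sha256_pseudonym(str(addr)) == target_hex:
            return str(addr)
    return None


class HmacPseudonymiser:
    """HMAC-SHA256 pseudonymiser with an optional controller-side recovery table.

    data protection: without the secret key the enumeration attack above fails
    utility:         the same identifier always yields the same pseudonym
    scalability:     stateless unless recovery is requested
    recovery:        the controller may keep a pseudonym -> identifier table
    """

    def __init__(self, key: bytes, keep_recovery_table: bool = False) -> None:
        if len(key) < 32:
            raise ValueError("use a secret key of at least 256 bits")
        self._key = key
        self._recovery: Optional[Dict[str, str]] = {} if keep_recovery_table else None

    def pseudonymise(self, identifier: str, domain: str) -> str:
        # Domain separation: the same string seen as an IP and as an e-mail
        # yields different pseudonyms, so tables cannot be cross-joined by mistake.
        msg = domain.encode() + b"\x00" + identifier.encode()
        pseudonym = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        if self._recovery is not None:
            self._recovery[pseudonym] = identifier
        return pseudonym

    def recover(self, pseudonym: str) -> Optional[str]:
        """Only the controller holding the table can reverse a pseudonym."""
        if self._recovery is None:
            return None
        return self._recovery.get(pseudonym)


def pseudonymise_records(records: List[Dict[str, str]],
                         pseudonymiser: HmacPseudonymiser) -> List[Dict[str, str]]:
    return [
        {"ip": pseudonymiser.pseudonymise(r["ip"], "ip"),
         "email": pseudonymiser.pseudonymise(r["email"], "email")}
        for r in records
    ]


def demo():
    """Returns (address recovered from the weak hash, HMAC pseudonyms consistent?,
    identifier recovered via the controller's table)."""
    weak = sha256_pseudonym(SAMPLE_RECORDS[0]["ip"])
    recovered = invert_hash_over_network(weak, "10.0.0.0/24")

    key = secrets.token_bytes(32)  # constructed per run; store it like any secret
    p = HmacPseudonymiser(key, keep_recovery_table=True)
    out = pseudonymise_records(SAMPLE_RECORDS, p)
    consistent = out[0] == out[2] and out[0] != out[1]
    return recovered, consistent, p.recover(out[1]["email"])


if __name__ == "__main__":
    print(demo())
```

Note that the keyed variant only protects the data as long as the key is protected: the same enumeration attack works against an HMAC once the key leaks, and a deterministic pseudonym remains linkable across datasets that share the key, which is a utility benefit and a re-identification risk at the same time.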


There is no easy solution

One of the main outcomes of the report is that there is no single easy solution to pseudonymisation that works for all approaches in all possible scenarios.

On the contrary, it requires a high level of competence in order to apply a robust pseudonymisation process, possibly reducing the threat of discrimination or re-identification attacks, while maintaining the degree of utility necessary for the processing of pseudonymised data.

Insight into NIS Directive sectoral incident response capabilities

An analysis of current operational incident response (IR) set-ups within the NIS Directive sectors has been released by ENISA.

The NIS Directive and incident response

The EU’s NIS Directive (Directive on security of network and information systems) was the first piece of EU-wide cybersecurity legislation. It aims to achieve a high common level of network and information system security across the EU’s critical infrastructure by bolstering capacities, cooperation and risk management practices across the Member …

The post Insight into NIS Directive sectoral incident response capabilities appeared first on Help Net Security.

Port cybersecurity: Safeguarding operations against cyber attacks

Port stakeholders are facing more and more cybersecurity challenges with the emergence of new threats, regulations and increased digitalization. Major incidents such as ransomware attacks targeting ports had a considerable impact on the economy. As such, ports must address cybersecurity as a top priority in order to ensure their safety, security, compliance and commercial competitiveness, while unlocking the full capabilities of their digital transformation. In light of increasing digital transformation of port ecosystems, the ENISA …


Smart car security: Good practices to improve car safety

The automotive industry is undergoing an evolution towards connected and autonomous vehicles. Increasingly, smart cars include added features that enhance users’ experience or improve smart car security. However, if not properly secured, such features can also be leveraged by hackers, and lead to cyberattacks that can result in vehicle immobilization, road accidents, financial losses, disclosure of sensitive data and even endanger road users’ safety. Previous attacks on smart cars helped raise automotive industry awareness of …


Create secure IoT products: Enable security by design

Good practices for IoT security, with a particular focus on software development guidelines for secure IoT products and services throughout their lifetime, have been introduced in a report by ENISA. The number of IoT devices is rising constantly, with an expected 25 billion IoT devices to be in use by 2021 according to a Gartner study. Notorious examples of IoT attacks such as Stuxnet and Mirai have led to growing concerns about the security measures …
