Cybersecurity and new legislation

Cybersecurity is no longer (and in fact never has been) owned only by large corporations, government organizations and security forces. All users of information systems and computing in general are at risk. Thousands of attacks take place every year, causing damage in the tens to hundreds of millions of crowns.

Security Threats

Enterprise IT security is a key factor in protecting the confidentiality, integrity and availability of information in an organisation. Security threats such as hacker attacks, phishing, malware and social engineering can have devastating effects on business systems and processes, which can lead not only to the aforementioned financial loss, but also very often to loss of reputation and can have legal consequences.

In the Czech Republic, cyber security is dealt with by the Cyber Security Act no. 181/2014 Coll. (ZKB) and Decree No. 82/218 Coll. These binding documents correspond with the European Directive NIS (Directive on Security of Network and Information Systems) of 2016 and concern operators of basic services and providers of digital services such as healthcare, public administration, digital infrastructure, energy, financial market infrastructure, etc. This scope has proven to be insufficient and the overall cybersecurity requirements need to be updated.

Late last year, a new NIS2 standard was issued at the European level, which will be introduced in the Czech Republic in mid-2024 in the form of an amendment to the CCL. The new NIS2 standard is, in general, a logical continuation of the already applied NIS Directive and responds to the need to ensure a sufficient level of cybersecurity for a significantly expanded range of obliged entities.

In particular, the new Directive aims to:

• ensure a sufficient level of cyber security for businesses and institutions operating in the EU,
• balance the differences in resilience between Member States and sectors,
• establish a single strategy for Member States against the most significant threats and attacks,
• enable a common response to potential crises,
• substantially expand the range of institutions that will have to comply with it.

During 2023 and the first half of 2024, public and private sector firms have time to prepare to meet the new obligations. Specifically, it is estimated that the number of mandatory organisations will rise from the current few hundred to between six and seven thousand. However, it is strongly recommended to be very concerned with cyber security at the corporate level even if the organisation in question does not fall under NIS2 and to use the new law as a guideline for implementing corporate security measures. An annotated version of the forthcoming ZKB can be found here:

https://osveta.nukib.cz/pluginfile.php/82878/mod_resource/content/1/1a_Zakon-o-kyberneticke-bezpecnosti.pdf

The NIS2 guideline in Czech translation can be found here:

https://eur-lex.europa.eu/legal-content/CS/TXT/ PDF/?uri=CELEX:32022L2555&from=CS

The OR-CZ company is currently in the final stage of preparation for certification according to the ZKB and Decree 82/2018 Coll., i.e. according to the original NIS guideline. In the process of implementing the requirements of the ZKB, we have gained considerable knowledge and experience in the implementation of cybersecurity. Our company is also a provider of a range of security tools and technologies such as firewalls, antivirus, backups, security surveillance, ethical hacking. We therefore welcome the new directive and stand ready to provide our customers with full support to implement the latest security standards and effective security practices to minimize the risk of attacks and protect their critical information and operations.

The NIS2 directive sets out a number of requirements for manufacturing companies in various industries, digital service providers, research organizations and critical infrastructure operators. Some of the most important required measures include:

1. Network security: Organisations will need to ensure that their networks and information systems are protected against unauthorised access, attack and misuse. This includes implementing security measures such as firewalls, anti-virus programs, encryption and more.
2. Identification and Authentication: Organizations will need to implement identification and authentication mechanisms for users, devices and applications. This includes two-factor authentication, passwords with high levels of complexity, and more.
3. Data Security: Organizations will need to ensure that sensitive data is protected against unauthorized access, misuse, and loss. This includes the use of encryption, data backup and other security measures.
4. Continuous monitoring: organisations will need to conduct regular monitoring of their information systems and networks to quickly identify and respond to security incidents.
5. Planning and regular testing: organisations will need to have a plan for managing security risks and regularly test their security measures.
6. Security Incident Reporting: Organizations will need to notify the relevant authorities of security incidents that may impact the protection of critical infrastructure or digital services.

OR-CZ can assist in implementing NIS2 and ensuring the security of your IT:

1. Establishing Strong Passwords: The use of strong and unique 8 passwords for all users, including administrators, is a key element of enterprise IT security.
2. Introduce multi-factor authentication: Multi-factor authentication requires users to prove their identity (beyond passwords) using several different methods, such as PINs, biometric information, security tokens, and other pre-determined information.
3. Use corporate antivirus software: Antivirus software helps protect a computer network from virus attacks and other security threats.
4. Data encryption: Data encryption is an important part of protecting data files from unauthorized access.
5. Network security: Network security measures such as firewalls, VPNs and others help protect the computer network from unauthorized access and attacks.
6. Regular software updates: Regular software updates are important to eliminate vulnerabilities and ensure that corporate IT is secure.
7. Network monitoring: Network monitoring helps detect potential security threats and helps the IT department respond to them quickly.
8. Access Restriction and Logging: Restricting access allows you to grant users access to only those resources they need to do their jobs and centrally log all access and requests.
9. Data Backup Maintenance: Maintaining data backups helps restore data after a malware attack or other damage.
10. Remote Access: Remote access gives users access to the network and files from anywhere in the world. It is important to ensure that remote access is secure.
11. Establishing the Zero Trust principle.

The last point is critical because in a nutshell it says: Everyone is the enemy and therefore:

• every source is a threat,
• every communication is potentially dangerous,
• no one is allowed to go anywhere and if they do, there must be a clear justification as to why and what they will be doing there,
• there must be records of everything,
• there are no side or unauthorized paths, every access must be authorized.

The Zero Trust Principle reflects the fact that 80-90% of all cyber security incidents are caused by so-called authorized users. Zero Trust can be thought of as a security model that focuses on ensuring that no user, device or application believes that they are automatically trusted to access any part of a network or system. This means that every user, device and application must be authenticated and authorized before they are allowed access anywhere, and this access must be logged. Zero Trust assumes that every part of the network, every server, station or application can be compromised and focuses on minimizing risk and protecting each element of the network individually.

The Zero Trust concept emphasizes the identity and authentication of the user or device, not where they are or how they connect to the network. For this reason, Zero Trust is often referred to as an "identity-centric" approach.

Organizations should adopt Zero Trust as one of the security models to meet NIS2 requirements and minimize the number of people who have access to sensitive information and systems, and should establish protocols for detecting and responding to security incidents.

The US National Institute of Standards (NIST) Zero Trust principles can be used as a starting point in building this concept, and the application of these principles has and should result in a computing environment with significant resilience against most types of attacks. The principles according to NIST are typically cited as the following seven:

1. All data sources and computing services are considered resources.
2. All communications are secured regardless of network location.
3. Access to individual organizational resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy, including observable client, application/service, and requesting asset identity state, and may include other behavioral and environmental attributes.
5. The organization monitors and measures the integrity and security posture of all owned and associated assets.
6. All authentication and authorization of resources is dynamic and strictly enforced before access is granted.
7. The organization collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

Implementation of these principles, as noted, varies widely and there is no product that provides it comprehensively. Microsoft, for example, sees migration to the cloud as a key step to ensure Zero Trust.

At OR-CZ, we build on perfect mapping of all sources and determination of the level of risk in order to eliminate the indicated unacceptable values if possible.

In practice, we design and use proven and recommended solutions that we are ready to implement with our customers. However, it certainly cannot be a static issue. On the contrary, the principles of zero trust must be constantly updated and adapted to new realities. Recent developments include the Internet of Things, artificial intelligence, high decryption performance of graphics cards and other realities