The NIS2 Directive is the EU-wide legislation on cybersecurity that came into force in 2023, following rules introduced in 2016 (NIS). NIS2 expanded the scope of sectors and entities who need to (legally) comply with the framework. The increased scope aimed to cover the “most” critical sectors, which are vital for the economy and society, though are heavily reliant on IT.

What and where is our most critical data or system(s)?

What monitoring coverage do we have of our infrastructure, people, data, and suppliers?

The simple fact(s) in cyber and information security is that there is NO right and wrong way to go about things. Yes there are frameworks / standards and guidance, which are good practices. BUT the right way for YOUR organisation may be totally different to that of another organisation. Yes you may have the same goal of strong security, but what does that ultimately mean?

Do you model Cyber Threats, depict likely attack scenarios via Attack Trees and provide those findings back in a succinct manner to those responsible for the risk(s)? Surely that’s for the proviso of large companies, with big budgets and oodles of staff? I hear you say… Perhaps, but any organisation large or small can start to model their Cyber Threats. Why?

If you have a CSP, MSSP, reseller or any other 3rd party that has access to your environment(s) and GDAP isn’t implemented, it’s likely they have the Global Administrator role by default. If your provider hasn’t contacted you about GDAP and/or implemented it already, you’d be right to question what else they haven’t done for you!?

If you’re not particular techy these acronyms may not mean much, but you can easily make checks, even if you can’t implement the fix! Read on….. One of KEEPs consultants recently assessed a client (CNI) where only 55% of their domains had the necessary SPF and DMARC configurations in place correctly. This mis-configuration allows attackers (at minimum) to easily email spoof and target your users. If you do nothing else this week, check the basics!