In his last two blogs, Brad Reinboldt, Senior Product Manager at NetAlly, looked at securing the network edge for NIS2 [1], the European Union’s latest tech laws. NIS2 has a stringent cybersecurity focus and undesirable outcomes for non-compliance. Brad covers some common but regularly overlooked areas which, if missed or ignored, could leave you feeling like you’re in a real-life Mission Impossible storyline, except with no IMF team to help you out.
That said, channelling your own inner Ethan Hunt might not be a bad thing when it comes to the edge and NIS2. The fact is that both the threats and the EU’s response share a lot of similarities with Mission Impossible: Dead Reckoning. With that in mind, we thought it was worth taking a higher-level view of why edge networks can be difficult to secure, and unpacking why every organisation, not just those in the EU, should take notice of NIS2.
The need for NIS2
You could argue that the original Network and Information Security (NIS) Directive was already somewhat out of date when it became effective in 2018 – it only applied to limited types of organisations, it lacked specifics (for measures and reporting) and left implementation to individual member states. It also lacked the kind of teeth that GDPR had, which became effective the same year, and so didn’t provide much in the way of real impetus for change.

Meanwhile the real world was dealing with ever-growing incidents of ransomware, supply chain attacks and the growing sophistication of threat actors to a level previously seen only in nation states. Rogue nations also shifted from espionage and ‘mischief’ to capabilities that could affect national infrastructure. Then enter AI-powered threats, which are game changers at every level – from social engineering, to malicious coding, and a step-change in attack speed and sophistication. All this leaves EU Inc’s digital economy open to serious harm, lawsuits, compensation claims, and a trust problem for international trading partners.
We’re all aware that geo-politics is also a driver here, but is there really something like the evil AI-powered Entity in MI: Dead Reckoning about to wreak global havoc? Only the real-life Ethans and IMFs know that. Ask a cyber security professional though, and they might tell you the Entity is still fiction, but the bulk of them will admit that the inexorable rise of cyber incidents over the last year is being driven by AI [2].
Why NIS2 matters even if you’re not an EU business
MI: Dead Reckoning brings together experts with unique skills to tackle a seemingly impossible mission against the Entity. Similarly, NIS2 is designed to create cooperation across EU member states, mandating unified policies, threat-sharing, and incident response, to secure the digital infrastructure of the world’s largest trading bloc. All well and good if you’re an EU business – but why bother even looking at NIS2 if you’re in the rest of the world?
Well, there are a few compelling reasons:
- If you trade in the EU, you must comply with its laws, which include NIS2
- If you trade with EU businesses, they will have a duty to ensure their suppliers will not put them in breach of the new laws, so you may find yourself having to comply with it to retain your EU customers
- Finally, if you don’t fit in the first two categories and your country doesn’t have this kind of legislation, it’s still good practice to see what others are doing
If you don’t think EU laws are enforceable outside the EU, just open a web page and wait for – everyone’s favourite – the privacy popup about cookies. The main reason for these is EU laws (mainly GDPR) and it’s because non-compliance risks a fine based on a percentage of your global revenue, something that NIS2 also now mandates. That level of risk tends to make boardrooms take note and introduce mitigation measures.
The final thing to consider is that when laws like NIS2 are put in place, they aren’t there to set a ‘gold standard’ – they are the new baseline, the minimum you should be implementing. Not meeting that new baseline puts you more at risk.
“We’ll Burn That Bridge When We Come to It”
Now that I’ve explained a few of the main reasons why NIS2 is important, let’s discuss those issues that make security at the edge just that bit harder to deal with.
Firstly, there’s that Ethan Hunt quote I used above, as it’s relevant in a couple of ways here. Ethan said it because he had so many challenges that he couldn’t deal with them all at once (a position no security team wants to find themselves in), but burning a bridge – shutting down a network/connection – is also a valid security tactic. It can be done virtually and in advance with strategies such as zero trust, or if you discover an in-progress attack at your edge. Neither is a perfect solution, and in the case of a data breach, isolation could be as much as 6 months too late [3].
It’s also good here to think about Ethan on the attack. Just about every mission he’s on relies on exploiting a weakness in edge security to get him where he needs to be. Less-than-friendly attackers are just as likely to do the same thing because they know the edge, and edge networks, are difficult to secure. Sure, plenty of tried and tested security measures help, but despite this, a litany of issues persists due to:
- Too many devices and device types to manage
- Gaps remain between management systems and responsibilities
- Fast changing/transient environment
In his first NIS2 blog, Brad expands on these areas to provide some more context on why they matter, and in his second NIS2 blog, he looks in more detail at the importance of discovery, and why typical approaches to it often miss the mark.
Ultimately, NIS2 has been flagged as a ‘must do’ item in the EU for some time, and it’s likely that your preparation is either (notionally) complete or well under way for core systems, process changes, and training. Ironically, 23 EU member states still hadn’t made NIS2 law at the time of writing, but that’s no reason to slow down as it’s likely that much of what’s left to do is in the ‘too hard’ pile and will take longer to deal with. And for many, that means edge networks.
Mission: Possible – Securing the Edge for NIS2
If you want to learn more about NIS2 and securing your edge networks while you’re waiting for Dead Reckoning Part 2 to be released (or just need to comply with NIS2), please join us for a panel session on February 19, 2025 which will feature insights and actionable advice from experts in this area. Register here.
If you can’t wait until February, the good news is that Brad’s blogs about securing your edge networks for NIS2 didn’t self-destruct after 5 seconds – visit our NIS2 resource page to access them and find out more now.

1: Network and Information Systems Directive 2
2: AI-Powered Cyber Attacks – The Alarming 85% Global Surge, Tech Business News Sept 2024
3: Cost of a Data Breach Report 2024, IBM/Ponemon Institute places the average time to discover a data breach at around 200 days, or 6.5 months