Beyond Compliance: Practical steps to NIS2 for Ultimate Cyber Resilience
Join us for an essential webinar that dives deep into the new NIS2 Directive, a transformative step in European cybersecurity legislation. Discover the practical controls to get you on your way to NIS2 compliance while leveraging frameworks like CIS Controls to secure your business operations and ensure resilience against evolving cyber threats.
In this webinar you’ll learn about:
- Key features of the NIS2 Directive and how to get started
- Practical strategies to enhance your cybersecurity and begin your NIS2 journey
- How to effectively implement robust cybersecurity measures that align with NIS2, while leveraging CIS Controls
Webinar transcript
Muna: So I think that we can kick off. Again, hello everyone and welcome. My name is Muna, and I head the Product Marketing team here at Atera. I’m delighted to be hosting our monthly Spotlight on Partners webinar series. Today, we are focused on a topic that is top of mind for a lot of our customers—NIS2 compliance. I’m delighted to be presenting this with our partners at ThreatDown. Eddie, who is with us, will be introducing himself in a minute. So, what we’re going to talk about today is some of the practical controls to get you on your way to NIS2 compliance, leveraging frameworks like CIS controls, which include some of the foundational security measures that you can use to achieve essential hygiene, secure your business operations, and that of your clients, and ensure resilience. Eddie is going to help us cover some of the key features of the NIS2 directive and how you can get started. We’ll talk about some practical strategies to enhance your cybersecurity and begin your NIS2 journey.
Then, we will end with some effective implementation measures that you can leverage with the CIS controls.
Muna: Before we dive in, I want to briefly share some housekeeping. This webinar is being recorded and will be made available to you within the next 24 hours. We have a great asset for you to leverage that’s available in the doc section of the webinar, and we will also send you an attachment with the recording link in the email we send out. I invite you to type your questions as Eddie goes through the presentation. We’d love to hear from you—any questions or comments. At the end of the webinar, as per our ritual, we will run a very short survey. It helps us improve and bring the topics that are top of mind for you.
Muna: So without further ado, let’s officially introduce our speaker. Hi, Eddie.
Eddie: Hi.
Muna: Eddie, tell us about yourself.
Eddie: I’d love to, really quickly. My name is Eddie Phillips. I am the Senior Channel Manager and one of our cybersecurity evangelists here at ThreatDown. I’m absolutely thrilled to be here today. My background is in security as a security analyst and a systems engineer on the enterprise side. I got out of the enterprise, started my own MSP way back in 2008, and ran that and another MSP where I was the CEO for around 14 years. I sold off my MSPs and joined what I affectionately call the dark side—the vendor side. So here I am today, and I use my position at ThreatDown to help teach MSPs, VARs, and IT professionals—whether they’re internal IT or consultants. It’s my absolute goal in life to help raise the bar, spread awareness, and build up our ability to defend our organizations from cybercrime.
Muna: Amazing, Eddie. I think there’s always that added value of being on both sides. You’ve felt the pain firsthand, you understand the business need, and you also understand what it means in terms of business continuity in every sense. So it’s great that you can give us the view of both a business owner and a vendor. The floor is yours; let’s get this kicked off.
Eddie: Fantastic. All right, I’ll start by sharing my screen. I think it should be okay. We’re loading up here. There we go, fantastic. Okay, awesome. Thanks, Muna. Everybody, welcome. This is going to be the most fun you’ve ever had talking about NIS2. I set the bar pretty low, I know. I know the challenges, I know what it’s like to wade through the details around compliance, whether it be a framework or a directive like this one. So we’re going to have some fun. I’m going to share a couple of stories, go into some details, and my ultimate goal for this webinar is to help you walk away with practical steps. That was something I always felt was challenging—when we dig into things like directives like NIS2 or different types of frameworks, it takes a lot of time investment to actually shake out where to start or how to begin that journey toward compliance.
Here’s what we’re going to do today: our agenda is to understand our IT challenges, why we’re doing this, and why there’s such a big push. We’ll prepare for the NIS2 directive and address some questions. Without further ado, I need to do one thing first, and that is a bit of a disclaimer. Today, what we’re talking about is not legal advice. I always need to stress that because of how NIS2 is evolving, changing, and how certain countries are interpreting and implementing it. You always need to check with the country that you are working through or with. So, just a bit of a disclaimer there—always make sure you verify what you’re putting into place before you move forward.
Let’s start with this: what if I told you that your organization’s biggest vulnerability really has nothing to do with your technology but your lack of preparedness when it comes to new regulations? Just think about that for a second. In most cases, as IT and security professionals, we see things like ransomware and data exfiltration as the biggest vulnerabilities that we need to protect against. But let’s be really honest—when government gets involved, when you start to look at things like different initiatives, compliance, and directives, it does become a risk for the organization because now suddenly you need to comply with those because there are some very real consequences for not having those in place. That suddenly becomes another risk, another impact to the business, and so we have to consider that, especially when the requirement to have this in place is so serious.
By the time we are done, I promise you, you’re going to have some next steps written down. You’re going to have a very clear start to your roadmap to becoming NIS2 compliant and having those first steps around that directive. Let’s go back a bit. IT and IT security have come a long way. Fifteen years ago, this is really what IT and IT security looked like: we had firewalls, which were really just glorified routers, backups, remote access, and antivirus in the days where you had to know what the virus was before you could actually defend against it. There was that gap time where someone released a new virus, and it took enough people getting impacted and taking notice before antivirus companies would begin to develop and modify their signatures in order to recognize those new viruses. Haven’t we come a long way today with integrating machine learning and protecting against zero days? Lastly, projects and tickets. The reason I bring this up is that I know it’s a real challenge when we, as IT security professionals, begin to talk to the decision-makers. A lot of decision-makers in your organization or your client or whoever you’re dealing with when it comes to NIS2, if they have an antiquated idea of what the IT challenges are, it’s going to be a bit rough. What does it look like today? It’s gotten very complex very quickly. I came up with this slide off the top of my head, and I know I could come up with two more just as full as this one. Over time, we’ve seen the complexities come out because of the new threat actors. Cybercrime, infiltration, and vulnerabilities have become a multi-billion dollar industry for threat actors, whether it be white-collar crime or state-sponsored. The challenges today have erupted into such a magnitude that we now start to see things like the NIS2 directive. We start to see hints around regulation when it comes to different organizations and the way that IT and IT security are done. You can hardly blame them for moving in this direction when you see what’s happening day in and day out.
Eddie: That was the past. I already introduced myself, so I’ll skim over this really quickly. Let’s talk about defensible answers. What are defensible answers? Defensible answers ensure that when you begin your journey, when you put controls in place, you are able to defend them. What do I mean by defend them? Let me go off on a tangent and share a quick story with you. I don’t know how many of you watching are parents, but I’m a parent. My wife and I raised my daughter; she’s older now, but raising teenagers is always a challenge. They’re not kids anymore, but they’re not quite adults, and sometimes you tell a teenager something, and you don’t understand the logic that goes on in their head. It’s a challenge.
I remember one time, I asked my daughter, “Honey, can you please do the dishes? I have to run some errands.” I went out, ran my errands, and came back. The dishes weren’t done. I asked, “Honey, what happened? I asked you to do the dishes.” She said, “Dad, I went to do the dishes, but I couldn’t find the dishwashing soap.” I opened the cupboard, moved a dish towel, and there was the dishwashing soap. Is that a defensible answer? Not really. She obviously didn’t put the effort in to get the job done.
Now, imagine if this happened differently. You ask your teenager to do the dishes, you go out, run your errands, and come back. The dishes aren’t done. You ask, “Honey, what happened?” They say, “Dad, I know how hard you work and I wanted to get the dishes done. I went to the sink, but I couldn’t find the dishwashing soap. I opened the cabinet, moved everything, and still couldn’t find it. I thought maybe it was in the laundry room, so I went there, but it wasn’t there either. I called Grandma, but she was out too. I called a friend with a driver’s license; they’re picking me up in 20 minutes to go to the store and get the dishwashing soap.” It’s a bit of a different feeling, right? The end result is the same—the dishes aren’t done—but did that kid have a defensible answer? Did they go the extra mile to achieve that goal?
Eddie: Do you have defensible answers? Do you have a mindset of defensible answers when it comes to implementing the NIS2 directive? We’re going to talk about defensible answers and setting you up for success. The reality is that it’s not if you get impacted by a cybersecurity event, it’s when and how bad. A part of this, too, is the reporting aspect. If you get to that point where you have to report, you need to have a defensible answer to make sure what you’ve put in place is effective, or at least to the point where you’ve made that extra effort and can defend what you’ve put in place.
Let’s get into it—preparing for the NIS2 directive.
Obviously, as most of you who have taken a look at this know, there’s no way I could address the entire directive in a short 30 or 45-minute webinar. So we’re going to be focusing on specific areas. The intro to NIS2 quickly reveals that it applies to a wide range of organizations. We need to be careful when working with organizations impacted by NIS2. It includes critical sectors like energy, transportation, and healthcare, but it also covers digital services. This means that even the peripherals that support core businesses are under the NIS2 directive.
When it comes to reporting requirements, reporting significant cyber incidents to the national authority is going to be a necessity. This means you need to be prepared to communicate those incidents when they happen. Having the proper documentation and logging in place is crucial. Assessing cybersecurity is big, and this is where today’s webinar will shine a light on how to be effective and assess your proper cybersecurity measures.
There’s one thing I believe and know from my own personal experience. Back in 2014, when I purchased and merged my MSP with another MSP, one of our biggest clients was hit by ransomware. It was devastating. There was an emotional and financial impact, not only on us but obviously on the company that got ransomware. There was an impact on their staff and their clients. It set me and my MSP back on our heels, and we looked at what we were doing wrong. We discovered that our security was subjective—it was based on my knowledge, my experience, and that of my team. We didn’t have a well-rounded, objective roadmap when it came to security. That’s where things like the NIS2 directive excel—they help you think outside the areas you might normally consider when it comes to security and protecting your organization.
So what are the expectations? First off, managing security risks is a big thing. Protecting against cyberattacks, detecting cybersecurity events, and having the tools to understand what’s going on in your network are crucial. You need the ability to see what’s traversing across your networks, cloud infrastructure, and internal workstations. It’s all about understanding your own environments and being able to detect what’s going on. At the end of the day, we want to minimize impacts. It’s not if you get hit, it’s when and how bad. Making efforts to minimize those impacts is absolutely key.
Today, specifically, we are going to focus a lot on Article 21. There are a total of 46 articles to guide you through NIS2, and we will touch briefly on some of the others. The main focus is around cybersecurity risk management measures—how to get started and what exactly you need to put in place. If you’re anything like me, when it comes to frameworks and directives, you look for the facts and hard answers to your questions. What do I need to do? Then, you plan it, get it done, and check it off. It can be challenging to do this when you dig into these directives, so that’s what we’ll address now.
Let me share an example. Article 21 says: “Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations, for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services.” Wow, that is the biggest run-on sentence I have probably ever read. When you read things like that, it becomes a challenge to decipher exactly what you need. You essentially need to read this section by section to understand it. So, let’s break it down a little bit.
What are the barriers to implementing cybersecurity within NIS2? Broad definitions and terms like “significant incidents” are open to interpretation. For example, a significant incident could be the loss of a laptop. Is that significant? Maybe, depending on your organization. If you have local encryption on your laptop and are 100% cloud-based, losing it is inconvenient but not catastrophic. However, if your CEO forgets his laptop on a plane, with no local encryption and intellectual property stored locally, that’s a big deal. Sector variability means different sectors interpret requirements unevenly. What’s important to healthcare may not be important to law or other sectors. Ambiguous compliance means organizations decide what counts as adequate measures of controls. Is your security objective or subjective? Over-reporting risks can lead to excessive reporting due to fear of non-compliance.
This is where CIS controls come in. Muna, do we have a poll about CIS controls?
Muna: We do. Let me see how I can open that.
Eddie: No problem. The poll is: Who has used or heard of CIS controls?
Muna: I think it says, “Are you using CIS controls today?” It should be there. I hope they can see it. I did open it.
Eddie: Very good. While you’re filling out that poll, we’ll check it in just a second. I’ll go to the next slide and talk a little bit about CIS controls—what it is, where it came from, and what it means.
CIS controls are a framework. There are many frameworks out there, like NIST CSF and others. I’m particularly fond of CIS controls, and I’ll share why. CIS controls consist of 18 different controls and 64 different safeguards contained under those controls. I know what you’re thinking: “Eddie, I’m trying to wade through NIS2, and now you want me to learn a framework with 64 safeguards?” Here’s what I like about CIS controls—they break down their safeguards into three groups: IG1, IG2, and IG3. IG1 stands for Implementation Group 1, which is your basic cyber hygiene. This is where you get started and begin to understand the first steps you need to take.
Muna: So, basically, the poll came up. I’m sorry, Eddie, there is an issue here putting it live. I see that most of our audience has said no, but about 20% have said yes. The majority have said they’re not using CIS controls today.
Eddie: All right, I’m glad I went through the intro on it. That’s where we sit with CIS controls—a very high level. It is worth digging into, and I’m going to show you how it draws the lines between NIS2 and CIS controls.
What are the practical steps? We’re going to step into the ideal way a security analyst or cybersecurity professional should begin to implement controls. Let’s set aside NIS2 and frameworks for a moment. If you’ve taken any certifications or spent a lot of time implementing cybersecurity controls, you typically understand that the first step is identifying your risks and understanding your assets. You can’t protect what you don’t know you have. Understanding the assets your organization has and evaluating the risks that can expose those assets is typically where you start.
The ideal process flow begins with identifying risks. NIS2 says you need to identify your risks and look at your assets—what’s important to your company. Then, identify the risks for those assets, figure out a risk treatment, and see how those lead into CIS controls.
Let’s do an example. Let’s say you’re identifying assets and risks inside your organization. You identify customer data and intellectual property as key assets. These are the building blocks of how you offer your product or service. One of the biggest threats is ransomware. Ransomware is a recognized threat when it comes to theft and data loss.
Muna: There’s a question here: Has the UCF performed a mapping of the NIS2 controls to the common control set yet?
Eddie: Not that I’m aware of. My focus is on cybersecurity controls around Article 21. I’ll take that question back to our resources and see if we can provide more information.
Muna: Perfect. Thank you, Andrew, for that question. If we don’t have any more questions, I want to remind everyone that we will share the recording of this webinar. You can share it with others within your organization. We will follow up on any questions that were asked here.
If you are using Atera today, we invite you to check out what we have to offer in conjunction with ThreatDown. Eddie, thank you so much for your time today and the insights you shared.
Eddie: I was absolutely honored to be here. I hope everyone got some value out of it. I’m open to discussing or answering any questions around NIS2, cybersecurity, or CIS controls. You can find me on LinkedIn and feel free to reach out.
Muna: Thank you, Eddie. For those of you who are Atera customers, please visit our App Center Marketplace. You can see all of our connectivity and integrations with ThreatDown that you can trial out of the box for 14 days. Not all SKUs are open for a 14-day trial, but definitely most of the basics are.
I don’t see any more questions coming through, which is a good sign—it means the information was clear and straightforward. Thank you all for attending today’s webinar. We look forward to seeing you in our next session. Have a great day!
Eddie: Thank you, everyone. Take care.
Muna: Goodbye.
Eddie: Goodbye.