Brussels is addressing cybersecurity. Who is affected and what needs to be done?
Tens or even hundreds of companies and institutions could face fines of up to 300 thousand euros.
Banks, insurance companies, mobile operators, energy providers, hospitals, private clinics and water suppliers had until the end of September to sign up to the Unified Cybersecurity Single Information System (Jednotný informačný systém kybernetickej bezpečnosti) operated by the Slovak National Security Authority (Národný bezpečnostný úrad).
This is enforced by the Act on Cyber Security, which came into effect on 1 April 2018. The NIS Directive (the EU directive on security of network and information systems), effective from 10 May 2018, is incorporated into this law. “NIS should contribute to global cybersecurity. It introduces security requirements for key companies and institutions which hold databases containing sensitive information or provide key services for the operation of households, companies or the state,” says Pavol Draxler, security manager at Binary Confidence, a company which provides protection against cyberattacks.
Hundreds of companies and public institutions had half a year from the law’s introduction to register in the Registry of Operators of Essential Services or the Registry of Digital Service Providers. Should they fail to do so, they face substantial fines from the Slovak NSA. In mid-October, the NSA urged the affected companies and institutions to send a completed registration form with the necessary attachments without further delay.
The registration form should be sent by all organisations that can answer yes to any of the following questions:
– Are you a bank or are you lending money?
– Are you a hospital, a private health centre or other health care provider?
– Are you a supplier of energy for businesses and households?
– Do you supply drinking water and is this your primary business activity?
– Are you a top-level domain registrar?
– Are you running a service that is an element of critical infrastructure?
Everyone who provides a service defined in Annex No. 1 of the Act on Cyber Security is required to register in the Registry of Operators of Essential Services, and must research the potential impact of a cybersecurity incident on any of their provided services which are dependent on network and information systems (per Decree No. 164/2018). Any company that provides an online marketplace, an internet search engine or cloud services while employing at least 50 staff and having an annual turnover or total annual balance of over 10 million euros is required to register in the Registry of Digital Service Providers.
Registration is only the first step towards ensuring cybersecurity. Companies and institutions then have two years to take further measures to secure their IT systems and report cybersecurity incidents. “Those who fail to do so become easy targets for attackers or hacking groups. As a result, people may, for example, lose their water supply or medical records,” warns Pavol Draxler.
In many cases, it’s better to turn to experts in this field; much like GDPR, this is a relatively demanding process. “We can implement these measures using SOC – our security operations centre. Alongside cutting-edge technology for prevention, detection, analysis and then response to cyberthreats, our SOC is made up of a highly qualified team of experts,” explains Pavol Draxler of Binary Confidence.
Binary Confidence offers its clients the possibility of connecting their entire infrastructure to a single monitoring centre, where security is comprehensively ensured by a team of professionals. The service consists of connecting devices such as servers, routers, firewalls, IDS/IPS, SIEM and workstations and sending their logs to the SOC. “In this centre, logs are evaluated by our SIEM system and security incidents addressed by our trained employees, with a focus on active security monitoring,” adds Pavol Draxler.
With access to logs from servers, network devices and DLP tools, the Binary Confidence SOC team can detect not only the presence of an attacker in the client’s network, but also cases where an attacker is still trying to hack into the client’s network. Monitoring also includes oversight of the entire IT environment, including for example the flow of data between employees.