How Log4j has primed organisations for the EC’s proposed cybersecurity recommendations 

by uma

By Carlos Morales, SVP, Solutions, Neustar Security Services


In March of this year, the European Commission proposed new cybersecurity and information security regulations aimed at protecting its institutions, bodies, offices and agencies. Specifically, the EC noted that the proposals were constructed “to bolster their resilience and response capacities against cyber threats and incidents, as well as to ensure a resilient, secure European Union public administration, amidst rising malicious cyber activities in the global landscape.”

The proposed cybersecurity rules come on the heels of the discovery of Log4j-related vulnerabilities in December 2021 — a serious security flaw that continues to occupy organisations of all stripes and in all corners of the world. Though alarming for its sheer ubiquity and entrenchment, the Log4j debacle has forced enterprises to pause and rethink their approaches to cybersecurity, a process that may well be helping these organisations be better positioned to adapt to the EC’s potentially stricter controls.

Why elements of the EC cybersecurity plan matter

With its proposed cybersecurity rules, the EC is recognizing that all EU institutions, bodies, agencies and offices are operating in a highly connected environment, and a single security gap can have far-reaching impacts. If adopted, the proposed rules would demand that all EU entities adhere to common standards, chief among them “a framework for governance, risk management and control in the area of cybersecurity,” “a baseline of measures addressing the identified risks,” a commitment to conducting maturity assessments at regular intervals, and a leadership-approved plan for improving cybersecurity.

Although the proposed rules are intended for EU administration, it is not farfetched to believe that the rules would reverberate throughout the bloc and demand wider adoption. EU entities, like other organisations, have not been immune to the increased pace of digitization or the competition for talent to keep abreast of both technological advancements and rapidly evolving cybersecurity threats. Companies contracting with EU entities could be held to the new, higher standards and subject to greater scrutiny overall. To maintain their status as third-party partners, they would likely need to demonstrate a comparable commitment to cybersecurity measures.

How Log4j is helping organisations improve cybersecurity

The EC is not alone in its concerns about attack surfaces expanding as interconnectivity increases and the risks posed to the public and critical systems. Organisations worldwide are concerned that they, and by extension their customers, have risk exposure due to increased integration with third-party providers. 

In a Neustar International Security Council (NISC) survey of global information technology professionals conducted in July, three quarters of respondents (76%) said they view supply chain risk as a top security priority for their organisation, while nearly as many (73%) feel their level of exposure is somewhat or very significant due to greater integration. 

Unearthing and patching Log4j vulnerabilities have proven to be time- and resource-intensive efforts, but organisations appear to be using the exposure as a teachable moment. According to the NISC survey, the Log4j vulnerability and other attacks have spurred 77% of organisations to increase the rigor of due diligence for their external managed service providers and partners. Nearly as many (74%) have witnessed their MSPs and partners responding in a similar vein, upping their own due diligence game. Respondents also largely expressed confidence (72%) in the contingency plans their organisation has in place in the event a critical service provider experiences an attack that disrupts service and puts them at risk.

In the wake of Log4j, IT professionals are re-evaluating a host of security-related issues, from software supply chain security practices and software purchasing decisions to their existing vendor relationships. Under proposed EC rules, such review should become a routine and integral component of a robust cybersecurity program. 

In addition to considering practices and relationships, entities should also inventory their assets and their value — both to the enterprise and to bad actors — while developing a keen understanding of vulnerabilities. Accurately determining their current state can provide organisations with a baseline from which to operate and improve over time.

International governments responding to increasing threats

As all security professionals know, time is of the essence in cybersecurity-related matters. The ENISA Threat Landscape 2021 report notes that cybersecurity attacks increased in 2020 and 2021 across virtually all measures — vectors, numbers, sophistication, complexity and impacts. The adoption of hybrid work environments and the growing reliance on online and cloud-based solutions have only served to expand the attack surface, and there is little indication that this trend will reverse itself. Organisations should not delay in adopting stricter policies to protect themselves and their clientele. 

National and international governmental organisations, according to the ENISA report, have already taken proactive measures, increasing their efforts to disrupt and take action against bad actors. The proposed rules from the EC could help to bolster international governments’ arsenal in fighting cybercriminals as various entities — including critical third-party partners — work to adopt common standards and pursue the collaboration and coordination that is integral to overpowering cybercriminals.
