By Carlos Morales, SVP, Solutions, Neustar Security Services
In March of this year, the European Commission proposed new cybersecurity and information security regulations aimed at protecting its institutions, bodies, offices and agencies. Specifically, the EC noted that the proposals were constructed “to bolster their resilience and response capacities against cyber threats and incidents, as well as to ensure a resilient, secure European Union public administration, amidst rising malicious cyber activities in the global landscape.”
The proposed cybersecurity rules come on the heels of the discovery of Log4j-related vulnerabilities in December 2021 — a serious security flaw that continues to occupy organisations of all stripes and in all corners of the world. Though alarming for its sheer ubiquity and entrenchment, the Log4j debacle has forced enterprises to pause and rethink their approaches to cybersecurity, a process that may well be helping these organisations be better positioned to adapt to the EC’s potentially stricter controls.
Why elements of the EC cybersecurity plan matter
With its proposed cybersecurity rules, the EC is recognizing that all EU institutions, bodies, agencies and offices are operating in a highly connected environment, and a single security gap can have far-reaching impacts. If adopted, the proposed rules would demand that all EU entities adhere to common standards, chief among them “a framework for governance, risk management and control in the area of cybersecurity,” “a baseline of measures addressing the identified risks,” a commitment to conducting maturity assessments at regular intervals, and a leadership-approved plan for improving cybersecurity.
Although the proposed rules are intended for EU administration, it is not far-fetched to believe that the rules would reverberate throughout the bloc and demand wider adoption. EU entities, like other organisations, have not been immune to the increased pace of digitisation or the competition for talent to keep abreast of both technological advancements and rapidly evolving cybersecurity threats. Companies contracting with EU entities could be held to the new, higher standards and subject to greater scrutiny overall. To maintain their status as third-party partners, they would likely need to demonstrate a comparable commitment to cybersecurity measures.
How Log4j is helping organisations improve cybersecurity
The EC is not alone in its concerns about attack surfaces expanding as interconnectivity increases and the risks posed to the public and critical systems. Organisations worldwide are concerned that they, and by extension their customers, have risk exposure due to increased integration with third-party providers.
In a Neustar International Security Council (NISC) survey of global information technology professionals conducted in July, three quarters of respondents (76%) said they view supply chain risk as a top security priority for their organisation, while nearly as many (73%) feel their level of exposure is somewhat or very significant due to greater integration.
Unearthing and patching Log4j vulnerabilities have proven to be time- and resource-intensive efforts, but organisations appear to be using the exposure as a teachable moment. According to the NISC survey, the Log4j vulnerability and other attacks have spurred 77% of organisations to increase the rigour of due diligence for their external managed service providers and partners. Additionally, nearly as many (74%) have witnessed their MSPs and partners responding in a similar vein, upping their own due diligence game. Respondents also largely expressed confidence (72%) in the contingency plans their organisation has in place in the event a critical service provider experiences an attack that disrupts service and puts them at risk.
In the wake of Log4j, IT professionals are re-evaluating a host of security-related issues, from software supply chain security practices and software purchasing decisions to their existing vendor relationships. Under proposed EC rules, such review should become a routine and integral component of a robust cybersecurity program.
In addition to considering practices and relationships, entities should also inventory their assets and their value — both to the enterprise and to bad actors — while developing a keen understanding of vulnerabilities. Accurately determining their current state can provide organisations with a baseline from which to operate and improve over time.
International governments responding to increasing threats
As all security professionals know, time is of the essence in cybersecurity-related matters. The ENISA Threat Landscape 2021 report notes that cybersecurity attacks increased in 2020 and 2021 across virtually all measures — vectors, numbers, sophistication, complexity and impacts. The adoption of hybrid work environments and the growing reliance on online and cloud-based solutions have only served to expand the attack surface, and there is little indication that this trend will reverse itself. Organisations should not delay in adopting stricter policies to protect themselves and their clientele.
National and international governmental organisations, according to the ENISA report, have already taken proactive measures, increasing their efforts to disrupt and take action against bad actors. The proposed rules from the EC could help to bolster international governments’ arsenal in fighting cybercriminals as various entities — including critical third-party partners — work to adopt common standards and pursue the collaboration and coordination that is integral to overpowering cybercriminals.