Rapid digital transformation has had a significant impact on companies in every industry, introducing new opportunities for enhanced collaboration, communication, and alignment. However, the evolution of the modern technology stack has also introduced new challenges and threats.
Cyberattacks are growing more sophisticated and commonplace. As companies rely more on unified communications (UC) tools to connect distributed workforces and share data, these platforms are becoming a central target for criminals. Recognising this, the European Union has legislated to strengthen the security of the modern technology stack.
The NIS2 Directive sets out a new range of obligations intended to align cybersecurity practice across sectors and member states. Meeting these obligations will be complex, but it is also central to defending unified communications systems against emerging threats.
Here’s how NIS2 will affect the UC industry.
What is the NIS2 Directive and What Does it Accomplish?
The NIS2 Directive (Directive (EU) 2022/2555) is not a product but EU legislation: it sets out a baseline of cybersecurity risk-management measures that in-scope organisations must implement. Though it does not focus on UC specifically, it requires organisations to take a broader approach to building a proactive security culture, monitoring data security, and preparing for incidents they have not foreseen.
Member States had to transpose NIS2 into national law by 17 October 2024. From that point, organisations that fall into scope as "essential" or "important" entities (the directive covers the sectors listed in its annexes, not every company in every industry) need to have implemented its measures or face significant fines: up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities.
Adhering to these guidelines will require a comprehensive approach to implementing risk management practices, enhancing the security of supply chains, and following stringent guidelines for incident reporting. These measures will need to be considered with all forms of technology implemented into business practices, including UC tools.
The overall aim of this new initiative is to enhance security measures, protect network and information systems from increasing cyber threats, and improve business resilience. Though the implementation of the new standards will require a complete overhaul of security practices for many organizations, it will also help to enhance consumer trust, and minimize risk for modern teams.
The Impact of the NIS2 Directive on UC
Research from the European Union shows that essential and important entities do not always operate comprehensive security operations centres, leaving them slower to detect and respond to incidents. NIS2 gives national supervisory authorities more power to monitor and enforce compliance with a baseline of risk-management measures (Article 21 of the directive), covering areas such as access control, system integrity, data protection, incident detection and response, supply-chain security, cryptography, and multi-factor authentication.
"NIS2 isn't just about compliance; it's about setting a new standard in cybersecurity across the UC sector. Our expertise enables organizations to seamlessly adopt these regulations, turning potential challenges into opportunities for enhanced security and customer trust," says Scott Allendevaux, Practice Lead at Allendevaux & Company.
In the UC landscape, this means both UC vendors and the organisations that use their platforms will need to adopt new measures to avoid fines and service disruption, including:
Conducting More Comprehensive Risk Assessments
Internal audits become more important under NIS2, requiring organisations to review their quality management systems, information security controls, and cloud privacy controls on a regular schedule. After establishing which sector or sub-sector the organisation belongs to (and therefore whether it is treated as an essential or important entity), business leaders will need to follow the corresponding risk-assessment requirements.
These assessments will be necessary to ensure companies can effectively identify potential threats and vulnerabilities in their UC ecosystem, as well as the wider technology stack, including all systems integrated with a UC landscape. Comprehensive assessments will also help companies to prioritize risk mitigation efforts, based on their discoveries.
Implementing New Security Policies
Based on their internal assessments, entities in the UC landscape will need to implement organisational and technical measures that mitigate the risks identified. In practice this may mean regular penetration testing of UC platforms and their integrations, and new policies for benchmarking infrastructure configuration against a hardening baseline and checking it for drift.
It could also include vendors working more closely with security service providers, for example by adopting data protection as a service to maintain compliance over time. Entities will need to define clear objectives, roles, and responsibilities for maintaining their NIS2 programme, and document how they enforce system integrity and access control, including multi-factor authentication, which the directive names explicitly.
Updating Incident Response Plans
"Preparedness" is a core component of NIS2: every in-scope entity must have an incident-handling process in place. In the UC landscape, organisations need defined procedures for detecting, reporting, and mitigating cybersecurity incidents. Reporting is time-boxed under Article 23: a significant incident must be flagged to the competent authority or CSIRT with an early warning within 24 hours, a fuller incident notification within 72 hours, and a final report within one month.
This also requires businesses to train their incident response teams so that staff can handle incidents effectively, and to test and update incident response plans regularly, using tabletop exercises and simulations to find and fix weaknesses before a real incident exposes them.
Protecting the Supply Chain
The breadth of NIS2 demands greater attention to the threats that arise from the complex supply chain behind unified communications. Companies and vendors will need to assess, and periodically reassess, the cybersecurity risks associated with UC service providers, third-party integration developers, and the carrier and network providers they depend on.
Clear security requirements and contractual obligations will need to be established for suppliers to ensure they meet NIS2 standards. Businesses will also need metrics and KPIs with which to regularly measure the effectiveness of both their own controls and those of their UC partners, providers, and integrators.
Ongoing Adaptation
To remain compliant with NIS2, organisations will need to develop cybersecurity training programmes for every employee, tailored to their roles and responsibilities; the directive also requires members of management bodies to undergo such training themselves. A robust approach to raising awareness of cybersecurity, with training that is kept current, will be essential.
Additionally, organizations will need to regularly review and update their cybersecurity strategy as their UC landscape evolves, along with potential threats. Fostering a culture of continuous improvement, assessment, and development will help to mitigate ongoing risks.
The Evolution of Security in Unified Communications
Maintaining strong cybersecurity measures has become increasingly important for companies in recent years as regulations and threats evolve. In the UC industry, adhering to the new requirements imposed by NIS2 this year will require entities to take a comprehensive approach to everything from business continuity and data protection to incident management.
“With the enforcement of the NIS2 Directive imminent, unified communications sectors must overhaul their cybersecurity frameworks. Our role is to ensure that businesses not only comply with these new standards, but also fortify their defences against evolving threats.”
- Scott Allendevaux, Practice Lead at Allendevaux & Company.
Working with a security consultancy such as Allendevaux can give entities more control over their security strategy, with services covering cybersecurity, incident reporting, internal auditing, and data protection as a service. Allendevaux also publishes a NIS2 Applicability Exercise for organisations assessing whether they fall into scope.