National Cybersecurity System
Security of Key / Digital Services is “achieving an appropriate level of security of information systems used to provide services and to ensure incident handling” (quotation from Art. 3 of the Act).
Therefore, we must be aware of all the areas necessary to ensure security.
We can say with certainty what cybersecurity is not:
- it is not the implementation of a SIEM system,
- it is not the establishment of a SOC / CSIRT,
- it is not the deployment of advanced security monitoring tools,
- it is not merely defining attack vectors and reaction procedures,
- it is not any single activity referred to so far in the literature on the implementation of the NIS Directive.
Unfortunately, the implementation of the NIS Directive (and thus the Cyber Act) is very often understood simply as the effective implementation of a company Security Operations Center (SOC).
A SOC is only one of the threads of effective cybersecurity. It is certainly a new one in our country, as is the idea that institutions and companies, often competing with each other, share information about dangerous incidents with trustworthy entities.
It will certainly take a long time just to convince all interested parties to show their weaknesses. Hence, it seems to us, the tendency to oversimplify the topics covered by the Cybersecurity Act.
Meanwhile, the first paragraph of Chapter 3 of the Cyber Act specifies the obligations of operators of essential services as follows: “The operator of the key service implements a security management system in the information system used to provide the key service” [Art. 8 of the Act]. The Act then spells out what this means.
It requires: the implementation of risk management principles, the implementation of security measures appropriate and proportionate to the risk, incident management, the use of secure means of communication, secure management of systems, and the monitoring of information on threats and vulnerabilities.
The scale and complexity of cyber attacks increase every year. This is confirmed by data from the Cybersecurity Barometer survey conducted by KPMG. In 2017, 82% of enterprises operating in Poland experienced at least one security incident. According to Cisco, 45% of cyber attacks in our country have caused losses of more than $100,000. Interestingly, most companies were optimistic about the maturity of their security measures, which may result from underestimating the risk.
The most common mistakes that expose businesses to cyber attacks include: too many cybersecurity systems, too few cybersecurity specialists and too much freedom for employees, non-compliance with corporate cybersecurity rules and practices, no backup and disaster recovery policies, and no access to archival cybersecurity data.
According to data protection specialists, acts of cyberterrorism are closely related to employee mistakes, failure to implement adequate security, and the adoption of technologies, including cloud technologies, without much reflection on security. Therefore, it is worth developing procedures and considering what to do in the event of a cyber attack on the company, the processed data and the network, as well as data protection strategies and organizational structures. In a crisis situation a quick response is essential, so it is advisable to design and implement early warning systems that take into account the activity of all employees and departments. Cybersecurity is a multi-level process, and it is worth combining appropriate risk management with raising the awareness of all members of the organization.
Legal requirements are not up for discussion. You must fulfill them. The project of implementing the requirements of the Act on the National Cybersecurity System thoroughly addressed the roles, responsibilities and security processes in the Company. The developed documentation, risk assessment processes, audits and monitoring of IT / OT systems completed these tasks.
The biggest challenge under the Act on the National Cybersecurity System was the implementation of tools that could effectively monitor the security of both IT and OT infrastructure.
Everyone needs the right motivation to work. When it comes to meeting legal requirements in everyday work, motivation is probably the most important factor, and the specter of vaguely defined penalties is not always enough. The implementation of an appropriate structure of roles and responsibilities allowed for the creation of a self-regulating management system that, with the help of intelligent team members, can solve the biggest problems.
Related blog articles
The National Cybersecurity System (Krajowy System Cyberbezpieczeństwa) sets out requirements for operators of essential services and digital service providers. What are these requirements, described rather sparingly in the Act? What does the Act itself say about how to ensure the security and continuity of essential services?
A common problem for organizations is providing an internal communication channel that is effective and guarantees proper accountability, e.g. for handling data subject requests or for reporting and handling personal data breaches.
How long does it actually take to identify and fulfill data subject rights? Does our record of processing activities support fulfilling those rights? Can we automate the processes for fulfilling data subject rights?