IT security: quick wins for SMEs

18.09.2023

Businesses don’t give enough thought to IT security, something the NIS2 directive aims to change. What does this directive mean for SMEs and what are the quick wins that will boost your IT security overnight? Our experts explain. 

The EU’s Network and Information Security (NIS2) directive aims to oblige member states to enhance their cybersecurity maturity by imposing a series of IT security requirements on organisations in critical sectors. NIS2 – an expansion of the existing NIS directive – will have to be transposed into Belgian law by the end of 2024.

Even if your company isn’t active in a critical sector, you will still be faced with NIS2, for instance through customers who are subject to the new directive. Moreover, most of the measures cover generally accepted security principles that every organisation should be implementing anyway.

We talked to Aubrey Beelen and Ruben Cools, respectively Product Manager and Solution Architect at BKM-Orange, the ICT integrator of Orange Belgium. They explain the importance of risk analysis and identify several quick wins in terms of IT security. 

A key element of good IT security is risk analysis. Are businesses aware of this?

Ruben: Not all companies think of performing a risk analysis, but the NIS2 directive’s emphasis should help raise awareness. The risks are different from one company to the next. What poses a severe threat to one business is not necessarily dangerous to another. That’s why it’s so important for businesses to take their responsibility and identify their own vulnerabilities. In our capacity as IT partner, we can provide support by proposing best practices and potential solutions for problem areas. But in the end, it’s up to the customer to decide which risks to tackle first based on risk level and what can be done within the margins of the available budget.

Are those problem areas and priorities always straightforward?

Aubrey: Not always, even though it’s important to fully expose the vulnerabilities in your company’s IT security. Especially with new customers, we don’t always have a proper insight into how they work, the structure of their network and the security measures they are already implementing. That’s why we often perform an assessment first and then draw up a report. This report includes general quick wins to improve their security, and it also allows us to give advice on which specific long-term investments may prove useful. 

What are the most interesting quick wins for SMEs in terms of IT security?

Aubrey: You can boost the overall security level of an SME in the short term by raising awareness. Most major cyber incidents are caused by human error. The more employees are aware of the importance of cybersecurity and their own role in the process, the more the risk of incidents is minimised.

Are there also technical solutions that can have a significant and immediate impact?

Ruben: Definitely. Three important technical solutions are multi-factor authentication, tools that implement the Zero Trust model, and monitoring applications.

Aubrey: Cyber incidents are often caused by leaked user accounts or passwords. Multi-factor authentication can considerably reduce the risk of misuse because in addition to a password, authentication requires a second component.

Ruben: Zero Trust solutions allow us to quickly and continuously verify whether the devices the users work with are safe. As soon as a device is infected with malware or no longer meets the required safety standards, all access to company information via that device is revoked. 

Aubrey: As for monitoring applications, they increase detection capability. When a cyberattack is launched, it’s important to detect it as early as possible. The faster you react, the more the damage can be limited or perhaps even prevented altogether.

But this is only possible when someone monitors these tools, right?

Aubrey: That’s right. Businesses that invest in the tools need someone to ensure permanent monitoring. For many SMEs, it’s not feasible to hire an employee who can spend all their time monitoring the security situation. However, these firms can call on IT partners who offer monitoring as a service. This is a fairly simple way of recruiting an extra pair of eyes to help monitor your security situation.

Do businesses know how to react in the event of a security incident?

Aubrey: Companies often have no idea what steps to take when faced with a security issue. As an IT partner, our significant experience with these matters enables us to take the burden from our customers. We do this by offering a framework that tells them what to do in the event of trouble and what we can do to help their company become operational again in the aftermath of an incident. This framework can also prepare them for the reporting obligation the NIS2 will introduce.

Should all businesses take the NIS2 directive into account?

Ruben: First of all, the NIS directive is intended to encourage companies in crucial sectors such as energy, banking and healthcare to implement certain security measures to protect their network and information systems. In addition, NIS2 also expands to other key sectors, as a result of which SMEs can also fall under the directive. But it’s really nothing new: the measures NIS2 requires are for the most part widely accepted security principles every organisation should already be implementing. Nevertheless, there are still those organisations that only start to think about cybersecurity after being confronted with an incident. I hope NIS2 gives these organisations the nudge they so desperately need.

Would you like to boost the security level of your SME? Discover the solutions Orange has to offer. 
