Intelligence assured

Today, there are many suppliers of different information security solutions. But do you know how future-proof the solution you choose to invest in actually is? Who is responsible if your solution is hacked in a few years?

Weaknesses are exploited by hackers

Recently, Cisco, a major provider of various IT solutions, agreed to pay a large sum in fines for having sold a video surveillance software that they knew contained a critical vulnerability. According to the indictment, Cisco continued to sell the software for four years, without addressing a major security vulnerability that a whistleblower warned them about as early as 2008.

Hospitals, airports, schools, and state governments were among the customers and Cisco is now forced to pay $ 8.6 million.

The weakness meant that hackers not only could spy on the video recordings, but they could also turn on or off surveillance cameras, remove recordings and even break into other connected physical security systems such as alarms or locks. All without being discovered. According to the indictment, the weakness was also easy to find and exploit.

Digital responsibility

The lawsuit against Cisco is the first in the United States where a company has been forced to pay for having marketed and sold products without adequate cybersecurity protection. The question this arises is: Who has the digital responsibility?

In order to take your digital responsibility, you need to work with information management and digital security in a proactive and sustainable way. This applies today to all companies and especially organisations that handle sensitive and or secret information. But of course, this also applies to businesses that sell different solutions to manage information security and for them it is also important to work with a longer commitment, future-proof solutions.

Future-proof security solutions

To ensure that the solutions you offer your customers are future-proof, you must watch out for published vulnerabilities that might affect the security of the solution. If something is discovered, the incident must be handled and measures that reduce or remove the risk should be developed. Therefore, to ensure that your information security solution is future-proof, it is important that you ensure that your supplier has a working method that means that they will continue to be digitally responsible. Do they provide security updates throughout the product life cycle? Is their product/solution future proof? These are important questions you need to ask your supplier.

Advenica offers cyber security solutions that meet the highest security requirements and our product development therefore differs from traditional development work in different ways. With us, future-proof is an important part of what we call "Product development with high assurance" and is something that is self-evident to us.

Feel free to contact us to hear more about how we can make your information security future proof.

If you want to read more about how our product development helps us take our digital responsibility, you can download our White Paper # 08 "High assurance product development".

You can also read more about how we look at digital responsibility here and in our White Paper # 05 "Digital responsibility - the only viable way forward".
 

The purpose of the NIS directive is for providers of essential services to work with risk-based security. This entails, among other things, requirements for both a reporting obligation for incidents as well as continuous work in a structured and methodical manner according to accepted standardized frameworks. Safety assessments and subsequent action plans must also be documented and monitored annually. How is this work progressing in your organisation? Have you started to work for compliance with all the requirements? 

The background and purpose of the NIS Directive

Digitisation not only enables business opportunities but also creates more attack vectors for business information and systems. In recent years, the number of cyberattacks have increased substantially, and behind them are not only criminals and hackers, but also state-supported actors who have great endurance and substantial resources.

In response to this development, the EU adopted the NIS Directive (The Security on Network of Information Systems) in 2016, a regulatory framework that translates into national legal requirements in all member states. The purpose of the directive is to establish a security standard in the digital world; a standard that protects the infrastructure that builds our society and our economy.

Which companies are affected by the NIS Directive?

The directive aims to select selected providers of essential services as well as certain providers of digital services to take security measures to deal with potential risks and incidents in their IT infrastructure. If your organisation provides essential services in the sectors of energy, transport, banking, financial market infrastructure, healthcare, water supply or digital infrastructure, then you are likely to be covered by the NIS directive and need to follow its rules.

Has your organisation started the work required by the NIS Directive?

The NIS Directive imposes several requirements on the organisations concerned, including the following:

• The organisation has an obligation to notify the supervisory authority that they are affected by the NIS regulation
• The organisation must continuously work structured and methodically with information security according to accepted standardized frameworks (ISO 27000 standard or equivalent)
• The organisation must take appropriate security measures
• The organisation shall document and annually follow up Security analyzes and subsequent action plans
• The organisation has a reporting obligation in the event of incidents

How is this work progressing in your organisation? Do you know how to go about conducting security assessments and choosing appropriate security measures?

We can help you comply with the NIS Directive

Advenica has a long experience with analyzing the security of solutions and products with the specific purpose of identifying the necessary countermeasures and measures to ensure stability. We can help you ensure that the data and critical information you own and manage is well protected.

When you start working with security protection, the first step is to carry out a security protection analysis. Identifying the most important information assets of the business also identifies the measures that need to be taken in order of priority. A good way to do this is by using our risk and security analysis.

With the business in focus, this analysis gives you a comprehensive picture of digital business flows with the aim of realizing the value chain's potential and identifying opportunities for cost savings. This while ensuring protection against unauthorized access to systems and information, as well as law and regulatory compliance.

The analysis gives you an overview of cyber security in the company's business context. You get suggestions on approaches and priority areas to work on to reach full digital potential - today and tomorrow. In this way you can ensure that you comply with the requirements regarding security analyzes and security measures in the NIS Directive.

Interested in a risk and security analysis? Contact us here.