NIS2: postponed, but no less urgent!
When it was announced that the introduction of the European NIS2 directive was being postponed, a number of organizations may have breathed a sigh of relief. The pressure of 'suddenly' having to take security measures, and of having to demonstrate that they had, seemed to ease for the time being. This decision by the government does not send a good signal, however: the postponement of NIS2 can reinforce the idea among organizations that taking the mandatory measures is less urgent.
Although we can understand this line of thinking, it is certainly not the right one. Cyber risks remain, and cybercriminals do not pause their activities either. Cyber attacks are still the order of the day, whether they are financially motivated or (very topical right now) carried out by state actors to gather intelligence about our country, organizations or individuals.
If your organization has never been affected, these attacks and their impact may seem far away. Yet you know that your organization can be hit too, and prevention is always better than cure. So why are some organizations postponing putting their security in order? What are the causes of this? And what measures should you actually take?
Low sense of urgency: why is that?
In many organizations where no cyber incident has occurred yet, a sense of security can arise: after all, everything seems to be under control. In addition, some companies rely on their cyber insurance, assuming that they are well covered in the event of an incident. What is not always taken into account, however, is that insurers only pay out if the organization meets specific security requirements. Moreover, it is important to realize that digital security is not just a cost: protecting crucial data and systems is essential for the continuity of the organization and for the confidentiality of information about employees, patients, citizens and clients. Data loss or theft can have far-reaching consequences that cannot be expressed in financial terms alone.
In boardrooms, cyber risks often do not (yet) receive the same attention as other strategic topics. Executives without technical knowledge may find it difficult to assess the risks properly and rely on the expertise of their CISOs and IT managers for their digital security. However, a shared understanding of the risks is crucial for an effective approach.
In addition, the focus within organizations is often on short-term goals, such as operational efficiency and profitability. Whether this is wise is a completely different topic and could make an interesting blog post of its own. Unfortunately, this short-term focus causes investments in digital security to be seen as less urgent, especially when they do not seem to deliver directly measurable returns.
In summary: is there no immediate threat, and is the government now also postponing the entry into force of the NIS2 regulations? Then, for the reasons mentioned, the sense of urgency fails to materialize. This is exactly what we must guard against together.
Prioritizing cybersecurity? Take these 4 measures
As an organization, you don't want to put the cart before the horse. Despite the government's decision, it is wise to really get your digital security in order. What measures can you take to genuinely get the boardroom on board with the need for this?
1. Organize targeted workshops and training for directors
Are directors unfamiliar with the complexity of cyber risks? Then organize workshops and training courses tailored to their responsibilities, focusing for example on risk management rather than technical details.
2. Tabletop exercises and simulations
Nothing makes the impact of a cyberattack clearer than a simulation. Organize tabletop exercises in which you play through realistic scenarios, such as a ransomware attack. That way, all relevant actors understand and experience the risks.
3. Increase awareness at a strategic level
Make sure that digital security becomes a permanent topic on the strategic agenda. Show directors what a cyberattack can cause, such as financial damage, reputational damage and even personal liability. This gives digital security more priority.
4. Engage external experts
Have an external IT partner review your situation and give advice. Skilled consultants can help make digital security a strategic agenda item and determine targeted action points. A good IT partner also supports you in implementing the right measures.