by Simon C. Melander / December 22, 2023
Cyber threats are becoming more frequent and sophisticated, and it is imperative to take proactive measures to safeguard against them.
Organizations should invest heavily in robust digital security measures, especially for services and infrastructure that are critical to the public.
This is why the European Union (EU) enacted the NIS2 directive - to establish core cybersecurity standards across sectors.
“NIS” stands for network and information system. The directive was passed by the EU Parliament, and its full title is “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).”
The NIS2 directive requires organizations in critical sectors to take appropriate measures to mitigate cyber risks. Password managers effectively improve cybersecurity and ensure compliance with other relevant frameworks, like ISO/IEC 27001 and ISAE 3402.
This article explains how password managers can enhance cybersecurity and help organizations meet the password security requirements of the NIS2 directive and other relevant frameworks.
The latest State of Cybersecurity 2023 report by ISACA reveals a worrying trend - only 11% of organizations are seeing a decrease in cyber attacks. Even more concerning, 38% of respondents saw increased attacks, while 31% saw no change.
These statistics shed light on why NIS2 compliance is all the more critical now.
While the NIS2 directive represents the first truly comprehensive legal directive on cybersecurity in the European Union, baby steps towards this measure have been taken since as early as 2013, when the first cybersecurity strategy was adopted.
In 2016, the Directive on Security of Network and Information Systems across the EU was adopted and came to be called the NIS directive. With cyber threats rapidly evolving, the EU cybersecurity strategy for 2020-2025 exposed the shortcomings of the NIS directive and sought to transform how critical entities were protected.
All these steps culminated in the development of NIS2 (the old directive is now referred to as NIS1), with the original proposal setting forth three major objectives:
The NIS2 directive finally came into force in January 2023, and EU member states are expected to adopt the required measures as national law in their respective countries within 21 months. With a target date of 17 October 2024, state parliaments have less than one year to pass the requirements as law.
An estimated 160,000 companies in up to 15 sectors are covered. This is a significant improvement to NIS1, which applied to only seven sectors.
Source: NIS2 Directive
Some sectors covered by the NIS2 directive include energy, health, transport, finance, food, manufacturing, etc. What is common to all these entities is that they handle essential services and critical infrastructure.
Source: NIS2 Directive
The key cybersecurity measures required by NIS2 are divided into four overarching areas and 10 baseline security measures. The baseline measures include access management, multi-factor authentication, encryption, cybersecurity training, risk assessments, etc.
However, the most critical mandates cover the following areas:
Failing to meet these obligations might attract fines of up to a whopping €10 million or 2% of global annual revenue, depending on whether the organization belongs to an essential or important sector. Other possible penalties include criminal sanctions and so on.
ISO/IEC 27001, or simply ISO 27001, focuses on information security management systems (ISMS). It was most recently updated in 2022 with eleven new controls, including threat intelligence, cloud information security, physical security, secure coding, web filtering, etc.
Source: ISO
According to the documentation, “conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company.” It is designed as a holistic approach to information security.
The key information security principles of ISO/IEC 27001 are also known as the CIA triad and are the following:
The International Standard on Assurance Engagements (ISAE) 3402 is not necessarily an information security standard, but its principles are applicable. ISAE 3402 applies to service organizations that provide a service to user entities that are likely to be relevant to user entities’ internal control as it relates to financial reporting.
Prescribed Service Organization Control (SOC) reports built on ISAE 3402 principles emphasize control assurance, a critical component in securing digital environments. This heightened focus on internal controls within service organizations ultimately benefits user entities, as they can rely on the service provider's robust controls to enhance the security of their own data.
ISAE reports are of two types. Type 1 reports cover internal implementation, documentation, review, and ongoing maintenance. The type 2 report then reviews the documentation and verifies that adequate controls have been implemented.
Source: BFMT Group
To be clear, ISO/IEC 27001 and ISAE 3402 are not substitutes for the NIS2 directive, and organizations should ensure that they meet the requirements and obligations of the NIS2 directive and any other applicable laws and regulations.
As cyber threats advance, password managers have emerged as not just tools of convenience but as strategic assets that play a pivotal role in security. Password managers must meet the stringent requirements of modern compliance frameworks, including those already discussed in this article: NIS2, ISO/IEC 27001, and ISAE 3402.
With the new NIS2 regulations, secure authentication is more important than ever. And this is where password managers can help.
The best managers make it easy to implement multi-factor authentication (MFA) and encryption. They also have features to detect suspicious activity across your accounts and send alerts about potential security incidents, such as unauthorized logins and data breaches.
A password manager should tick all the relevant boxes when implementing a solid ISMS. For instance, your password manager should be able to automatically check that passwords meet complexity requirements, enforce regular password changes, restrict sharing, and provide detailed audit trails and reports.
It should also enable seamless password synchronization across devices while keeping everything encrypted and backed up. These features match the core principles and best practices of the ISO/IEC 27001 standard.
In the context of ISAE 3402, password managers play a dual role. First, they are the gatekeepers for access to systems and data via strong password policies and MFA. Second, password managers reduce risk by eliminating weak and reused passwords across accounts.
Features like automatic password generation, encrypted storage, and access monitoring create a far more secure environment. Meeting ISAE 3402 standards also requires thoroughly documenting controls around encryption, access policies, activity logs, and incident response.
Password managers use enterprise-grade encryption such as 256-bit AES to encrypt password databases, rendering the data unreadable without the appropriate decryption key. For multi-factor authentication, managers can enforce verification through biometrics, security keys, one-time codes, push notifications to approved devices, and so on. All these measures tighten the layers of security to improve the organization's overall cyber resilience.
Complying with the NIS2 directive and other modern compliance frameworks is a legal obligation and a strategic advantage for organizations that want to improve their cybersecurity posture and reputation. By using password managers as part of their security strategy, organizations can enjoy the following benefits:
Password managers excel in automating the laborious aspects of credential management. One of the major burdens for many enterprises is manually handling password hygiene across the organization.
Strong passwords can be automatically generated, stored, rotated, and encrypted with a password manager to reduce the manual burden.
The human element is often the weakest link in cybersecurity, with weak or reused passwords posing significant risks. And in many cases, non-IT employees don’t know better or sometimes don’t care enough.
Using a password manager is an efficient way to enforce good password habits across the board. Employees will no longer use and reuse simple passwords or forget unique complex ones.
To comply with NIS2’s incident reporting requirements (one of the four critical mandates), organizations need visibility into password risks, compliance gaps, and security breaches.
Password manager dashboards provide real-time data on password hygiene, MFA adoption, suspicious logins, phishing attacks, etc. This gives the IT team the security insights they need for continuous compliance monitoring.
Implementing the NIS2’s access management controls like MFA and password policies can get expensive at scale using other solutions. But password managers consolidate these capabilities into a scalable solution with relatively low licensing costs.
Regarding the security value delivered, password managers provide a more favorable ROI on password security than other solutions.
The success of any cybersecurity measures hinges on user adoption. So, creators of password managers have a huge incentive to design platforms with user-friendliness in mind to ensure seamless integration into existing workflows.
For IT, open APIs and SSO integrations allow password managers to plug into existing workflows and systems seamlessly, reducing deployment friction.
While directly addressing NIS2 password requirements, password manager capabilities also significantly reduce attack surface beyond just compliance.
This strengthens the overall security against credential theft, social engineering, and lateral movement within compromised networks.
Password managers are especially valuable for small and medium enterprises looking to comply with NIS2 on a budget. SMEs often don't have large organizations' dedicated security resources or budgets. But password managers provide a scalable way to implement strong access controls across their workforce without breaking the bank.
The automated password hygiene features remove a considerable burden on understaffed IT teams at SMEs. A centralized password vault means employees can securely share credentials as needed, rather than resorting to risky practices like reusing passwords or storing them in spreadsheets.
The dashboards also provide visibility into password risks and compliance gaps across the business - invaluable insight for SMEs that lack dedicated security analytics.
In addition, password managers easily adapt as the business grows and changes. New employees can be onboarded instantly, while departing ones are promptly deactivated. The modular pricing also allows SMEs to scale security as their workforce expands steadily. And integrations with existing software mean no major disruptions.
Large enterprises have more complex password management needs, but modern password managers are still beneficial for meeting NIS2 compliance.
With many employees, remote workers, and third-party access, large companies struggle to maintain visibility and control over credentials across their sprawl. However, a centralized password manager provides the consolidation, automation, and analytics required to properly govern passwords at scale.
Features like SSO and APIs integrate the password manager into existing workflows across departments and workforce segments. Admin roles allow coordination of policies and permissions across business units and teams. Auditing provides accountability over credential access.
For remote and mobile workers, password manager apps enable secure password usage from anywhere while still keeping sensitive credentials encrypted.
Amidst the undeniable advantages of integrating password managers into NIS2 compliance strategies, it is crucial to acknowledge and address the challenges and considerations that may arise.
Password managers directly address core access management and security measures mandated by NIS2 and frameworks like ISO/IEC 27001 and ISAE 3402.
By centralizing credential storage, automating password hygiene, enabling multifactor authentication, and providing visibility into risks, password managers allow organizations to tackle password vulnerabilities cost-effectively at scale. Both large enterprises and SMEs stand to benefit greatly from this.
To achieve true resilience, though, password security must be supplemented with comprehensive awareness training, endpoint protection, access controls, data encryption, backup solutions, and other layers of defense. Organizations should take a risk-based approach to identify and address their weaknesses through defense in depth.
In light of the rising threats and imminent NIS2 deadlines, the time for organizations to evaluate their password practices and cybersecurity posture is now. Implementing a password manager solution tailored to your environment and workforce is a simple yet high-impact step that organizations should strongly consider as part of their path to compliance and security excellence.
Simon C. Melander is a thought leader in cybersecurity, password management, NIS2, and access security. As the Chief Marketing Officer of Uniqkey.eu, a business-only access management platform, he oversees the marketing strategy for the company. He has helped multiple European tech startups successfully scale up their growth and expand into new markets.