Relying on third-party IT and cybersecurity consultants will be critical in 2024 to ensure compliance with numerous new regulations. Rob Batters, director of managed and technical services at IT consulting firm Northdoor, offers his predictions for how professional services firms’ AI-powered solutions will help transform cybersecurity in 2024.
Achieving operational resiliency and compliance in 2023 proved a challenge: the increasing complexity of IT processes, technology infrastructure and cybersecurity, talent and budget shortages, organizational silos, and ever-changing compliance regulations are inherently difficult for organizations to manage. We also learned that just because a regulation exists doesn’t mean an organization has the budget, technical expertise, or in-house knowledge to fully meet it.
To achieve operational resiliency and compliance, organizations must understand how all areas of their operations (technology, data, third parties, facilities, operations, and talent) impact the delivery of critical services, and build a consistent set of cybersecurity resiliency measures and controls across all of these areas.
Issues impacting organizations in 2024
There is no doubt that in 2024, operational resiliency will receive the same focus that GDPR did a few years ago. The Digital Operational Resilience Act (DORA) and the Network and Information Systems Directive 2022 (NIS2) are two different parts of European cybersecurity law that will impact organizations from 2024 onwards.
NIS2 focuses on supply chain security. The goal is to ensure that operators of essential services (e.g. energy, transport, healthcare, banking) and digital service providers (e.g. search engines and cloud services) implement appropriate and proportionate security measures and notify authorities of serious incidents.
This Directive aims to improve the level of cybersecurity in the EU and ensure a common level of security for networks and information systems. NIS2 entered into force in January this year and set a deadline for member states to transpose the NIS2 Directive into applicable national law by October 2024. This deadline is critical for businesses, as non-compliance can have serious consequences, including financial penalties and reputational damage.
Under NIS2, authorities in member states can impose large fines in case of non-compliance. For essential entities, fines with a maximum of at least €10 million or 2% of worldwide annual turnover may be imposed. Important entities could be subject to fines with a maximum of at least €7 million, or 1.4% of their annual global turnover.
DORA’s influence
The second law that aligns with NIS2 is DORA. Its main purpose is to strengthen the IT security of financial institutions such as banks, insurance companies, and investment companies. The EU considers this necessary due to the increasing vulnerability of information and communications technology (ICT)-related services to disruption and cyber-attacks.
DORA also aims to ensure continuity of critical services so that incidents like the 2018 TSB outage are not repeated. TSB paid £48m to the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) over the IT migration that locked more than five million customers out of their accounts, as well as £33 million in compensation.
DORA addresses five topics aimed at strengthening the resilience of financial institutions. These are ICT risk management, ICT-related cyber incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing.
DORA came into force at the beginning of 2023, and regulatory and technical standards are being developed by the European Supervisory Authorities (ESAs). The ESAs will introduce these standards, with DORA requirements expected to be enforceable by early 2025 and all financial companies required to be compliant by January 2025.
UK companies cannot avoid DORA or NIS2
The scope of DORA and NIS2 extends to all companies that provide services considered important to the supply chains supporting the European financial sector (from a DORA perspective) and the EU’s essential and critical services (from an NIS2 perspective). This applies regardless of whether the company or service is based within the EU. It is also very likely that DORA and NIS2 will be mirrored by UK-specific legislation, so there is little point in waiting for this before complying.
Legacy systems can hinder compliance
As technology advances, support for older systems decreases as developers and manufacturers prioritize new systems, and patches and updates to legacy systems become increasingly scarce, if not present at all. A lack of continuous updates means that vulnerabilities in outdated software and hardware remain unresolved, making them prime targets for cyberattacks.
Additionally, as the employees maintaining legacy systems retire, younger employees are less likely to request or be provided training on legacy systems, creating a skills gap and further increasing cybersecurity risks. Modern cybersecurity tools often struggle to integrate with older systems. Legacy systems can lack the functionality needed to support advanced security measures, leaving gaps in your defense framework.
A typical compliance process (including security assessments, audits, consulting, and tool implementation) takes at least 12 months, so companies should start working now to ensure timely compliance.
Operational resiliency with automation and AI in 2024
According to IBM Security’s 2023 Cost of a Data Breach report, AI and automation are the most important factors in reducing identification time and remediation costs. The report found that UK organizations pay out an average of £3.4m per data breach incident, but companies using AI and automation spend around £1.6m less. The IT environments managed by IT and security teams are becoming increasingly complex, and implementing and managing AI-powered automated solutions that provide 360-degree real-time visibility into the supply chain can significantly improve an organization’s ability to achieve operational resilience and compliance.
Relying on third-party IT and cybersecurity consultants will be key in 2024 to ensure compliance. This takes pressure off internal teams and closes skills gaps. A third-party IT consultant can look into the details of a regulation to see how much it affects your organization. You can then begin to define the scope of your project within the context of the risks you are likely to encounter as a business. Compliance with DORA and NIS2 regulations is critical, so third-party IT consultants can ensure that a multi-layered cybersecurity response is in place to reduce day-to-day operational risks.
There is no one-size-fits-all approach to becoming DORA and NIS2 compliant, but by relying on an IT consultant, organizations can ensure they have a clear operational resiliency and compliance strategy in place. If you start preparing now, you’ll be sure to stay ahead in 2024.
Northdoor is an IT consultancy based in London. The company was recently ranked among the UK’s top consulting firms by Consultancy.uk, achieving a gold rating for data science.