NIS2: How to secure remote access to sensitive data?

 
Discover in this article, how to secure remote access to sensitive data

55% of French people work in hybrid mode, switching between working in the office, telecommuting and business trips. Employees need remote access to their organisation's data to work efficiently. But accessing sensitive data remotely presents security risks.

Published on 27 December 2022 in the Official Journal of the European Union, the NIS2 Directive complements legislation already in effect to strengthen the security of sensitive data within organizations. What are the new obligations for companies, and what solutions should they adopt to secure remote access?

1. NIS2 Directive: A new framework for securing sensitive data

NIS2 applies to all organizations that meet at least one of these conditions:

Be present in two EU member statesHave more than 50 employeesGenerate revenue in excess of €10 millionOperate in an industry listed in Appendixes 1 and 2 of the Directive: healthcare, finance, transport, telecommunication, aerospace...Vendors, suppliers and service providers for the infrastructure of an organization subject to NIS2 are also concerned.

NIS2 extends the scope of the NIS1 Directive already in effect... while reinforcing legal obligations for companies in terms of securing sensitive data. Organizations subject to the regulations must:

Carry out a risk analysis and include cyber threats likely to impact their information systems (IS).
Implement IS and data protection measures at various levels:

• data encryption
• vulnerability management
• network security
• access control
• user management.

2. Prepare a plan to maintain business continuity in the event of an incident.

Train employees on IT risks, best practices for cyber hygiene and the organisation's security policy.
Report security incidents to ANSSI within 24 hours, as well as an impact assessment within 72 hours.

NIS2 should be officially implemented by October 2024. Organizations failing to meet the directive's requirements will face sanctions, with fines ranging from €7 million to €10 million, or 1.4% to 2% of total worldwide revenue.

3. Unsecured remote access: What are the risks for your organisation?

Unsecured remote access exposes your organization to a number of cyber risks. These include:

• Interception of sensitive data exchanges by a "man-in-the-middle" attack.
• Operating an unsecured network, such as public Wi-Fi, which can lead to data breaches.
• Phishing and president’s scams, which exploit the physical distance between employees to impersonate them and request fraudulent transactions.
• Unauthorized access to business data through an employee's device.
• Theft of a device containing sensitive data.
• Exploitation of application or software vulnerabilities on an endpoint used to access sensitive data.

All these threats can directly compromise the security of your organisation's sensitive data.

A data breach is not without consequences. Firstly, it entails costs associated with notifying victims, legal proceedings and incident remediation. The breached organization must then reinforce its protective measures. If the breach comes as a result of a non-compliance with GDPR or NIS2, legal fines may be imposed. Unfortunately, a data leak damages customer confidence and brand image. Many breached organizations lose customers and revenues following the disclosure of their sensitive data.

4. Best practices for securing remote access

A number of security features enhance the security of remote access, while complying with NIS2 requirements.

• Multi-factor authentication (MFA): verifies that the person attempting to connect to your organisation's systems is indeed an employee. Users must identify themselves not only with their login and password, but also with a second authentication via a hardware key, receipt of a code by SMS, or facial recognition. This prevents malicious connection attempts.
• Identity and Access Management (IAM): defines the authorizations of each user in order to protect the most sensitive data. IAM solutions help managing identities (creation, modification and deletion of user accounts) and adjust access and privileges according to the role of each individual (position held, partners, suppliers, etc.). Access to sensitive data is restricted to the smallest possible number of users.
• VPNs (Virtual Private Networks) to secure remote connections: ensure data encryption during remote exchanges. Even if intercepted, data remain completely unreadable. Also, a VPN protects data and the web in the event of a connection to an unsecured network, such as a public Wi-Fi.
• Employee training: employees working remotely need to understand cyber risks and best cyber hygiene practices, as well as internal policies. The aim of this training is to reduce the risk of human error and leave no opportunity for cyber criminals.

Exposure to cyber threats has increased with the generalization of telecommuting. Attackers exploit unsecured remote access to target sensitive corporate data. Compliance with the new NIS2 Directive, the adoption of appropriate security solutions and employee training are measures that need to be taken to secure remote access.