Now that 2024 is about to end, let’s have a look at this year’s cybersecurity highlights. Changes in legislation like NIS 2 (both in countries and supranational bodies, like the EU) probably rank amongst the most important. All of these changes in legislation have been spurred by global cyber threats that can undermine a country’s democracy and financial stability.
Attackers are still using traditional attack vectors. However, the surge of new technologies like AI is giving rise to new threats (like deepfakes, commonly used in misinformation campaigns and financial scams).
Main cyberattacks in 2024
Looking back, this year has been marked by aggressive ransomware campaigns. Even the US elections were hit by fake news built on widely circulated deepfakes. The Olympic Games were also massively targeted. Information systems, government agencies, and sports, transport and telecommunications infrastructures suffered the most attacks.
Spain has also been home to some serious attacks. Energy companies and big banks have struggled to prevent data exfiltration, whereas public institutions have faced DDoS attacks from Russian hacktivists targeting critical sectors. Although it has not been officially confirmed, the latest case to hit the news is an alleged data breach at the Spanish Tax Agency, where the Trinity ransomware group demanded a ransom in exchange for not disclosing taxpayer details.
These events show just how necessary it is to create new frameworks and regulations that give countries the tools to protect themselves against geopolitical cyber threats that could destabilize them. The US, for instance, has updated its national cybersecurity strategy and identified ways to strengthen IoT, critical infrastructure, and government environments.
In Europe, we have the new NIS 2 Directive, whose deadline for transposition into national law expired in October 2024. However, some countries (including Spain) still have work to do. Even though the Directive is mandatory for Spanish companies, no national legal framework exists as yet. Still, it is important to act now and fulfill the requirements set forth in the Directive.
The NIS 2 Directive
The goal of the NIS 2 Directive is to build upon the original NIS Directive, expanding its scope and strengthening its requirements to better address evolving cyber threats. The most frequently asked questions about the Directive concern its scope of application. NIS 1 focused on companies that were critical to society. The new Directive covers large and medium-sized enterprises (whether public or private) that operate in critical and highly critical sectors. We must therefore know whether our company falls into these categories.
There are some sectors in which NIS 2 clearly applies: for instance, oil and power-related segments, but also medical research centers and drug discovery and development institutions (including pharmaceuticals). Wastewater and freshwater infrastructures, as well as banking and financial institutions, are also considered critical. Digital infrastructure sectors (including network providers and telecommunications services) have been a key addition. NIS 2 also covers security and ICT managed services provided to companies and public administrations (beyond national and regional governments).
The incorporation of postal and courier services, waste management, chemical production and distribution, research institutions, and the food sector is also worth noting. Even if our company does not fall directly under the Directive's scope, if it furnishes essential services to any of the aforementioned sectors as a sole provider, it should also comply with NIS 2. The supply chain is key in these environments. Companies that fall under the Directive's scope of application must implement cybersecurity risk management policies and fulfill the incident notification obligations (an early warning must be submitted to the CSIRT within the first 24 hours).
In addition to NIS 2, the financial sector has its own specific regulation, known as DORA, whose goal is to improve operational resilience and cybersecurity in that sector by January 2025. Financial entities must set requirements to address cybersecurity incidents, particularly risks related to information and communication technologies, with the aim of protecting against, detecting, minimizing, fixing, and remedying incidents involving these technologies.
Why is it important to know whether we fall under the scope?
In a digital world that is becoming increasingly connected, threats are ever-growing. New regulations create a working framework that must be complied with in order to withstand serious attacks. Many external actors seek to disrupt one or several sectors in a given country. These actors are not only geopolitical players (like rogue states), but also organizations that try to profit from attacks that can economically cripple a particular industry.
It is important to ascertain whether we fall under the scope of application of the aforementioned regulations, since this will force us to set up corporate protocols and actions to identify an incident, assess its severity, and report it in due time and manner. Resilience, in turn, calls for the deployment of redundant platforms in the event of an attack and the implementation of every measure available to restore operations as soon as possible.
Fines vary depending on whether companies are classified as critical or merely important. As with the GDPR, these fines are expressed as a percentage of total annual turnover.
Security technologies that can help us stop attacks are key. So are those that can help us identify the steps executed by the attacker and the elements affected.
At Teldat, we help our customers by offering active security protections and advanced monitoring and response platforms (which can be key to minimize the impact of these attacks).