Good data security is critical to the continuity of an organization’s operations. New data security requirements, such as the NIS2 Directive, are putting additional pressure on companies to create sustainable practices to protect their IT environments. Cyber espionage, phishing and data leaks are becoming more common, and the increasingly popular AI is one of the fastest growing risks to corporate cybersecurity. Industrial supply chain and production OT (operational technology) networks require special attention to secure production in the face of various threats.
The damage caused by data breaches can range from exploiting small vulnerabilities to massive data leaks. The cybersecurity-related NIS 2 Directive that enters into force in 2024 will bring new requirements especially for management – failures in data security practices can, lead to personal or criminal liability in the worst case.
Companies should operate under the assumption that all information is worth protecting and of interest to outsiders. Data breaches and ransom demands can cause significant financial costs, reputational damage, and even production disruptions. No technical solution, policy or process is a 100% guarantee against threats, but with industry best practices and recommendations, stakeholders can sleep well at night and management can avoid personal liability in the event of issues.
Server data security and its controlled management provide a solid foundation for protecting your IT environment. Just as buildings are maintained, each component of a server should be inspected regularly and follow a recommended maintenance program or annual schedule.
Server data security and cybersecurity – where to start?
There are many levels at which data security can be improved, from everyday policies and practices to advanced technical solutions and processes, but it all starts with a solid and secure foundation. Even simple measures can achieve a good baseline, and by taking care of these, management can demonstrate that they are meeting the basic requirements of the NIS2 Directive.
At a fundamental level, you should consider at least the following areas of server data security:
- An architecture that uses the data security onion model and network segmentation
- Network data security, protected by firewalls and traffic restrictions
- Security updates at all levels of the infrastructure, including physical devices and network services, the virtualization environment, operating systems, and applications
- Access control with access restriction and multi-factor authentication
- Offsite backup and disaster recovery planning
- Monitoring that shows if anything unusual is happening
- Data security management process to respond to vulnerabilities and alerts
- Training to ensure that all employees have a basic understanding of data security
Advanced tools to support server data security:
- Antivirus protection – especially if your organization has a file-based server or a web server from which files are downloaded
- Data security monitoring: (EDR/XDR/SIEM/SOAR/SOC). For example, the Microsoft Defender product family enables you to build a comprehensive monitoring system for your entire IT environment.
- Centralized log management to find and track incidents faster
- Additional backup security through regular testing of backups, immutable backups, and antivirus protection of backups.
- Additional network security such as DDOS and IDS/IPS
- Data security management processes: there is a process for responding to all incidents and alerts, manual reviews are also carried out regularly by an expert, the organization uses automated and configured remediation processes, and management processes are regularly monitored and developed.
- Regular training and testing of employees, including in more challenging situations
The protection of production OT networks requires a different approach
The requirements of the NIS2 Directive are particularly relevant to critical industries, and network designs in manufacturing must take into account the vulnerabilities of the OT network and the need for secure production design. The OT network should be completely separate from the rest of the factory networks and the office network. The network can be secured with network devices, network services, and network segmentation, but organizations should also have agreed-upon policies for managing the security of third-party OT hardware.
If production is running on old hardware or operating systems and software versions, security updates may not be possible. In this case, the data security of the server must be built specifically on the network solutions and the management processes that support them. In production, as in other network environments, the impact of subcontractors on data security and the security of third-party hardware and software must always be considered.
With the right preparation, the new Directives and requirements are much less of a nuisance. A trusted partner can also help you identify your needs and design effective data security policies to keep your business safe.
Read more:
An IT partner that keeps you and your production up to date
The NIS2 Directive tightens cybersecurity management – is your organization ready?
What you need to know in the manufacturing industry about the DevSecOps operating model Pick our four tips for your organization
