
In order to increase the resilience of companies, it is not just a matter of technology - processes must be optimised and employees must be given targeted support. In this article, we highlight the key factors for NIS2 compliance in terms of identity security, cyber hygiene and awareness as well as protection against social engineering.
Identity security: protecting privileged accounts
Privileged accounts are at the centre of most cyber attacks - they offer hackers direct access to sensitive data and systems. Strong identity security is therefore essential. This is where Privileged Access Management (PAM) and Identity Governance and Administration (IGA) play a central role.
- Security: The need-to-know principle ensures that only the authorisations required for day-to-day work are assigned. This limits the extent of a possible attack.
- Efficiency: The automation and standardisation of authorisation processes reduces the workload - saving time and costs. This is a decisive advantage, especially in times of a shortage of skilled labour.
- Compliance: Effective authentication and access control mechanisms centrally support compliance with the NIS2 directive and ISO 27001.
Cyber hygiene and awareness: structured processes, sensitised employees
Solid cyber hygiene forms the basis for secure IT systems. However, even the best technical measures are only effective if employees are aware of the risks and actively contribute to security. This is why organisational routines and technical measures must be interlinked in order to establish a sustainable security culture.
Important elements of cyber hygiene:
- Technical routines: Regular password changes, multi-factor authentication and consistent patch management minimise security vulnerabilities.
- Regular recertifications: Authorisations should be checked at fixed intervals - approximately every three to six months - and adjusted if necessary.
- Log management: Complete logging helps to recognise suspicious activities at an early stage and respond to them quickly.

Awareness programmes for employees:
In order to raise security awareness in the long term, sensitisation measures should go beyond traditional training and be refreshed on a regular basis. Gamification, realistic simulations such as phishing tests and continuous, proactive communication help to better understand threats. The aim is not just to protect employees, but to make them active participants in the security strategy.
Social engineering: understanding the psychology of attacks
Attackers use psychological manipulation to persuade employees to disclose sensitive information. This so-called social engineering exploits human weaknesses and interpersonal dynamics to gain unauthorised access to IT systems.
Common social engineering techniques:
- Authority: Attackers pretend to be high-ranking individuals or IT experts in order to create trust or intimidate employees.
- Scarcity: Time pressure is built up to force impulsive decisions.
- Sympathy: Trust is built up through targeted expressions of sympathy in order to obtain information.
How to protect yourself:
- Regular sensitisation and training that explains psychological attack patterns to employees.
- Review mechanisms, such as the dual control principle for sensitive decisions.
- Tests and simulations that prepare employees for realistic scenarios.
Conclusion: People are the strongest line of defence
NIS2 requires companies to take both technical and organisational measures. However, without the active involvement of employees, any strategy remains incomplete and not truly effective. By relying on a combination of state-of-the-art technology, clear processes and a strong security culture, you can make your organisation fit for the challenges of the future.
Now is the perfect time to rethink your security strategy. Take the opportunity to strengthen your first line of defence - your employees.
Would you like to delve deeper into the topic of NIS2? Our video series on the NIS2 directive highlights further aspects and provides practical tips for implementation. Discover it now and start your journey to NIS2 compliance!