Secure storage – what does the enterprise need to know about data compliance?

07 November 2023

John Michael, CEO, iStorage

The path to data compliance is laid out clearly for the enterprise. The laws, rules and regulations surrounding the proper possession, organisation and storage of digital assets make organisations’ responsibilities clear. They explain the data that needs to be protected and outline the processes which can make that happen.

But every business is unique. Each has taken a different route through its digital transformation process, been derailed in a different way by the unique requirements of the pandemic and places its own internal requirements on data use and storage, making the path to data compliance a little less clear.

Meeting compliance goals is a true test of internal governance and organisational acumen. Compliance demands that the policies surrounding data storage are comprehensive and properly followed, and that businesses apply hardware solutions to ensure compromised devices do not lead to a data breach.

The new NIS 2 normal

The revised Network and Information Security Directive (NIS 2) is perhaps today’s largest compliance challenge. It expands the scope of the original NIS Directive to raise the level of cybersecurity risk management in EU organisations and increases their reporting obligations, while also allowing EU member states to impose additional certification requirements on hardware and software used in the enterprise. NIS 2 also extends its reach, applying its regulation to numerous new sectors and imposing a level of regulatory oversight that varies according to whether a business is in a sector deemed ‘essential’ or ‘important.’

Though the UK government has announced that it will not implement NIS 2 directly, it has opted to strengthen the NIS regulations inherited from its time in the EU. This means that UK businesses must navigate a compliance path which is mindful of the complexities of NIS 2 when doing business with any EU state, must also meet the UK’s own version of the NIS regulations, and face significant fines if they do not build a hardware, software and cultural base of security and compliance.

Securing data’s perimeter

Improving cybersecurity to comply with NIS 2 essentially means protecting all possible points of entry that could be used by an attacker. NIS 2 specifically requires organisations to consider not only their own vulnerabilities, but those of their suppliers and service providers – including data storage providers. Cloud providers have been quick to promote their security credibility, yet the terms and conditions of many major cloud entities include a ‘limitations of liability’ clause which puts the responsibility for data security squarely on the shoulders of the cloud user.

In many cases, we also put that responsibility in the hands of employees, since the rise of hybrid working means sensitive data is now regularly carried outside of company walls. The truth is that, away from the scrutiny of IT teams, the data hygiene of remote employees can slip. They may be tempted to use personal devices for work purposes, negating the protections of certified hardware. They may work on unsecured networks, in places where onlookers could steal passwords or view sensitive data, or they may lose critical documents if an unencrypted device is lost or stolen. Employees must, therefore, be educated as to their role in ensuring compliance, and be given the tools and devices to help them play their part.

The importance of encryption

The demands of managing every one of these aspects make compliance a herculean task for IT teams – and they may falter. To maximise protection, securely encrypting files both in transit and at rest must be a core tenet of any plan. Properly encrypted files protect against compliance failure if liability is passed down the chain in the case of a cloud storage breach. Secure remote storage – ideally USB drives which include on-device AES-XTS 256-bit encryption and secondary authentication – can protect both against brute-force attacks and against individuals with insufficient or expired access rights. Making regular backups and trusting them to hardware which can absolutely keep them safe is imperative.
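To make the on-device AES-XTS mode named above concrete, this is an added example (not iStorage's firmware or any product's code): a standard-library-only Go implementation of XTS-AES-256 for one 512-byte sector, with the 64-byte key, sector numbers and sample sector contents constructed for the demonstration. It shows why the per-sector tweak matters and the caveat a practitioner should keep beside this paragraph: XTS provides confidentiality only, so a flipped ciphertext bit decrypts without any error, and the integrity of backups needs a separate check such as a MAC or a signed manifest.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// xtsSector encrypts (encrypt=true) or decrypts one sector with XTS-AES-256.
// key is 64 bytes: K1 (data key) || K2 (tweak key). Sector length must be a multiple
// of 16 (true for 512- and 4096-byte sectors), so no ciphertext stealing is needed.
func xtsSector(key []byte, sector uint64, in []byte, encrypt bool) ([]byte, error) {
	if len(key) != 64 || len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("need a 64-byte key and a non-empty multiple of 16 bytes")
	}
	k1, err1 := aes.NewCipher(key[:32])
	k2, err2 := aes.NewCipher(key[32:])
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("cipher setup failed")
	}
	// Tweak T = AES_K2(sector number as a 128-bit little-endian integer), per IEEE 1619.
	var tweak [aes.BlockSize]byte
	binary.LittleEndian.PutUint64(tweak[:8], sector)
	k2.Encrypt(tweak[:], tweak[:])
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += aes.BlockSize {
		b := out[off : off+aes.BlockSize]
		for i := range b { b[i] = in[off+i] ^ tweak[i] } // C = AES_K1(P xor T) xor T
		if encrypt { k1.Encrypt(b, b) } else { k1.Decrypt(b, b) }
		for i := range b { b[i] ^= tweak[i] }
		// Next block: T = T * alpha in GF(2^128), a 128-bit left shift with 0x87 feedback.
		carry := tweak[15] >> 7
		for i := 15; i > 0; i-- { tweak[i] = tweak[i]<<1 | tweak[i-1]>>7 }
		tweak[0] = tweak[0]<<1 ^ carry*0x87
	}
	return out, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 64)              // constructed demo key only
	plain := bytes.Repeat([]byte("backup-"), 80)[:512] // constructed 512-byte sector
	c0, _ := xtsSector(key, 0, plain, true)
	c1, _ := xtsSector(key, 1, plain, true)
	fmt.Println("identical sectors encrypt differently:", !bytes.Equal(c0, c1))
	c0[100] ^= 0x01 // flip one ciphertext bit in block 6: XTS has no integrity check
	p, _ := xtsSector(key, 0, c0, false)
	fmt.Println("tampered sector decrypts without error, only block 6 garbled:",
		!bytes.Equal(p[96:112], plain[96:112]) && bytes.Equal(p[112:], plain[112:]))
}
```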

256-bit AES hardware encryption, put simply, cannot be broken. It is the only way to guarantee the integrity of data and prevent falling foul of the ever-tightening rules and regulations surrounding cybersecurity risks. Encryption does not replace due diligence – vendors must still be carefully selected on their security credentials, particularly given the potential for EU states to impose their own rules on hardware use – but when used properly it offers security by default and safer data.