Every single day, new ransomware attacks make global headlines. The CrowdStrike outage is a more recent example of how a single mistake can lead to a catastrophic outcome. A breathtaking array of organizations have fallen victim to these aggressive invasions, and they are increasingly being infected by software that encrypts and locks files until a ransom is paid for their return.
While pressures mount due to the on-going digitalisation of societies, as well as the geopolitical complexities all companies face, it is now obvious that the biggest challenges from a cybersecurity point of view are caused by developments in the field of artificial intelligence (AI). In fact, the global security platform SoSafe argues that everything changed in 2023 with the launch of ChatGPT by OpenAI. According to SoSafe, AI was expected to reach 300 million users in 2024.
By 2030, that figure is expected to double. Although AI offers a plethora of positive possibilities, it unfortunately also enhances the sophistication of malevolent uses.
To try to match this ever-growing, dynamic threat to companies, the EU has adopted regulations that require stricter security measures. These measures put pressure on companies to protect themselves. Small wonder, then, that pressed between regulation and threat, global end-user spending on security and risk management is expected to reach USD 215 billion in 2024, an increase of 14.3% compared to 2023.
What is NIS-2?
As of October 2024, the Network and Information Security Directive 2.0 (NIS-2), the EU’s new, mandatory cybersecurity directive, was implemented. Its scope is wider than that of DORA. Organizations in certain industries (the financial services, energy, transport, and digital services sectors) must demonstrably take appropriate cybersecurity measures. They must also report significant incidents without delay.
The goal of NIS-2 is to strengthen resilience against cyber-attacks, and to help improve responsiveness in the event of security incidents by setting clear requirements for risk management and incident reporting.
What is DORA?
DORA (the Digital Operational Resilience Act) focuses solely on the financial sector and aims to ensure resilience to cyber-attacks. It condenses the guidelines of the European Banking Authority into a concise framework to improve cybersecurity in this particular sector. DORA is limited to financial institutions.
When must companies implement the requirements?
The NIS-2 Directive is in force from October 2024. The Digital Operational Resilience Act (DORA) is a regulation, i.e. a directly applicable European law, and enters into force directly and unchanged in the member states in January 2025.
Vawlt’s cloud independence empowers organizations
It would be delusional to think that cyber-attacks can be 100% prevented. No new regulation introduced to the world will achieve this. It is therefore important that companies are equipped to respond appropriately once an attack has taken place, and are able to minimize the damage in compliance with regulations. But how much cybersecurity is enough to comply with the new requirements, and how can the cost be kept under control?
A bulwark always starts with simple basics
Being able to assess the danger, and knowing which cyber risks might come down the road, is key. Planning ahead, making smart changes, putting strategies and processes in place and relying on powerful cyber-attack solutions are of utmost importance for improving protective barriers. IT teams can proactively prepare for NIS-2 and DORA at an early stage. These preparations should include a strong strategy, state-of-the-art software solutions and a variety of tactics that together raise the overall level of protection against ransomware attacks and other cyber threats.
Operational resilience – more than just a watchword
With data growing exponentially and cyber threats on the rise, today’s organizations must be able to keep delivering critical operations in the face of disruptive incidents. To ensure this, key measures need to be in place. The interplay between early identification, thorough assessment and management of risks, agile crisis management and a forward-thinking business continuity plan all help to ensure ‘business as usual’. At Vawlt, operational resilience measures are paired with a simplified configuration and transparent cloud management throughout.
Digging deeper: Vawlt’s cloud independence – the true path to maximum control
What can be learnt from disasters like the CrowdStrike outage, the Alibaba cloud fire, or the UniSuper incident is that any supplier, including the cloud giants, can fail. Cloud-managed geo-replication is not synonymous with comprehensive fault tolerance or resiliency. Why? Because geo-replication provides resiliency against events like natural disasters, but does not safeguard against cloud-level incidents, i.e. failures that affect the provider itself rather than a single region. This is why part of Vawlt’s approach is to encourage organizations to take the measures that ensure their independence, sovereignty, and business continuity themselves, completely independently of the guarantees provided by cloud service providers.
Vawlt proactively supports companies in taking advantage of the resources of the modern multi-cloud world. However, when it comes to independence and incident response, the company remains in the driving seat at all times.
Vawlt’s immutability and continuous snapshotting capabilities directly answer the ever-growing, dynamic ransomware challenge, whatever the kind of data, storage flavor, or underlying infrastructure. Moreover, IT decision-makers can define a retention policy for the files in each data volume. As a result, they can define a period during which these files remain available for recovery, even if they have been deleted.
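The following is an added illustration, not Vawlt’s code and not a description of its internals: a small in-memory model of a volume whose snapshots are read-only and are kept for a configurable retention period. The `Volume`, `Snapshot`, `recover` and `run_scenario` names are assumptions chosen for the example. It shows the two properties the paragraph relies on: a snapshot cannot be altered through the live data once taken, and a file that was deleted or overwritten on the live volume can still be recovered from any snapshot inside the retention window, after which recovery is no longer possible.

```python
"""Model of an immutable, continuously snapshotted volume with a retention policy.

Added example (not Vawlt's implementation). The sample files and the
"attack" below are constructed for the demonstration.
"""
from datetime import datetime, timedelta
from types import MappingProxyType
from typing import Optional


class Snapshot:
    """A point-in-time, read-only copy of a volume's files."""

    def __init__(self, taken_at: datetime, files: dict):
        self.taken_at = taken_at
        # The snapshot owns a private copy of the file map and exposes it only
        # through a read-only proxy, so neither later writes to the live volume
        # nor direct item assignment can change what was captured.
        self.files = MappingProxyType(dict(files))


class Volume:
    """Live file store plus a chain of immutable snapshots under a retention policy."""

    def __init__(self, name: str, retention: timedelta):
        self.name = name
        self.retention = retention
        self.live: dict = {}
        self._snapshots: list = []

    def write(self, path: str, data: bytes) -> None:
        self.live[path] = data

    def delete(self, path: str) -> None:
        self.live.pop(path, None)

    def snapshot(self, now: datetime) -> Snapshot:
        """Capture the current live state (what a scheduled snapshot job would do)."""
        snap = Snapshot(now, self.live)
        self._snapshots.append(snap)
        return snap

    def snapshots(self) -> tuple:
        return tuple(self._snapshots)

    def expire(self, now: datetime) -> int:
        """Drop snapshots older than the retention period; return how many were removed."""
        cutoff = now - self.retention
        kept = [s for s in self._snapshots if s.taken_at >= cutoff]
        removed = len(self._snapshots) - len(kept)
        self._snapshots = kept
        return removed

    def recover(self, path: str, now: datetime,
                not_after: Optional[datetime] = None) -> Optional[bytes]:
        """Return the newest retained copy of `path` taken at or before `not_after`.

        `not_after` lets the operator pick the last known-good point in time,
        because snapshots taken after the attack faithfully preserve the damage.
        """
        self.expire(now)
        limit = not_after or now
        for snap in reversed(self._snapshots):
            if snap.taken_at <= limit and path in snap.files:
                return snap.files[path]
        return None


def run_scenario() -> dict:
    """Constructed scenario: two good snapshots, then an overwrite and a delete."""
    t0 = datetime(2024, 10, 1, 0, 0)
    vol = Volume("finance", retention=timedelta(days=30))

    vol.write("ledger.csv", b"account,balance\n1,100\n")
    vol.snapshot(t0)
    vol.write("ledger.csv", b"account,balance\n1,120\n")
    vol.snapshot(t0 + timedelta(hours=1))

    # Constructed damage on the live data: contents replaced, then the file removed.
    vol.write("ledger.csv", b"\x00ENCRYPTED\x00")
    vol.snapshot(t0 + timedelta(hours=2))  # the scheduled job also captures the bad state
    vol.delete("ledger.csv")

    # Immutability check: item assignment on a snapshot must be refused.
    try:
        vol.snapshots()[0].files["ledger.csv"] = b"tampered"
        tamper_blocked = False
    except TypeError:
        tamper_blocked = True

    now = t0 + timedelta(hours=3)
    return {
        "live_after_attack": vol.live.get("ledger.csv"),
        "tamper_blocked": tamper_blocked,
        "newest_retained": vol.recover("ledger.csv", now),
        "last_known_good": vol.recover("ledger.csv", now,
                                       not_after=t0 + timedelta(hours=1)),
        "after_retention": vol.recover("ledger.csv", t0 + timedelta(days=31)),
    }
```

Two details matter in practice: the newest snapshot is not automatically the one to restore from, since it may already contain the encrypted state, so recovery tooling needs a way to select a point in time before the incident; and the retention period is exactly the window in which that point remains reachable, so it has to be longer than the time an intrusion can plausibly go unnoticed.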
Vawlt is also highly cost-effective: organizations don’t need to make disruptive changes to their overall infrastructure in order to increase their level of ransomware protection. Especially in sectors that deal with sensitive data, e.g. financial institutions, data protection and compliance are major concerns. Vawlt ensures that all archived data is stored in a multi-cloud environment, ensuring data availability and no downtime, even in the event of one of the clouds going offline.
Complying and enhancing – it needn’t be a headache!
In conclusion, this is clearly not the time for companies to complain about regulatory overkill, even if it can be tiring to comply with a seemingly constant stream of new requirements linked to potential penalties. In the face of NIS-2 and DORA, IT decision-makers are best advised to go the extra mile. This means finding strong partners that can enhance their companies’ existing data security strategies, as well as their measures for operational resilience in a multi-cloud environment, to raise standards of security and compliance across the board.