Cyber security regulations – what’s appropriate?

The phrase ‘appropriate technical and operational measures’ (ATOM) is regularly used within cyber security regulations. What does it mean when designing or implementing appropriate security for cyber resilience? 

07 Aug 2024

Mark Hendry, Partner, Head of Cyber Security

Considering proportionality

ATOM is frequently cited in European and UK regulations concerning the cyber security of information and systems [1].

These phrases seem simple to understand, but interpreting them correctly in any given situation is the difference between meeting regulatory obligations for security and not meeting them. Likewise, correctly interpreting risk in context and adopting effective safeguards within that context is often the difference between preventing a security incident and suffering one.

Generally speaking, the measures taken to protect systems, information and data should be proportionate to the nature of the circumstances and the risks posed to systems and data. Let’s take that apart a little:

  1. Systems and data need to be understood in terms of their operational circumstances, considering things such as their use, volume, purpose, connections with other systems, processes and parties, and their operational criticality
  2. Risks must be understood, for instance by taking into account threats against a particular industry or organisation, common vulnerabilities associated with the nature of the processing (e.g. payment processing vulnerabilities arising from a combination of people, process and technology), and specific vulnerabilities associated with the hardware and software in use
  3. This contextual awareness, typically generated through proper assessments coupled with consideration of topics such as cost of implementation and organisational risk appetite, is an essential ingredient in determining which security measures are appropriate

From there, it’s a case of designing and implementing measures across people, processes and technologies to ensure the confidentiality, integrity and availability of data, information, and systems. 

You’re a cyber target, so move

All that considered, the ATOM phrasing starts to seem reasonably unhelpful, throwing the weight of obligation onto the organisation to interpret it, with serious risk of getting it wrong. However, it must be understood that these regulations were written to last decades, so introducing technical specifics may have been harmful to their longevity.

Times change, and what is an appropriate measure in 2024 can look very different to what would have been deemed appropriate in 2018 when GDPR and NIS took effect. Times and context will continue to change as new vulnerabilities are discovered, threat actors develop new tools, techniques and procedures to do harm, current-day technologies are phased out and lose support, and new technologies become commonplace.

A good example is in the field of cryptography. When quantum computing becomes widely operationally available, it is anticipated that all present-day forms of cryptographic control will break easily and no longer serve as a reliable safeguard.

Technical and organisational measures

When the ‘state of the art’ for attack and defence evolves constantly, it is no wonder that professional opinion on appropriate security measures also changes constantly. To keep abreast of what is necessary over time, practitioners need to be aware not only of the technical state of the art but also of:

  • The changing consensus of professional opinion (as enshrined in internationally recognised standards)
  • Guidance from regulators and technical authorities
  • Case law, e.g. rulings that describe issues that regulators and technical authorities have investigated and consider to be failures, and the type of enforcement action they have taken to remediate those issues

While the standards of the day often change, the modalities in which safeguards can be designed, implemented and operated remain fairly constant. These include:

  1. Policies, standards and procedures – these are the written commitment and instructions on how security risks and impacts will be responded to by an organisation. They represent the design of the control environment and, when designed well, can be facilitators for secure-by-design and secure-by-default processes and the factor underpinning seamless and effective protection and response measures
  2. People – people will have a role in managing security risk for as long as they are involved in operational processes that use systems, data, and information. Incorporating people as a key line of defence, making them aware of the risks, and equipping them with the knowledge and tools to respond accordingly, is vital
  3. Technology – the importance of technology controls in managing cyber security risk cannot be overstated. This ranges from securely configuring native security modules within infrastructure devices such as web gateways and firewalls, to designing security strategies such as Zero Trust and DevSecOps, to deploying security tools that cover capabilities such as posture management, privileged access management, and endpoint detection and response

Example – cryptographic control vs quantum computing

In 2023, the US National Institute of Standards and Technology (NIST) issued draft standards for three quantum-resistant algorithms. These are not yet ready for use by organisations, but nor is quantum computing. Likewise, at the time of writing, cyber criminals aren’t yet able to make use of quantum computing for the purpose of causing harm.

Yet all that is likely to change by 2035, when organisations and cyber threat actors are predicted to be taking quantum advantage. By then, organisations will find that data and information protected to a 2024-level cryptographic standard will be essentially unprotected against quantum-enabled cyber threat actors. Quantum-resistant solutions must, therefore, be implemented well in advance.

How Evelyn Partners can help

Cyber security-related regulations (those named, plus others) require organisations to take a proactive, risk-based approach to data protection and cyber security. The measures taken should be decided upon and implemented in a manner that is proportionate to the risks posed, and should be regularly reviewed and updated to take into account the threats and opportunities of the day.

The Evelyn Partners Cyber Advisory team is here to help you understand these issues and to design and implement fit-for-purpose responses to security challenges, including those arising from regulatory requirements. Get in touch today for help improving your data protection and cyber security posture.

Sources

[1] EU GDPR and UK GDPR use the term “appropriate technical and operational measures” (for security, i.e. “the security principle”); UK NIS (2018) and EU NIS2 use the term “appropriate and proportionate technical and organisational measures”; EU DORA uses a combination of terms including “appropriate” governance, budget, strategies, policies, procedures, protocols and tools.