SMEs that are suppliers to large organizations must also be NIS2 compliant.
The NIS2 regulations were created to increase the cyber resilience of large companies in key industries. Within those regulations, there are several aspects to consider, one of which is the supply chain. It is in that supply chain that SMEs appear, and as small businesses they are suddenly inundated with NIS2-related questions. Are SMEs aware of the regulations, and how complex is compliance for them?
ITdaily brings five experts around the table to talk about the challenges of NIS2 for SMEs. We sit down with Alex Ongena, CEO and founder of AXS Guard, Ron Nath Mukherjee, Cyber Security Consultant at Eset, Driek Desmet, System Engineer at Easi, Koen Pauwelyn, responsible for Industrial Cybersecurity Services at Siemens and Yoran Dons, ICS Security Consultant at SoterICS.
Supply chain
“NIS2 is also alive and well among SMEs,” begins Desmet. “Many small companies come to us with questions about what NIS2 is, and what steps they need to take.” Ongena picks up on this, “It is alive and well among SMEs because supply chain security is one of the aspects within NIS2.”
In fact, SMEs are in the middle of that supply chain and consequently receive long questionnaires from their customers. They try to fill out the questionnaire as best they can, “but often they don’t always know exactly what to indicate,” Ongena says.
Uniformity
Small organizations that happen to supply an essential entity such as a hospital, for example, therefore find themselves squarely within the scope of NIS2, even if they are very small in scale. Dons stresses the importance of a unified approach to better guide SMEs through the NIS2 labyrinth. “For example, we could work with the same questionnaires, since companies have to meet the same controls at some level,” Dons says.
“That way, you could approach SMEs proactively with a unified approach. For example, there are working groups within Agoria that recognize that problem and are also working on this,” he states. Ongena also sees solutions for SMEs, namely that they can get themselves certified. “Even for smaller companies, getting an ISO certificate or an NIS 2 label is a smart idea. When you can present that, it can save an SME a huge amount of money,” Ongena explains.
A lot of SMEs face NIS2 through their large customers. In fact, the supply chain is full of small links. “At some point, almost everyone is going to have to deal with this. The supply chain can sometimes be very long,” Pauwelyn adds.
Part of evolution
Mukherjee looks at those friction points around NIS2 compliance for SMEs differently. He sees them as part of an evolution. “That’s just the purpose of regulation: to confront reality.”
Moreover, he notes that as a result, his customers view cybersecurity less as a cost and more as an investment. “Awareness around cybersecurity really seems to be growing with this,” Mukherjee said. Pauwelyn agrees: “Companies do have to get on board or they will fall by the wayside.”
MDR in SMEs
Mukherjee wonders how, in general, the complexity of cybersecurity can be removed for small organizations. “For example, SMEs have more limited access to Managed Detection and Response (MDR) services such as SOC or SIEM, compared to larger companies.”
Lower budgets and limited knowledge play an important role. Ongena: “There is no point in installing different tools and alarms at SMEs if no one has the time or knowledge to work with them.”
A lot of security companies integrate standard components at customer sites, which require a lot of people to tune them correctly. “It has to be done the opposite way. We’ve created a product with enough features that can be applied uniquely to each customer. The streamlining, dashboards and SOC processes are the same at all customers which also keeps the price so low. That way, even small businesses can take advantage of a fully managed SOC,” Ongena said.
Desmet also offers a way to solve the SOC problem for SMEs. “We have a Belgian-made MDR system, Bluehorn, designed specifically for SMEs. This still provides small businesses with a comprehensive security solution that connects all endpoints,” Desmet said.
Subsidize?
NIS2 brings new challenges for SMEs. As small businesses, they are stuck in the supply chain and thus forced to be NIS2-compliant as well. This often leaves them struggling and looking for answers. Meanwhile, the implications for SMEs are being recognized, and there are several help lines and alternatives through which a small business can still find its way to NIS2 compliance.
Several MDR alternatives tailored to SMEs also came up around the table, so that even small businesses can run a fully managed SOC to increase their cyber resilience.
Mukherjee put a final, intriguing question to the panel: “Should the state distribute subsidies to SMEs and cities and towns so that they too can be compliant?” All participants agree with this proposition. “That’s a good idea. It’s basically money you put into your own economy,” Dons concludes.
This is the third editorial in a series of three on the theme of NIS2. Click on our theme page to see all the articles from the roundtable, the video and our partners.