John Whelan: Why cybersecurity will soon keep board directors awake at night

New EU directive means cyber strategy is now business strategy
Companies and their boards of directors would do well to recognise that cyber strategy is a business strategy.

The EU and Nato last week condemned "malicious cyber activities" against Germany, after an investigation into the 2023 cyberattack on the German Social Democratic Party (SPD) concluded that the Russian cyber-espionage group known as Fancy Bear was responsible.

Separately, Kristian Knudsen, a director-general at the European Parliament, sent an internal notification to all staff confirming that a breach of the system used for hiring temporary staff had taken place in April at the EU's Luxembourg facility.

"The malicious cyber campaign shows Russia's continuous pattern of irresponsible behaviour in cyberspace," EU chief diplomat Josep Borrell said in a statement on behalf of the EU, "by targeting democratic institutions, government entities and critical infrastructure providers across the European Union and beyond."

Reacting to the incidents, Nato called on Russia to respect “international obligations” and said it would “employ the necessary capabilities in order to deter, defend against and counter the full spectrum of cyber threats”.

The Russian cybercrime group known as Wizard Spider was identified as being behind the ransomware attack on Ireland's HSE in May 2021.

The healthcare industry is considered one of the sectors most vulnerable to cybercrime. Health systems, their interconnected business relationships and their diverse workforce collect and store large volumes of sensitive personal health information. Private patient data is worth a lot of money to attackers, who can sell it quickly, which makes the sector a growing target.

The Irish Government is pushing ahead, as a matter of urgency, with implementing the EU's Network and Information Security directive (NIS 2), which covers, among other sectors, healthcare, manufacturing and digital service providers.

According to Ita O'Farrell, head of compliance at the National Cyber Security Centre (NCSC), the government body responsible for monitoring implementation of the directive, the target date for the Dáil to approve the transposition of the directive into Irish law is mid-October this year.

At a briefing for healthcare and industry executives last week, O'Farrell advised that NIS 2 is geared toward improving cyber resilience in the public and private sectors and across borders. To assist organisations, she said a self-assessment framework will be issued alongside implementation guidance.

The NCSC advised that, under the directive, a significant cyber incident must be reported to its offices within 24 hours. In practice the directive's reporting regime is staged: an initial early warning is due within 24 hours of the organisation becoming aware of a significant incident, with a fuller incident notification to follow within 72 hours.

Some organisations raised the concern that meeting the compliance standards may involve significant costs. The NCSC anticipated that some funding assistance may be available to help companies and manufacturers, especially smaller businesses that may not have the technical resources or financial means to fully implement the directive.

As attackers continue to evolve their tactics and organisations become more digitised, it is becoming increasingly vital, regardless of the EU directive, that businesses keep their cybersecurity in order.

The interconnected nature of many sectors, and the reliance of businesses on cloud and other outsourced services, means a successful cyberattack on one supplier or service provider can expose the data of that provider's customers. These are known as supply chain attacks, a technique that cybercriminals have exploited repeatedly in recent years.

NIS 2 places a strong emphasis on risk management, requiring companies to identify their vulnerabilities and take steps to address them proactively. 

It also highlights the importance of supply chain security, meaning companies need to ensure that their suppliers also maintain adequate cybersecurity practices.

However, there is no doubt that the directive will significantly impact Irish business, requiring extensive management effort and investment to achieve and maintain compliance.

The EU stresses that because the directive is applied uniformly across all EU countries, the same rules apply everywhere within the internal market, creating a consistent and predictable environment for individuals and businesses, which may be of some comfort to business owners. NIS 2 follows on from the original NIS directive, adopted in 2016, which applied to highly critical sectors such as banking and energy.

However, like it or lump it, technology leaders, companies and their boards of directors would do well to pay attention to this directive and to recognise that cyber strategy is business strategy, and that understanding cyber risk is part of good governance in the digital age.

It may also be the issue that keeps board directors awake at night. The NIS 2 directive makes clear that the management body, in practice the board, must approve and oversee the organisation's cybersecurity risk-management measures and can be held liable for infringements, with substantial fines for non-compliance.

© Examiner Echo Group Limited