Blog Anozr Way

NIS2 Directive: managing the human factor

Written by Emilie Musso | Feb 29, 2024 10:45:00 AM

As more than 80% of cyberattacks are attributed to human failure, the NIS2 Directive states that "Cybersecurity risk-management measures should provide for systemic analysis, taking into account the human factor" (recital 78 of the Directive; the operative risk-management obligations are in Article 21).

Monitoring digital footprints to reduce human cyber risks

A company's level of exposure to human cyber risks depends on the extent and accumulation of the digital footprints of its managers and employees. The digital footprint is made up of the professional and personal data exposed on the Internet, from social networks to the darkweb, providing all the material necessary for cybercriminals to satisfy their targeted attack scenarios against managers and employees. This accumulation of digital footprints defines a company's human attack surface, which needs to be measured and reduced.

Supply chain: detect data leaks and prevent rebound attacks

The more a company reduces its human attack surface, the less it exposes its ecosystem. The extension of the scope of NIS2 to smaller players in the economic fabric is explained by the growing number of attacks against them, but also by the growing phenomenon of rebound attacks, in which a compromised supplier or service provider is used as a stepping stone into its customers. The entities concerned by NIS2 are thus obliged to ensure the security of their supply chain (Article 21 of the Directive), whether this involves their service providers or their suppliers. For every company that falls victim to a cyberattack, 150 others are at risk (ANOZR WAY ransomware barometer).

Equipping your company with a data leak alert solution is a serious asset when it comes to meeting the objectives of the Directive. The sooner a data leak is detected, the quicker and more effective the company's response will be, not only to stop the intrusion, but also to notify the competent authority or CSIRT (in France, the ANSSI), its partner companies and its customers. Article 23 of the Directive sets out a two-stage declaration: an "early warning" within 24 hours of becoming aware of a significant incident, followed by an "incident notification" within 72 hours (see also recital 102). Detecting these incidents is an essential prerequisite for notification, and it is essential to react very quickly, before the leaked data is exploited and weakens not only the company but the entire supply chain. Equipping your company with a complete human risk management solution, including data leak detection, will enable you to meet the objectives set by the Directive and demonstrate that your company has complied with the obligation of means required by the text.

The entities concerned can also strengthen their cybersecurity by integrating "artificial intelligence or machine-learning systems to enhance their capabilities and the security of network and information systems" (recital 89).