Cyber Security

Stay on the safe side when it comes to IT security with expert advice from TCH Support

When it comes to IT security, you can rely on the comprehensive and expert consulting services from TCH-Support. The Munich-based service provider has been advising companies on IT security, data protection and system administration for many years and offers customised solutions such as individual websites and online shops. Companies are currently facing a new challenge: NIS-2, the Network and Information System Security (NIS) Directive, which aims to establish a high common level of cyber security in the EU. NIS-2 has been in force at EU level since 2023. This directive must be transposed into national law by 17 October 2024. The NIS-2 directive specifies minimum standards, but the individual member states can also issue stricter regulations. In Germany, only certified information and communication technology (ICT) products and services may be used. We stay up to date so that we may advise you in all matters relating to the NIS 2 Implementation Act and you can enjoy the best possible protection against risks with regard to your data security and that of your customers. Below you will find detailed information about our portfolio in general and the NIS 2 directive in particular. Among other things, you will find out who NIS-2 affects, what specific requirements it places on you and your company and what fines you can avoid.


Premium service - after all, it's about your company

At TCH-Support, customers enjoy a cybersecurity and data security service tailored to their specific needs. This premium service includes advice and support in all matters relating to IT, cybersecurity, digitalisation, data protection and system administration. On request, TCH-Support also offers training on customer-specified priorities. Here, companies can rely on many years of experience as well as insider knowledge from various industries and organisations. The approach is always holistic, as every company and every organisation has its own individual structures and should be viewed as a single organism. TCH-Support develops professional and unique digital strategies for visibility and success from a combination of several factors. TCH-Support has set itself the task of empowering its customers to streamline all their processes, to future-proof their strategy and to face change-related processes in good time. One such change is the NIS 2 directive, which is to be implemented in Germany this year.

A few words about the NIS 2 Directive

For the sake of topicality, let us briefly explain what the NIS2 directive is and to whom it applies. This directive is intended to regulate and standardise the cyber and information security of companies and institutions. EU member states must transpose the NIS-2 Directive into national law by 17 October 2024. NIS-2 contains stricter requirements for cyber security in various areas. Companies and organisations must deal with the topics of cyber risk management, business continuity, control and monitoring and the handling of incidents. NIS-2 also widens the scope, so the number of organisations that need to implement this directive increases as well. The topics of cyber security and cyber resilience will thus also be placed on the agendas of the majority of companies. Stricter liability rules for management teams are also included. The threat of higher sanctions increases the pressure to implement the new regulations. We are your competent partner for coping with the increased requirements and offer you customised solutions in every area, including, of course, in terms of NIS2.

Who should act now because NIS-2 affects them?

NIS-2 affects public and private organisations in 18 sectors with at least 50 employees or an annual turnover and an annual balance sheet of at least 10 million euros. In addition, there are other sectors that are affected regardless of their size, such as parts of the digital infrastructure, public administration, sole providers and KRITIS.

Sectors with a high criticality include the following areas:

- Energy
- Transport
- Banking
- Financial market infrastructures
- Healthcare
- Drinking water
- Waste water
- Digital infrastructure
- Management of ICT services (B2B)
- Public administration
- Aerospace

Other critical sectors include:

- Postal and courier services
- Waste management
- Production, manufacture and trade in chemical substances
- Production, processing and distribution of food
- Manufacturing/production of goods
- Provider of digital services
- Research

IT security - a broad field

IT security is a broad field and, just like the NIS2 directive, many areas are part of cyber security risk management. The aim of all IT security measures is to harden vulnerabilities in the IT infrastructure against threats as far as possible. The NIS2 directive is merely a response from the government to the increased number of cyber threats in recent years - many of our customers have already met these requirements thanks to our IT security consulting services. Below we show you some of the areas in which you can rely on our consulting services.

Risk analysis and security concepts for information systems

Creating concepts for risk analysis and security for information systems requires a structured and methodical approach. The process runs from taking stock of all information systems (important assets, data and resources), through assessing and analysing risks in terms of their probability of occurrence, impact and priority, to defining security objectives. Based on the security objectives, we develop security measures, policies and procedures that contain clear instructions. Finally, implementing and monitoring the measures, as well as increasing the security awareness of your employees, for example through training, is crucial.

Prevention, detection, and management of security incidents

The effective prevention, detection and management of security incidents requires continuous and coordinated collaboration between different departments and stakeholders within your company or organisation, which we would like to illustrate here. Preventing security incidents requires the implementation of security policies and procedures including, for example, access controls and password policies, the use of hardware such as firewalls and the updating and patch management of systems and software. To recognise security incidents, you need security monitoring systems for real-time monitoring of network activities, user activities and log files. Managing security incidents requires an incident response plan (IRP) with clear procedures and responsibilities, an IRP team, response capabilities (e.g., to quickly isolate affected systems, collect forensic evidence and fix security vulnerabilities) and comprehensive follow-up and assessment of the incident. With TCH-Support's security consulting solutions, you are in the best hands.

Business continuity (e.g., back-up management) and crisis management

Business continuity and cyber security crisis management aim to strengthen your organisation's resilience to cyber threats and ensure that you can maintain business continuity even in the most adverse circumstances, such as disruptions or interruptions. This requires proactive planning, preparation and response to potential security incidents to minimise the impact and protect business operations. An example of this would be back-up management, which is designed to prevent important data from being lost after a cyber attack. In addition, business continuity comprises backing up critical systems, setting up redundant infrastructure, introducing disaster recovery plans and training employees. When it comes to crisis management, our security consulting services can help you create plans and procedures to quickly identify, respond to and manage cyber attacks, data breaches or other security-related incidents.

Security in the supply chain

When it comes to cyber security, always think about protecting your supply chain. Our security consulting can help you implement critical supply chain security measures to minimise the risk of cyber-attacks, data breaches and other security incidents and ensure the integrity, confidentiality and availability of your products and services. Examples include robust supplier management systems, including due diligence and supplier assessments prior to signing a contract, as well as regular reviews and audits during the contract period. Potential vulnerabilities and risks can also be identified in a risk assessment - including threats such as data loss, supply chain disruptions and cyber-attacks. Ask us about our cyber security solutions. We will be happy to support you.

Security in purchasing, development, and maintenance of IT systems

Creating cyber security when purchasing, developing and maintaining your IT systems also requires a comprehensive and proactive approach. Best practices include audits and due diligence when selecting suppliers and service providers, the inclusion of security requirements in contractual agreements and the evaluation of products and solutions, for example with regard to purchasing. When developing your IT systems, you should pay attention to a security-oriented design, conduct regular security assessments and penetration tests and provide your developers with targeted training in the latest security practices and technologies. Robust patch management, monitoring and incident response are ways to maintain your IT systems to maximise cyber security.

Evaluation and effectiveness of the measures

If you strive for cyber security, you also want to know whether your measures are effective. Here, too, we support you with our security consulting to the best of our knowledge and belief. Together, we can conduct security audits and reviews to ensure that your security measures comply with current best practices and standards. In the course of this, potential vulnerabilities or compliance violations can be identified. Penetration tests and vulnerability scans, monitoring of security results and incident response are also among the tools used to assess the measures. We also help you to regularly compare your cyber security measures with industry standards, best practices and peer organisations, enabling you to quickly determine how you compare to others and where you may still have room for improvement.

Cyber hygiene (e.g., updates) and training in cyber security

Cyber hygiene refers to practices and behaviours that ensure the security and integrity of computer systems, networks and data. Just as physical hygiene helps to keep our human organism healthy, cyber hygiene can be practised to minimise security risks and effectively protect against cyber attacks. We are also happy to train your employees in this area. Cyber hygiene topics include password management, software updates, data backup, phishing prevention, increased security awareness, device and network security, access control, risk management and more. Is this an issue for you right now? Then get in touch with us to maximise your security and protect yourself from potential threats.

Cryptography and, where applicable, encryption

Cryptography and, where applicable, encryption are effective methods for protecting sensitive data, ensuring the integrity of information, verifying the authenticity of users and systems and improving protection against eavesdropping attempts and data breaches. Cryptography can be used to verify the identity of users, devices and systems and thus ensure that they are legitimate. This is often done through the use of digital certificates, key pairs and authentication protocols. Cryptography and encryption are also a means of fulfilling compliance requirements and data protection regulations such as the General Data Protection Regulation (GDPR). Cryptography also serves to secure access controls, as it only allows authorised users to access data and systems. Do you have questions on this topic? Then please contact our security consulting team.

Personnel security, access control and asset management

Companies can also count on our advice and comprehensive service in the areas of personnel security, access control and asset management - all essential components of cyber security. Personnel security includes security practices and procedures that serve to control and monitor the behaviour and actions of employees with regard to IT security, for example through training and awareness-raising measures. In addition, there is the implementation of access rights and authorisations. Access control refers to methods and technologies for controlling and managing access to IT systems, applications and data. This minimises data leaks, data protection breaches and unauthorised access to systems and applications because only authorised users can access the relevant resources. Finally, asset management refers to the identification, classification and management of all IT resources and assets in the company or organisation (including hardware, software, data and infrastructure).

Example: Multi-factor authentication

Multi-factor authentication is one example of many measures that strengthen cyber security by better securing access to sensitive resources and reducing the likelihood of unauthorised access and data breaches. It is an additional layer of security that makes it more difficult for attackers to gain access, even if they have stolen credentials. But what is the difference between multi-factor and continuous authentication? Multi-factor authentication requires users to authenticate themselves not only with a password or PIN, but also with at least one other factor (e.g., one-time password, fingerprint, biometric feature), significantly reducing the risk of unauthorised access. Continuous authentication monitors the user context and behaviour in real time and thus continuously checks whether the user is actually authorised. We are also happy to offer you our advice on cyber and information security requirements.

Secure voice, video, and text communication

When it comes to cyber security, make sure that your company has secure voice, video and text communication. The ways in which you can achieve this include using encrypted communication platforms, implementing secure authentication mechanisms, using secure networks, updating software and applications, monitoring and incident response, data protection and compliance, to name just a few generic terms. We are happy to offer you our advice and comprehensive services to make your company fit for all IT security challenges.

NIS2 Directive: What are the management’s responsibilities?

But what exactly does the legislator stipulate as responsibilities of the management of a company or organisation when it comes to implementing the new NIS 2 Directive? Firstly, they must monitor the implementation of cyber security measures and are liable for any breaches. Secondly, they must take part in appropriate training courses. To minimise the risk of a fine, we offer our customers training in all areas of cyber security and in particular with regard to the NIS 2 Directive.

... and what if significant security incidents should occur?

In the event of significant security incidents, the management of a company or organisation affected by the NIS 2 Directive is obliged to send an early warning to the competent authority within 24 hours of becoming aware of the incident, to submit a detailed report within three days and to submit a progress/final report after one month.

The pressure to act is constantly increasing - act now with TCH support

The prospect of fines increases the pressure on you as the managing director of your company or organisation to comply with the NIS 2 directive. At TCH-Support, we are on hand to provide our customers with advice and support on this and all other questions relating to your IT security. For the sake of completeness, we would like to briefly explain below what the legislator requires of so-called essential facilities and important facilities in terms of regulatory supervision and fines.

Regulatory supervision and fines: this applies to "essential facilities"

The "essential facilities" are subject to proactive supervision (regular security checks) and must expect fines of a maximum amount of at least 10 million euros or 2% of global turnover in the event of violations. Do not let it get that far and rely on our service when it comes to cyber security.

Regulatory supervision and fines: this applies to "important facilities"

"Important facilities" include large and medium-sized companies. They are subject to so-called reactive supervision following indications of breaches (i.e., targeted security checks). Fines for breaches are capped at a minimum of 7 million euros or 1.4% of global turnover. To prevent this from happening in the first place, contact our service consultants and raise your cyber security to an up-to-date NIS 2 guideline level.

We are TCH-Support – we have already braved many storms in cyberspace

Together with TCH Support, you can bring your company or organisation up to NIS 2 standard in terms of cyber security and, thanks to professional advice, avoid all the pitfalls that the vastness of IT security requirements holds in store. We maximise information security and minimise risks - that is the standard to which we hold our comprehensive services. Are you interested in comprehensive, competent, and honest advice in these rough seas, even on highly specialised terrain?

Let's steer your ship back into calm waters together

Get in touch with us and benefit from our services, from data protection to complete solutions for the NIS 2 directive. Our customers have trusted our expertise for many years, especially in difficult waters, and we have brought every company ship into a safe harbour when the legislative storm was raging all around. Let us be your pilot and help you steer your boat into calm waters, long before a storm can hit you. The best time to set a new course is now!