Retarus Press Release
5 tips for ensuring your email security is NIS 2 compliant
More than virus protection and spam filter
Sydney, 17/12/2024 // While email remains the most important communication channel for companies, it is also the leading attack vector for cybercriminals. Email security is therefore critical. The recent NIS 2 Directive raises the minimum requirements for risk management and security measures. How should companies ensure that their email environments are NIS 2 compliant?
The EU’s aim behind the NIS 2 Directive is to raise organizations’ overall level of cybersecurity. At the moment, EU member states are working to transpose the directive into national law. In Germany, this is being done through the “Law on Implementing NIS 2” (NIS2-Umsetzungsgesetz), which is expected to come into effect by March 2025. To achieve compliance, companies will have to take a serious look at the quality of their email security. After all, email is the entry point most often used in cyberattacks. Article 21 of the directive requires companies to take “appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents”. In the five tips that follow, we look at what this means in the context of corporate email.
1. Take steps to augment your email safeguards
Most companies already have basic security measures in place to protect their email environments, including up-to-date virus scanners and phishing filters that intercept harmful emails before they reach the recipient’s inbox. However, this only covers part of the threat. Cybercriminals continually develop new malware variants, which signature-based systems cannot detect until a matching pattern is available to check against. In addition, social engineering attacks such as CEO fraud are on the rise: victims are tricked into transferring large sums of money or sharing sensitive data. These frauds rely on convincingly faked emails, often without any malicious attachment or link at all, which conventional phishing filters struggle to detect. To minimize the risk from these increasingly sophisticated attacks, companies need more advanced email protection. This includes, for instance, AI-assisted analysis that can identify spoofed sender addresses and lookalike domains. Another important enhancement is time-of-click protection: links in inbound emails are rewritten so that the destination is re-checked at the moment the user clicks, which blocks URLs that were harmless at delivery but have since been weaponized. To detect novel malware, sandbox analysis is indispensable: suspicious or previously unseen attachments are detonated in an isolated environment so that malicious behavior can be observed even when no signature exists yet.
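The sender checks mentioned above can be illustrated with a small heuristic. The following is an added example, not Retarus code or a description of its product: it assumes a constructed list of protected domains (the organisation’s own plus key partners) and flags From headers whose domain is a visual lookalike or one-character typo of a protected domain, uses non-ASCII or IDN labels, embeds a protected domain inside a longer one, or carries a protected address in the display name while the real sender is elsewhere. An exact domain match is not judged here; whether such a message genuinely came from that domain is a matter for SPF, DKIM and DMARC.

```python
"""Heuristic checks for spoofed senders and lookalike domains in a From header.

Added example, not Retarus code. PROTECTED_DOMAINS and all sample headers are
constructed for illustration.
"""
import re
import unicodedata
from email.utils import parseaddr

# Constructed for this example: the domains an attacker would want to imitate.
PROTECTED_DOMAINS = {"example.com", "partner-bank.com"}

# Character sequences that look alike in common fonts (lookalike -> canonical).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b")]


def skeleton(domain: str) -> str:
    """Collapse a domain to a visual skeleton so that lookalikes compare equal."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typo-squats such as exanple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_from(header: str) -> dict:
    """Return the findings for one From header value."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    # An exact match (or a subdomain) is not flagged here; whether the message
    # really came from that domain is for SPF/DKIM/DMARC to decide.
    trusted = domain in PROTECTED_DOMAINS or any(
        domain.endswith("." + p) for p in PROTECTED_DOMAINS)
    if not trusted:
        if not domain.isascii() or any(
                label.startswith("xn--") for label in domain.split(".")):
            reasons.append("non-ascii/idn domain")
        for p in PROTECTED_DOMAINS:
            if skeleton(domain) == skeleton(p) or levenshtein(domain, p) <= 1:
                reasons.append(f"lookalike of {p}")
            elif p in domain:  # e.g. example.com.evil.net
                reasons.append(f"embeds {p}")

    # "ceo@example.com" <attacker@mail-free.net>: the mail client shows the name.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() in PROTECTED_DOMAINS and not trusted:
        reasons.append("display-name spoof")

    return {"display_name": name, "domain": domain,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for sample in ["CEO <ceo@example.com>",
                   "CEO <ceo@examp1e.com>",
                   '"ceo@example.com" <attacker@mail-free.net>']:
        print(sample, "->", analyse_from(sample)["reasons"])
```

Heuristics like these produce false positives on legitimately similar domains, so in practice a hit should raise the message’s risk score or trigger a warning banner rather than block it outright.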
2. Encrypt your sensitive emails
Article 21(2)(d) of the NIS 2 Directive calls for measures to secure the supply chain, including the relationships with direct suppliers and service providers. In the context of email, this means securing all communication with suppliers, providers, and partners, which is achieved through encryption. Article 21(2)(h) explicitly requires policies and procedures regarding the use of cryptography and, where appropriate, encryption. In practice, however, email encryption often fails to take hold because users find it too complicated and inconvenient. Companies therefore need a solution that lets users encrypt outbound emails with a single click directly in the email client, without any technical knowledge or manual key management. A secure email gateway that supports the common standards (such as S/MIME and OpenPGP) makes this possible by holding and managing the certificates and keys on the users’ behalf. Note the trade-off this implies: the message is protected from the gateway outward, not from the user’s desktop, so the gateway itself must be treated as a trusted component. If the recipient does not use encryption, the message can still be delivered to a secure webmail inbox, from which it is retrieved over an encrypted connection.
3. Consider your emergency communication plans
Article 21(2)(c) of the NIS 2 Directive requires measures for business continuity, such as backup management and disaster recovery, while Article 21(2)(j) stipulates the use of “secured emergency communication systems” within the entity. For email, this means you need a contingency plan for the case that a cyberattack takes your email infrastructure out of action: how do employees keep sending and receiving messages while the primary system is down? After all, email is a business-critical process. Email continuity management services address this by keeping an external, independent, and secure webmail service on standby. Should disaster strike, you switch over to the emergency service without delay; the accounts have been provisioned in advance and contain the previous two weeks’ emails as well as the users’ stored contacts. For this to work, the continuity service must run on infrastructure separate from the primary mail system, and access to it must not depend on the identity infrastructure that the attack may have taken down or compromised.
4. Check emails which have already been delivered
Article 21(2)(b) prescribes measures for incident handling. You therefore need to be able to detect and investigate attacks quickly, and identifying the point of entry into the network is crucial. How can you quickly find the recipients of malicious emails that have already been delivered? Patient zero detection handles this: as soon as an email is received, a digital fingerprint (a cryptographic hash) of each attachment is generated and stored in a database. The stored fingerprints are continuously re-checked against the latest threat intelligence, including global malware research findings. If a message that is now known to be dangerous is found in a user’s inbox, it can, depending on how the service is configured, be quarantined automatically or deleted outright.
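The mechanism just described, retrospective matching of fingerprints taken at delivery time, is shown below as an added example; it is not Retarus code and does not describe the internals of its service. The index keys each attachment’s SHA-256 hash to the message ID, recipient and file name recorded at delivery; when a later threat intelligence update flags a hash, the index returns every recipient who already has the file. All messages, addresses and attachment contents are constructed samples.

```python
"""Retrospective ('patient zero') detection for attachments already delivered.

Added example, not Retarus code. Every attachment is hashed with SHA-256 at
delivery time and indexed by hash together with message ID, recipient and file
name. When threat intelligence later flags a hash, the index answers who has
already received that file. All messages below are constructed samples.
"""
import hashlib
from collections import defaultdict
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses


class AttachmentIndex:
    """sha256 -> list of (message_id, recipient, filename) seen at delivery."""

    def __init__(self):
        self._by_hash = defaultdict(list)

    def ingest(self, raw_message: str) -> list:
        """Record the fingerprint of every attachment in one inbound message."""
        msg = message_from_string(raw_message)
        msg_id = msg.get("Message-ID", "<unknown>")
        recipients = [addr for _, addr in getaddresses(
            msg.get_all("To", []) + msg.get_all("Cc", []))]
        digests = []
        for part in msg.walk():
            filename = part.get_filename()
            if part.get_content_maintype() == "multipart" or not filename:
                continue  # container or body text, not an attachment
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            digests.append(digest)
            for rcpt in recipients:
                self._by_hash[digest].append((msg_id, rcpt, filename))
        return digests

    def retro_hunt(self, known_bad) -> list:
        """Re-check the stored fingerprints against newly published bad hashes."""
        hits = []
        for digest in known_bad:
            for msg_id, rcpt, filename in self._by_hash.get(digest, []):
                hits.append({"sha256": digest, "message_id": msg_id,
                             "recipient": rcpt, "filename": filename})
        return hits


def build_sample(msg_id: str, to: str, filename: str, content: bytes) -> str:
    """Constructed inbound message with one attachment, as a gateway would see it."""
    m = EmailMessage()
    m["From"] = "billing@supplier.example"  # constructed sender
    m["To"] = to
    m["Subject"] = "Invoice"
    m["Message-ID"] = msg_id
    m.set_content("Please find the invoice attached.")
    m.add_attachment(content, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed payloads; the first merely stands in for a malicious file.
MALICIOUS_SAMPLE = b"MZ\x90\x00 constructed stand-in for a malicious attachment"
BENIGN_SAMPLE = b"%PDF-1.4 constructed benign document"


def demo() -> list:
    """Deliver two messages, then learn hours later that one attachment is bad."""
    index = AttachmentIndex()
    index.ingest(build_sample("<1@supplier.example>",
                              "alice@example.com, bob@example.com",
                              "invoice.exe", MALICIOUS_SAMPLE))
    index.ingest(build_sample("<2@supplier.example>", "carol@example.com",
                              "report.pdf", BENIGN_SAMPLE))
    # Threat intelligence update: this hash is now known to be malicious.
    feed = {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()}
    return index.retro_hunt(feed)


if __name__ == "__main__":
    for hit in demo():
        print(f"quarantine {hit['message_id']} for {hit['recipient']} ({hit['filename']})")
```

Each hit is a structured record, so the same output can be handed to the quarantine workflow and forwarded as an event to the SIEM. Hashing at delivery is what makes this cheap: the attachment never has to be fetched from the user’s mailbox again, and the re-check is a lookup against the index for each newly published hash.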
5. Improve your forensics
Article 23 of the NIS 2 Directive defines strict reporting obligations. Affected companies must submit an early warning to the CSIRT or, where applicable, the competent authority within 24 hours of becoming aware of a significant incident. Within 72 hours, an incident notification with an initial assessment must follow, and a final report with a detailed description of the incident is due no later than one month after that notification. To meet these deadlines, you need quick access to all relevant information. It is therefore crucial to collect and analyze security events from the email environment in an overarching security framework such as a SIEM (Security Information and Event Management) system, so that you can establish within hours which messages, attachments, and recipients were involved. The email gateway should expose this data through a secure interface as structured events, delivered in real time.
Conclusion
Making your email security NIS 2 compliant means more than simply checking inbound and outbound messages. Companies need to take a close look at their entire email infrastructure and develop policies and procedures for detecting threats and responding to cyberattacks. Detecting threats early and limiting damage contributes to the directive’s overall objective of raising the level of cybersecurity in Europe. It is therefore advisable to opt for an integrated solution that combines all essential security functions on one platform and provides them on a modular basis, so that companies can reduce management effort and augment their existing security infrastructure according to their own requirements.
About Retarus
Retarus is a global provider of API