


Cybersecurity requirements and good practice according to the European and Polish regulations


Recently introduced EU legal acts such as the GDPR (General Data Protection Regulation), the NIS (Network and Information Systems) Directive and the Polish Cybersecurity Act require, for their correct and complete implementation, not only legal knowledge but also a great deal of technical expertise. For this reason, since the beginning of this year Rödl & Partner has expanded its service portfolio to include new auditing and advisory services in the field of IT system and application security.

 

General remarks

The implementation in Poland of important EU legal acts, such as last year's GDPR and the newly enacted act on the national cybersecurity system, which is Poland's response to the NIS Directive, requires increased attention to the security of information systems. In particular, the Act on the National Cybersecurity System of July 5, 2018 is a groundbreaking piece of legislation. This universally binding law is intended to ensure security in the IT area "at the national level, including the uninterrupted provision of key services and digital services, by achieving an appropriate level of security of information systems for the provision of these services and providing incident support". It is also directly connected with the need for regular technical audits to verify, among other things, the effectiveness of the data security measures applied.


It is therefore necessary (for some businesses) and highly recommended to conduct audits that verify a company's readiness to implement, for example, the requirements of the GDPR or the Cybersecurity Act.
In order to fulfil the legal requirements, a company must audit its own systems, applications and IT infrastructure through penetration tests and social engineering tests. Each of these audits is good practice in implementing a company's data security policy and is directly recommended by the GDPR and the ISO 27001 standard. It is also an essential basis for a risk analysis of the data held by a company, because it can be used to determine the real level of threat to which data is exposed in the company's IT systems. However, the tests should go much further, covering the physical security of the premises, buildings and data processing zones, alarm and monitoring systems, access control systems, server room security and data archives. The security procedures in force are also checked, including the configuration of workstations, user rights, and users' awareness of the risks associated with their responsibility for the security of corporate data. Such technical audits can also be an excellent reinforcement of other services provided so far by Rödl & Partner, such as legal audits or due diligence. They also complement the duties of the Data Protection Officer and should be performed regularly in every company.

 

Security audits and penetration tests

IT infrastructure security audits may be conducted partly remotely and partly at the customer's premises. As part of such audits, susceptibility to external hacker attacks and the possibility of unauthorised access to data within the company network, e.g. by malware or by an employee acting to the detriment of the company, are verified. The audit activities also test the risk of eavesdropping on unencrypted data in network traffic inside the company or sent via web applications. Specialised application tests check whether applications contain programming or configuration errors that would create a risk for the data processed in them. A special case is penetration testing, which not only indicates the potential risks of IT systems or applications but also verifies the real level of threat to data by simulating a genuine hacker attack or malware infection.


Social engineering tests

Social engineering tests, on the other hand, verify employees' behaviour and reactions to situations that reflect real attempts to obtain access credentials to IT systems, or direct access to data, by hackers impersonating trustworthy people. While modern security systems have become a barrier that is too time-consuming for a hacker to breach, humans still remain the weakest link in the data protection chain. Most often, real attacks are targeted directly at employees, who are reached by means of e-mails containing fraudulent links or attachments; opening these results in access credentials being revealed or malware being installed in the IT system. Therefore, the most effective way to defend against these attacks is to educate employees through controlled phishing attempts. At the same time, we conduct our tests not only remotely via e-mail, but also in direct contact, e.g. by having outsiders attempt to enter the company's premises and gain access to protected areas.


Security of new technologies

We, as Rödl & Partner, have established a new business unit through which we can offer technical support in the planning and implementation of the activities mentioned above, required for instance under the GDPR, the NIS Directive, the Polish Cybersecurity Act or the recommendations of the financial supervision authorities, as well as of new technological solutions such as blockchain or smart contracts. Because new solutions require new, dynamically changing legal regulations, we also want to provide our consulting services in this field. By promoting the implementation of new technologies, we also train our legal and advisory departments so that they can help clients effectively adapt their implementations to different jurisdictions. Our competence centre is located in Poland, but we invite all Rödl & Partner clients worldwide to use our services in other countries as well.

 

Contact

Adam Wódz

+48 22 2440000
