As the technological landscape continues to change, the security of company data and systems has become a key challenge for IT and cyber security managers. In view of the rise in threats and advances in digitalisation, companies need to be proactive in implementing security measures and carry out regular vulnerability scans, audits and assessments in order to actively review and optimise their own cyber security strategy. Performing a gap analysis can be a crucial and highly effective tool in this context. In this article, we will show you why this is the case and what this means for your corporate security in 2024.
Advances in digitalisation afford companies a plethora of attractive opportunities and open up vast economic potential. At the same time, new risks arise that companies need to confront quickly, consistently and efficiently.
2024 is in full swing and it is already becoming apparent that the cyber threat situation is getting worse, with ever-rising incidences of cyber attacks and «hacktivism». Now is the right time to take a close look at your company’s security practices, and a gap analysis can offer clear added value as you do so. If you are wondering whether and why you should also be considering this for your company, then read on!
The requirements for data protection and information security will continue to increase in 2024. Important legislative amendments affecting the critical infrastructures of electricity and gas supply and public transport are underway, including the binding implementation of minimum values.
The railways are no exception to the increasing importance of cyber security. The new regulations based on Art. 5c of the amended Swiss Ordinance on the Construction and Operation of Railways (EBV) will come into effect in July 2024. The amended EBV obliges railway companies to set up an information security management system (ISMS). Accordingly, the Swiss Federal Office of Transport has drawn up the directive known as the CySec-Rail Directive, which defines seven minimum requirements for an ISMS and 29 measures that must be implemented. Periodic information security audits are required to verify compliance with the regulations.
By performing regular information security reviews or audits, companies can implement the guidelines of the CySec-Rail Directive effectively. Regular audits show where information security needs to be improved, and suppliers and service providers must be taken into account as well. Identifying deviations, vulnerabilities and risks helps companies ensure that their cyber security strategy meets national standards and thus provides robust and effective protection against digital threats.
Supplier audit of the NOVA platform: an audit of suppliers for the users of the systems connected to NOVA and their users (NOVA users).
The Alliance SwissPass agreement (Ue500, section 4.2.4) requires the stipulations for cyber protection and data security to be complied with in the public transport sector. Security audits of the service providers are needed to verify compliance with these stipulations. Various measures of the ICT minimum standard (see V591 for details) need to be implemented.
The revised Swiss Electricity Supply Act (StromVV), which is expected to come into force in July 2024, is of particular importance for all electricity suppliers. The StromVV requires grid operators to implement minimum requirements that differ by protection level, which is assigned according to the amount of electricity transported (A ≥ 450 GWh/year; B ≥ 112 GWh/year and < 450 GWh/year; C < 112 GWh/year). A transitional period of 24 months applies. Annual audits are to be carried out to verify the implementation status.
The amendment of the Swiss Ordinance on Safety Regulations for Piping Systems (RLSV; SR 746.12) aims to make the ICT minimum standard, with its different requirements in terms of the protection level, binding and is expected to come into force on 1 July 2025.
As is the case in the electricity sector, the revised ICT Minimum Standard for Gas Supply 2.0 (Chapter 5.2) creates three protection levels (A, B and C) based on two main criteria: the pressure of the network or system (bar) in conjunction with the length of the pipeline (km), and the amount of energy transported (GWh/year). Each protection level corresponds to a specific maturity level. Operators of gas systems (pipeline systems) with a pressure of more than 5 bar and a pipeline length of more than 15 kilometres are automatically allocated to protection level A. For other gas network operators, the average amount of energy transported over the last five years is taken into account (A > 2,600 GWh/year; B > 400 GWh/year and ≤ 2,600 GWh/year; C ≤ 400 GWh/year).
The minimum requirements differ from the StromVV only in that the StromVV prescribes higher minimum values for protection level A.
Carrying out a gap analysis in the current year is not just an efficient and sensible measure to ensure compliance with standards. In fact, it is much more: it is a strategic mechanism to protect the future of your company. You can achieve a solid foundation for your company’s cyber security strategy by identifying security gaps and risks, adapting to new cyber threats and meeting compliance requirements. Investments in security are not only worthwhile financially, they also contribute to the long-term stability and reputation of the company.
A gap analysis will show you where things currently stand and provide full transparency. You will benefit from an overview of your current cyber security situation, a risk assessment, a strengths/weaknesses profile and specific recommendations for action and measures to take. The right time for a targeted minimisation of risks in your cyber security is now!