
An Irish perspective on NIS2, Cyber Fundamentals, and building a culture of security around training

In this blog we’ll look at how MSPs and IT leaders can meet the rigorous demands of NIS2 while leading a culture of security, by helping users see the benefits of improved security at the personal as well as the corporate level. Our guest editor, TISO Heather Roache from the Commissioners of Irish Lights, tells us how she’s building her team’s security.

What’s the NIS2 regulation on training, and how does it impact MSPs & IT leaders?

In Ireland and across the EU, the NIS2 regulations for cyber security are here. Ireland’s national cyber security council (NCSC) has recently published the first draft of its requirements for Risk Management Measures.

The NIS2 framework is aligned to the Irish Cyber Fundamentals regulations, which share their basis with those developed in Belgium and also used in the Netherlands. The key differences from the UK’s Cyber Essentials are the wider focus on the people in the organisation and on directorate responsibility.

Organisations need a working Information Security Management System (ISMS) and, most importantly, to make that policy real as part of everyday processes and procedures for all their people, with director level oversight.

What’s the specific training requirement?

Training needs are covered in Risk Management Measure (RMM) 6:

  • Ensure cybersecurity training (training/awareness) is provided to foster personnel behaviours
  • Provide an awareness-raising programme for all employees, regardless of their job function and including top management
  • Provide cybersecurity training for specific information systems

Why and how should this be a culture more than a NIS2 compliance checklist?

People are at the core of these regulations because human risk is the source of over 80% of breaches. Those breaches are often via phishing, which frequently preys on personal vulnerabilities and is enhanced by personal data. The impact can be as much on the person (including personal finances, data, devices, and reputation) as on the organisation (corporate finances, data, assets, and reputation).

The more cyber security is a good everyday habit applied to personal and corporate behaviour, the more likely it is to succeed as an extra layer of defence for a business. It starts with basics like password management: a lack of strong passwords sadly preceded the demise of this 158-year-old business.

A culture also represents an organisational approach to risk that prepares for it, declares its responsibilities and manages it better. This means that it’s not enough to have a policy, to train, and to hope. Phishing is organised on a massive scale, so while everyone needs to be aware and prepared, only one person needs to be compromised for an attacker to succeed. Organisations need to prepare and rehearse worst-case scenarios and work backwards through every step, from policies and procedures to security behaviours and reporting.

Real-world example: An IT leader realised late at night that they’d had a ransomware attack on their system. They were able to disconnect the network, close off the system and stop the attack. They then restored the data backup to the system, but it was already corrupted too. Restoring the backup before notifying their insurer invalidated their insurance policy. They were left with no data and no policy. Cybercrime is always more than an IT issue.

No person is invulnerable

Far from the famed ‘Nigerian Prince’ emails of the past, contemporary phishing uses social data from the web, AI insights and copywriting to fool targets. For example, a fast-growing biotech business noted that new starters (vulnerable and keen to impress) were often targeted, a few days after joining, with a phish claiming to be from the CEO, using profile data from LinkedIn on where they work, their role, when they started, and who their new boss is.

Everyone needs to be able to speak up

The ability for people to report phishing, clicks and mistakes is critical. Without that culture of openness to share concerns, risks don’t get reported. This has been a key message from Microsoft’s chief security adviser Sarah Armstrong Smith in her talks and book on cybercrime.

A standout example comes from the Commissioners of Irish Lights, where Heather Roache, Technology and Information Security Officer, has championed a culture-first approach.

Protecting people works best when it is personalised to the people you’re working with. Discussing with staff who they will call or talk to if they click on a fake bank link, or if they think their password, logins or social profiles have been compromised, is as important when they’re at home as when they’re at work.

The organisation has been really welcoming and supportive of a strong cyber security culture and encourages staff to report all issues. This has helped everyone adopt strong cyber habits and support each other.

Starting as organisations mean to go on

The ways in which Heather has built a cyber security culture start at the beginning, with the simple and the personal from day one.

  • Assigning policies and training for the first day an employee starts in the office, so they get familiar with where to find them in a non-emergency setting
  • Prioritising training on phishing and social engineering, to protect them at work and online at home outside work hours, and on GDPR rights and responsibilities as both members of an organisation and as individuals
  • Creating a personal investment with the user by sharing good habits that everyone can see on their own devices, like knowing how to check web links – e.g. long-press on a mobile to hold and view the destination
  • Avoiding jargon and making things as clear as possible
  • Creating moments to be accessible – e.g. informal lunches on cybercrime and what to do if you lose your phone or don’t update passwords, or even just having a dedicated day in the office where others can come and ask questions, be it about security at work or in their personal lives

A clear process that keeps users informed and supported

  • A clear workflow for people who may have been hacked – e.g. report it, the team will investigate and, if needed, provide an alternative laptop or login if yours needs to be quarantined
  • Reporting is encouraged, and no one is penalised for mistakes
  • The team takes the user’s machine and analyses it for any issues
  • Where required, data is reviewed and forensic confirmation awaited before the device is returned; this applies in the case of major security issues

Supporting IT leaders

It’s a common factor in the IT and cyber security industry in general that the role is stressful, especially if people feel they are solely responsible for a particular aspect or consider themselves to be a single point of failure.

  • IT and cyber security teams in general must be supported by greater transparency of process and risks. They can’t be expected to block or catch absolutely everything; it’s just not possible with the alert volume most companies and organisations experience.
  • Careful planning of staff workload, transparency of risks and reporting, and support from senior leadership are required in all industries with an IT or security team. Burnout is a major risk industry-wide and is responsible for a lot of analysts leaving the industry.
  • As an organisation adopts cyber security as a collective behaviour, it improves the wellbeing of the whole organisation, including the organisation’s reputation, consumer and partner trust, and the trust of the employees working there.

Conclusion: Building a culture of cyber security for NIS2

  • Start with a clear ISMS that cuts through the jargon and acronyms
  • Ensure the policy is shared and discussed with organisation leaders in the executive team – responsible directors, HR and Finance, as well as IT
  • Make cyber training a part of new employee onboarding and regular training for all grades and levels of expertise
  • Be open and supportive about the organisation’s security and risk

Building a security culture isn’t just about ticking NIS2 boxes — it’s about protecting people, data, and business resilience. 

Lupasafe helps MSPs and IT leaders in Ireland and across the EU build NIS2-ready organisations and supply chains with full cyber risk reporting, phishing testing, training, and dark web scanning.

The Commissioners of Irish Lights is an independent entity and not a client of Lupasafe.