
Strengthen resilience with SIEM solutions and the SOC

Security events such as data breaches impact compliance. Comprehensive SOC and SIEM solutions reduce risks.

29 November 2023, Marcel Hoch

Keeping an eye on cyber security to support compliance

More than three billion euros in fines have been imposed since the European Union’s General Data Protection Regulation (GDPR) came into force in 2018. Failures of cyber security led to over 300 cases in which inadequate security measures were penalised – with significant financial losses.[1] In addition to the GDPR, companies must comply with other regulations – such as NIS2 or KRITIS – in which cyber security plays an important role.

Why compliance affects every company

How do companies manage to comply with all legal requirements and guidelines, such as NIS2? And how can they embed resilience into their value creation? Compliance is everyone’s business, whether you are a medium-sized company, a large corporation, or a public administration. For example, every company that processes personal data must comply with the GDPR – regardless of industry or size. Other examples include the TISAX guidelines in the automotive industry and the insurance supervisory requirements for IT (VAIT) issued by the German Federal Financial Supervisory Authority (BaFin) for the financial sector. There are also industry-independent regulations for operators of critical infrastructures. Examples are KRITIS in Germany and its European equivalent, NIS2, which came into force in the EU in January 2023. The EU Member States must transpose NIS2 into national law by October 2024. The goal: to ensure a uniform level of cyber protection across Europe and make life as difficult as possible for hackers.

IT security: transparency is essential

Many compliance requirements are basically about companies needing to know what is happening in their digital infrastructure – especially in their networks and IT systems. They are often required to log all security events and retain the log data for a specified period. Companies must also be able to show that their IT has not been infiltrated by malware – in other words, that their systems are in a compliant and trustworthy state. The best way to meet these requirements is through dedicated security technologies. This is where Managed Detection and Response (MDR), Security Information and Event Management (SIEM), and the Security Operations Center (SOC) come into their own. But what is behind these IT security solutions?

How do MDR, SIEM, and the SOC work?

As part of our Managed Detection and Response services, we continuously monitor our clients’ digital infrastructure, including networks, systems, and endpoints, to identify potential cyber threats. We use SIEM and the SOC to detect and respond to suspicious activities and anomalies. The SIEM systems collect and analyse all data, while the SOC monitors, analyses, responds, and improves security in real time. At Telekom’s SOC in Bonn, for example, more than 200 security experts keep an eye on Telekom’s systems and those of its customers around the clock.

The lucrative business of cyber crime


The benefits: by using SIEM, SOC, and MDR solutions, companies can not only better comply with the necessary regulations – such as the NIS2 Directive – but also make themselves more resilient. This is because the security solutions help them identify cyber risks at an early stage and initiate appropriate security measures. This is particularly important as the threat landscape is rapidly evolving. The situation is unlikely to ease in the future; companies and authorities will always attract cyber criminals, and they will find increasingly inventive ways to breach their defences. In the past, hackers were mainly interested in exposing organisations’ sensitive information to the public. Today, however, they are primarily interested in profiting. Cyber attacks are more lucrative than ever before. Ransomware attacks alone, in which hackers attack essential business systems and demand high ransoms, can earn millions of Bitcoins.

Compliance: don’t delay action

Compliance affects almost all companies and organisations. Therefore, when developing our services for Managed Detection and Response, SIEM, and the SOC, it was important for us to take into account as many requirements as possible. Scalability was one of the most critical functions. Some companies are still navigating their compliance requirements, such as the NIS Directive, and still need to think about the “how”. They often fall into a vicious circle: they don’t meet the existing regulatory requirements for cyber security to start with, while the number of requirements keeps growing. The more complex the tasks become, the more likely they are to become paralysed. Consequently, they postpone vital compliance actions indefinitely.

The solution is scalability: we start by implementing a small number of SIEM rules for our customers – to secure business-critical digital services and data and comply with regulatory requirements – and gradually create additional rules. True to the motto: start small and grow solidly over time.

In-depth expertise in security issues

Another area of our Managed Security Services is practical consulting. Companies and public administrations often need help answering important questions related to compliance. What should or must be secured? Are all devices, users, processes, and information systems being considered and protected in the best possible way? How should cloud security be managed? What should be done in the event of a security incident? Our experienced security experts provide comprehensive advice to those responsible on security issues and regulations such as NIS2, KRITIS, or GDPR. In the event of a cyber incident, they know exactly what to do and which security technologies or principles, such as zero trust, provide optimum protection for infrastructure and applications. This allows companies and public administrations to raise their level of security and face future cyber threats with confidence.

[1] GDPR Report, Proxyrack, 2023

Quick FAQs

What does a Security Operations Center do?

A Security Operations Center (SOC) is a team of IT security professionals that monitors an organisation’s (or client organisations’) entire IT infrastructure, 24/7/365, to detect cyber security events in real time and address them quickly and effectively. The security team also selects, operates, and maintains an organisation’s cyber security technologies and continually analyses threat data to identify ways to improve its security posture.

What is the NIS2 Directive?

The Network and Information Security Directive (NIS2) is EU-wide legislation on cyber security. It entered into force on 16 January 2023 and replaces the previous NIS Directive. NIS2 aims to achieve a standard level of cyber security across the Member States by imposing stricter risk management and incident reporting requirements, broader coverage of sectors, and more hard-hitting penalties.

Who does NIS2 apply to?

NIS2 applies to companies, suppliers, and organisations that deliver essential services for the European economy and society, not only those in Member States. Qualifying thresholds apply – for example, important entities with over 50 employees or 10 million in annual revenue will be considered automatically.

What is ISO 27001?

ISO 27001 is an international standard for managing information security. T-Systems is certified in accordance with the standard.

What is SOC 1?

SOC 1 is a report on controls relevant to a client’s internal control over financial reporting (ICFR). SOC 1 is required for outsourced systems covered by Sarbanes-Oxley (SOX).

What is SOC 2?

SOC 2 is a security framework that specifies how organisations should protect customer data from unauthorised access, security incidents, and other vulnerabilities. SOC 2 is part of the System and Organization Controls suite of services developed by the American Institute of Certified Public Accountants (AICPA).

What is the aim of SOC 2?

SOC 2 is designed to establish trust between service providers and their customers by providing auditors with guidance for evaluating the operating effectiveness of an organisation’s security protocols.

What is a SOC 2 framework?

A SOC 2 framework is founded on five Trust Service Principles essential for securely managing customer data. These are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

How do businesses achieve SOC 2 compliance?

To achieve SOC 2 compliance, businesses need to identify the type and scope of compliance, choose a compliance platform for automating processes, sign up a SOC 2 audit partner, conduct an internal risk assessment, and have a robust security stack.

What is a SOC 2 audit?

A SOC 2 audit is an independent third-party assessment that evaluates a cloud service provider’s or other service organisation’s internal controls and practices that protect and secure customer data. It involves auditing the organisation’s security, confidentiality, and privacy controls against the Trust Service Criteria (TSC) of the American Institute of Certified Public Accountants (AICPA).

What is a SOC 2 report?

A SOC 2 report is a report on a service organisation’s IT controls. It is an attestation report in which the organisation makes assertions about the design and implementation of those IT controls, and an independent Certified Public Accountant (CPA) firm audits those assertions. A SOC 2 Type 2 report also evaluates the operating effectiveness of the IT controls over a specified period.

What is a SIEM solution?

SIEM stands for Security Information and Event Management. It is a security solution that helps organisations detect, analyse, and respond to security threats before they harm business operations. A SIEM solution combines security information management (SIM) and security event management (SEM) into one security management system. SIEM technology collects event log data from various sources, identifies activity that deviates from the norm, and takes appropriate action.

What is the difference between a SIEM solution and SIEM tools?

The difference between a SIEM solution and SIEM tools lies in their scope and functionality. SIEM tools are products you can purchase, which are essential components of a SIEM system. SIEM tools focus on the technical aspects, such as collecting, aggregating, and analysing security-related data from various sources within an organisation.

On the other hand, a SIEM solution encompasses not only the SIEM tools but also the people, processes, and other technologies needed to implement a comprehensive security or compliance strategy.

In summary, while SIEM tools provide the necessary technical capabilities, a SIEM solution is a broader concept that integrates these tools with the appropriate expertise and procedures to create a robust security defence system.

In a security context, what is the difference between event data and log data?

Both event data and log data are crucial for monitoring and analysing system activities, but they serve different purposes and contain different types of information. In brief, event data describes observable occurrences that happen at a specific point in time (a login, a blocked connection, a configuration change). Log data is the time-stamped record of such events as written by the systems and networks within an organisation, which a SIEM then parses into event data for correlation.
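The two FAQ answers above (what a SIEM does, and log data versus event data) and the “start small” approach to SIEM rules described earlier in the article, as an added example that is not the article’s or T-Systems’ own code: raw log lines are parsed into event records, then two starter correlation rules run over them. The log format, the sample lines, the threshold, the time window, and the rule names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log data (not from the article): a short SSH auth log,
# one time-stamped record per line, in a simplified syslog-like form.
SAMPLE_LOG = """\
2023-11-29T08:00:01 sshd[1201]: Failed password for admin from 203.0.113.7
2023-11-29T08:00:04 sshd[1201]: Failed password for admin from 203.0.113.7
2023-11-29T08:00:09 sshd[1201]: Failed password for root from 203.0.113.7
2023-11-29T08:00:12 sshd[1201]: Failed password for admin from 203.0.113.7
2023-11-29T08:00:15 sshd[1201]: Failed password for admin from 203.0.113.7
2023-11-29T08:00:21 sshd[1201]: Accepted password for admin from 203.0.113.7
2023-11-29T08:05:00 sshd[1202]: Failed password for alice from 198.51.100.9
2023-11-29T09:10:00 sshd[1203]: Accepted password for alice from 198.51.100.9
"""

# Assumed line format; a real SIEM ships parsers per log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_events(log_text):
    """Log data -> event data: one normalised record per parsable line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # unparsable lines never reach correlation
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "src": m["src"], "ok": m["outcome"] == "Accepted"})
    return events

def run_rules(events, threshold=5, window=timedelta(minutes=1)):
    """Two starter rules: a failed-login burst per source IP, and a success
    from a source that was flagged by the first rule (assumed thresholds)."""
    alerts, flagged = [], set()
    failures = defaultdict(list)  # src -> timestamps of failures inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if ev["ok"]:
            if ev["src"] in flagged:
                alerts.append(("success_after_burst", ev["src"], ev["user"]))
                flagged.discard(ev["src"])
            failures[ev["src"]] = []  # a success resets the failure counter
        else:
            recent.append(ev["ts"])
            failures[ev["src"]] = recent
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("failed_login_burst", ev["src"], len(recent)))
    return alerts
```

Adding a third rule later (for example, a login from an unexpected country) means adding a function over the same event records, which is the incremental growth of a rule set the article recommends.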

About the author

Marcel Hoch

Team Leader Cyber Security Offence/Defence, operational services
