NIS 2 Directive strengthens cyber security level in the EU

30 June 2023

Is it now called NIS-2, NIS 2 or NIS2?

Behind the different spellings lies the EU Directive 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS-2 Directive or Cybersecurity Directive), which was adopted at the end of last year.

The directive applies to a total of 18 sectors and distinguishes between essential facilities and important facilities.

The NIS 2 Directive is intended to standardise the level of protection and the rules on cyber security across the 27 EU countries, and it significantly expands the Directive's scope.

About the author

Florian Blättermann

IT Security & Data Privacy Consultant

Who is affected?

The NIS 2 Directive defines two groups of organisations from 18 different sectors. Organisations with fewer than 50 employees are not affected.

Essential facilities:

  • Large operators (>249 employees & €50 million annual turnover) from 11 sectors
  • Operators of critical facilities (KRITIS)
  • Other organisations (including DNS services, qualified trust services, federal ministries, Federal Chancellery)

Important facilities:

  • Large operators (>249 employees & €50 million annual turnover) from 7 other sectors
  • Medium-sized operators (50 - 249 employees & >€10 million annual turnover) from all 18 sectors
  • Other organisations (including trust services, defence equipment manufacturers)

NIS2 sectors

What is in store for these organisations?

The Cybersecurity Directive sets out minimum requirements for these facilities. Management must monitor compliance and is held liable for it. Measures must be implemented in the following areas:

  • Concepts relating to risk analysis and security for information systems
  • Management of security incidents
  • Maintaining operations (Business Continuity Management - BCM)
  • Security of the supply chain
  • Security measures for the acquisition, development and maintenance of network and information systems
  • Effectiveness of risk management measures in the area of cyber security
  • Cyber hygiene and training in the area of cyber security
  • Use of cryptography and encryption where appropriate
  • Personnel security, concepts for access control and management of systems
  • Use of solutions for multi-factor authentication or continuous authentication

What sanctions will I face if I do not comply with NIS-2?

Depending on the sector, breaches are sanctioned with different fines:

  • Essential sectors: Penalty of up to EUR 10 million or 2% of global turnover
  • Important sectors: Penalty of up to EUR 7 million or 1.4% of global turnover

NIS2 penalties

What does the timeline look like?

17 October 2024 is the transposition deadline for EU member states. This means that the NIS-2 Directive must be transposed into national law by then. As a typical NIS-2 compliance process can take up to 12 months, the evaluation should be started as soon as possible. In addition, management must ensure in good time that all security measures are complied with and regularly reviewed.

What can/must I do?

  1. Find out whether your organisation falls within the scope of NIS-2.
  2. You probably already fulfil some of the NIS-2 requirements. Document/update your processes.
  3. Check your information security infrastructure.
  4. Set up an ISMS (Information Security Management System).
  5. Get external help if necessary.

Do you have any questions?

Simply make an appointment with our information security experts and set the course now for successful compliance with the NIS 2 directive. By the way, it's called NIS-2 in German, NIS 2 in English and NIS2 is (probably) the SEO-optimised version.
