Managers of Estonian companies consider information security and cyber security important

The survey was carried out in two stages. Stage 1 encompassed interviews with company managers of the 300 largest employers in Estonia. Stage 2 of the survey was dedicated to the healthcare sector, with interviews carried out among managers of healthcare institutions and organisations. The healthcare sector was treated separately in the survey because it is subject to more stringent data protection requirements due to processing sensitive personal data.

The survey results confirm that the vast majority of Estonian company managers consider information security and cyber security important and believe that the risk that cyber incidents materialise is rather likely today. In addition, the data shows that a large number of companies have also been directly affected by cyber incidents. Company managers confirm that there has been a significant increase in the number of information security incidents over the past year. At the same time, only less than half of the respondents assessed their ability to ensure information security and cyber security to be sufficient.

The statistics of the survey based on the responses received from the 300 largest employers are as follows: 90% of the respondents are concerned about possible future incidents, 54% have lost time due to cyber incidents, and 41% have suffered financial loss due to cyber incidents.

However, the statistics for healthcare companies and organisations are clearly different: 85% of the healthcare companies surveyed are concerned about potential incidents, while only 10% of the respondents have lost time due to cyber incidents. None of the Estonian healthcare companies has suffered financial loss due to cyber incidents. The statistical discrepancies between healthcare companies and the largest employers are probably due to three possible reasons:  

• potential criminals have no interest in attacking healthcare companies for ethical reasons;
• healthcare companies’ protection measures are more effective than those of other companies;
• there have already been attacks, but healthcare companies have simply failed to detect them.
  

Notably, more than half of all respondents stated that the responsibility for information security in their company lies with a service partner. While this may be the case, it cannot be overlooked that, according to KPMG’s experience, it is often mistakenly presumed that the IT service partner should also automatically assume responsibility for the company’s cyber security. In practice, this means that by outsourcing the management of IT systems, the company’s management expects the service to include ensuring the security of the IT systems (e.g. secure configuration of devices and applications, changing default passwords, periodic password changes, secure network segmentation, consistent installation of security patches on devices and applications, rogue access point detection, scanning for security vulnerabilities, etc.). Thus, the responsibility for information security is passed on from the company to the service partner. In reality, the IT service partner only performs the tasks that are specified in the contract. As a rule, a contract for IT services management does not include an obligation to ensure information security. It is often only when faced with a cyber incident that companies realise that their outsourced service actually does not meet their security expectations. Furthermore, it is important for company managers to understand that the ultimate responsibility for the security of their information systems remains with them, even if the contract signed with the IT service partner provides for all possible security obligations.

In addition, the survey results show that information security checks (e.g., penetration testing or IT security audits) carried out by an independent party are rather rare among Estonian companies. Unfortunately, particularly few such checks are carried out in healthcare companies, where one would expect more checks to be conducted due to the higher standards in force. It may well be that, due to the lack of independent checks, many cyber incidents remain undetected, and the company’s management is under the false impression that they have not had any cyber incidents. At the same time, however, cybercriminals may have gained access to the company’s information systems and may already be selling electronic documents containing personal data or business secrets on the ‘black market’.

Today, information security and cyber security are more important than ever. KPMG recommends addressing cyber security proactively and systematically, mapping the current situation (ideally in cooperation with an independent party) and being prepared for worst-case scenarios (e.g. a ransomware attack across an organisation’s entire IT infrastructure that could paralyse its entire business operations). The survey results show that companies’ cyber security situation is far from ideal. Above all, one should do away with the mindset that “cybercriminals are not interested in us, so we are unlikely to be attacked” and focus on improving the situation today, as it may be too late tomorrow.

The independent survey conducted by KPMG Baltics OÜ and Äripäev can be found HERE.