Cyber security
29.06.2022

Managers of Estonian companies consider information security and cyber security important

Managers of Estonian companies consider information security and cyber security important and assess the risk that cyber incidents materialise rather likely.

In the first quarter of 2022, KPMG Baltics, in cooperation with the Estonian business daily Äripäev, conducted an independent survey on information security and cyber security among leading Estonian companies. The survey’s main objective was to find out companies’ attitudes towards information security and cyber security and how they have gone about ensuring it. The survey was motivated by the instability of the current political, healthcare and economic situation in the world, which has undoubtedly had an impact on the field of information technology and, more specifically, cyber security. The survey aimed to draw attention to the importance of information security and specific weaknesses in this area, so businesses would become aware of potential threats and be better prepared to respond to them.

The survey was carried out in two stages. Stage 1 encompassed interviews with company managers of the 300 largest employers in Estonia. Stage 2 of the survey was dedicated to the healthcare sector, with interviews carried out among managers of healthcare institutions and organisations. The healthcare sector was treated separately in the survey because it is subject to more stringent data protection requirements due to processing sensitive personal data.

The survey results confirm that the vast majority of Estonian company managers consider information security and cyber security important and believe that the risk of a cyber incident materialising is rather likely today. In addition, the data shows that a large number of companies have already been directly affected by cyber incidents. Company managers confirm that the number of information security incidents has increased significantly over the past year. At the same time, fewer than half of the respondents assessed their ability to ensure information security and cyber security as sufficient.

The statistics of the survey based on the responses received from the 300 largest employers are as follows: 90% of the respondents are concerned about possible future incidents, 54% have lost time due to cyber incidents, and 41% have suffered financial loss due to cyber incidents.

However, the statistics for healthcare companies and organisations are clearly different: 85% of the healthcare companies surveyed are concerned about potential incidents, while only 10% of the respondents have lost time due to cyber incidents. None of the Estonian healthcare companies surveyed has suffered financial loss due to cyber incidents. The discrepancy between healthcare companies and the largest employers probably has one of three explanations:

  • potential criminals have no interest in attacking healthcare companies for ethical reasons;
  • healthcare companies’ protection measures are more effective than those of other companies;
  • attacks have already taken place, but healthcare companies have simply failed to detect them.

Notably, more than half of all respondents stated that the responsibility for information security in their company lies with a service partner. While this may be the case, it cannot be overlooked that, according to KPMG’s experience, it is often mistakenly presumed that the IT service partner automatically assumes responsibility for the company’s cyber security. In practice, this means that when the management of IT systems is outsourced, the company’s management expects the service to include ensuring the security of those systems (e.g. secure configuration of devices and applications, changing default passwords, periodic password changes, secure network segmentation, consistent installation of security patches on devices and applications, rogue access point detection, scanning for security vulnerabilities, etc.). Management thus believes that the responsibility for information security has been passed on from the company to the service partner. In reality, the IT service partner only performs the tasks that are specified in the contract, and as a rule a contract for IT services management does not include an obligation to ensure information security. It is often only when faced with a cyber incident that companies realise that their outsourced service does not actually meet their security expectations. Furthermore, it is important for company managers to understand that the ultimate responsibility for the security of their information systems remains with them, even if the contract signed with the IT service partner provides for every conceivable security obligation.

In addition, the survey results show that information security checks carried out by an independent party (e.g. penetration testing or IT security audits) are rather rare among Estonian companies. Unfortunately, particularly few such checks are carried out in healthcare companies, where one would expect more checks to be conducted given the higher standards in force. It may well be that, due to the lack of independent checks, many cyber incidents remain undetected, and the company’s management is under the false impression that no cyber incidents have occurred. At the same time, cybercriminals may have gained access to the company’s information systems and may already be selling electronic documents containing personal data or business secrets on the ‘black market’.

Today, information security and cyber security are more important than ever. KPMG recommends addressing cyber security proactively and systematically, mapping the current situation (ideally in cooperation with an independent party) and being prepared for worst-case scenarios (e.g. a ransomware attack across an organisation’s entire IT infrastructure that could paralyse its entire business operations). The survey results show that companies’ cyber security situation is far from ideal. Above all, one should do away with the mindset that “cybercriminals are not interested in us, so we are unlikely to be attacked” and focus on improving the situation today, as it may be too late tomorrow.

The independent survey conducted by KPMG Baltics OÜ and Äripäev can be found HERE.
