Cyber security
27.07 2023

Too Many Companies Underestimate IT Risks

Mihkel Kukk, Head of Cyber Security Services at KPMG, notes that, although great importance is attached to cyber security in highly competitive sectors such as finance and telecommunications industry, and its significance is also recognised in national defense, IT risks are undeservedly often pushed into the background.

There is much self-deception in organizations' cyber security posture. Anti-virus programs are often thought to provide adequate protection. Moreover, if the company has an IT system administrator and the IT service is managed, then it seems as though everything is fine. In fact, everything is far from being fine. Cyber security includes much more than just anti-virus protection.

Anti-virus programs and other technical solutions alone are of little use if the organization does not have a person responsible for information security and the necessary competence to implement and use these tools. The best solution is to have a manager in charge of the field with all the authority and responsibility for the development of cyber security.

Small businesses, big risk

You must first consider how big an impact cyber attacks would have on the company when planning cyber security. It should be noted that the majority of Estonian companies are small or medium-sized organizations, and many of them have surprisingly high IT risks. Unfortunately, it is accepted either knowingly or due to a lack of information.

Large investments in cyber security are not a priority for a start-up because the main focus is on testing the business model. Often, a working business model is still being sought and, as a result, IT solutions are also rapidly changed. Security usually becomes an issue when the company has reached the stage of raising money and investors need reassurance that it is a serious business.

However, in large companies and in critical fields such as healthcare, local government, energy companies, the financial sector, etc., IT risk is not at all acceptable. The situation in healthcare is particularly problematic. The importance of cyber security is recognized there but the meagre budget often leaves no good options because healthcare is seriously underfunded.

The importance of the situation has been understood in the financial sector. The sector actively invests in cyber security because banking has become almost entirely digital. Regulations have also tightened, which is reflected in greater protection of data and systems. On the whole, all this helps create cyber security because it forces companies to pay more attention to it and to direct the necessary resources into it.

The IT budget is still largely spent on hardware

There is a thicker layer of IT culture in the local offices of large international companies, as there is in Estonian organizations with traditions (in banks, telecommunications service providers, as well as the public sector). They have experience with cyber attacks or other incidents, and often employ several people with experience in IT who have contributed to the emergence of the IT culture.

At the same time, the IT culture is also a risk because technology becomes obsolete at a tremendous speed. For example, if a bank uses a mainframe computer that is required for certain operations, then its security requirements are a thing of the past.

Cyber security often does not fit into the budgets of private companies, either. It is common for companies to replace laptops and other office equipment every 3-5 years. Security solutions should also be reviewed with fresh eyes at the same interval because the lengths of their life cycles vary and some of them may be hopelessly out of date.

It is also common that the general IT solutions companies use in their operations have changed over a long period of time. For example, companies have started using cloud services; thus, security processes must also keep up with the times and be updated. Both external and internal audits help check whether risks are managed and whether the level of risk corresponds to the level of risk acceptable to the company.

Recovery from reputational damage may take years

In addition to the loss or manipulation of data, the company must deal with the damage to its reputation, which the victim of an attack automatically suffers. The larger the scale of the company, the more the company's reputation will be under attack. For example, should banking services be suspended for an hour or two, it would affect hundreds of thousands of customers in Estonia and make headlines. Cyber defense capabilities have proven to be a tipping point in highly competitive sectors when customers choose service providers.

Employee awareness plays an important role in the company's preparedness. Employees need to be informed and instructed on how to act in the event of cyber incidents. The information security unit must have its own emergency number for crisis situations, that is a hotline personnel can contact to report their concerns. It is important to remind employees that the threat must be reported immediately because the cost of days or weeks of delay can be very high.

The capability of cyber units is increasingly critical in national defense, and the same principle must also be followed in private business and other institutions.

Mihkel Kukk

Head of Cyber Security
+372 521 4332

Bolstering Cyber Resilience with High-Quality Red Teaming

The escalating complexity and frequency of cyberattacks pose a critical risk to the stability of f..

Cyber security

KPMG recognized as a Leader in Cybersecurity Consulting Services in Europe

According to The Forrester Wave: Cybersecurity Consulting Services in Europe, Q1 2024.

We are excit..

Cyber security

Cyber Security Expert: IT Hygiene Should Not Be Neglected During Holidays and Vacations

The line blurring between work and spare time, and the widespread use of remote work mean that peo..

Cyber security

A Company Must Not Be Bought Without a Pre-transaction IT Audit

It is a volatile time for economy, which always leads to businesses being purchased and sold. For ..

Cyber security

How To Prepare for Overcoming a Cyber Incident

It is no longer a question of if cyber incidents take place, but when they will take place. Based ..

Cyber security

Provide a safe and sustainable business environment for your company. We help build a resilient and reliable digital landscape, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
Ahtri 4, 10151 Tallinn, Estonia
KPMG Baltics KPMG Global Privaatsuspoliitika
Email again:

HR assessment 

HR assessment focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.

Email again:

Threat assessment

Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.

Email again:

Maturity assessment

Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.

Email again: