There is much self-deception in organizations' cyber security posture. Anti-virus programs are often thought to provide adequate protection. Moreover, if the company has an IT system administrator and the IT service is managed, it seems as though everything is fine. In fact, everything is far from fine. Cyber security involves much more than anti-virus protection.
Anti-virus programs and other technical solutions alone are of little use if the organization does not have a person responsible for information security and the necessary competence to implement and use these tools. The best solution is to have a manager in charge of the field with all the authority and responsibility for the development of cyber security.
When planning cyber security, you must first consider how big an impact cyber attacks would have on the company. It should be noted that the majority of Estonian companies are small or medium-sized organizations, and many of them carry surprisingly high IT risks. Unfortunately, this risk is accepted either knowingly or due to a lack of information.
Large investments in cyber security are not a priority for a start-up because the main focus is on testing the business model. Often, a working business model is still being sought and, as a result, IT solutions are also rapidly changed. Security usually becomes an issue when the company has reached the stage of raising money and investors need reassurance that it is a serious business.
However, in large companies and in critical fields such as healthcare, local government, energy companies, the financial sector, etc., IT risk is not at all acceptable. The situation in healthcare is particularly problematic. The importance of cyber security is recognized there but the meagre budget often leaves no good options because healthcare is seriously underfunded.
The financial sector has understood the seriousness of the situation. The sector actively invests in cyber security because banking has become almost entirely digital. Regulations have also tightened, which is reflected in greater protection of data and systems. On the whole, all this helps create cyber security because it forces companies to pay more attention to it and to direct the necessary resources into it.
IT culture runs deeper in the local offices of large international companies, as it does in established Estonian organizations (banks, telecommunications service providers, as well as the public sector). They have experience with cyber attacks or other incidents, and often employ several people with IT experience who have contributed to the emergence of that IT culture.
At the same time, an established IT culture is also a risk because technology becomes obsolete at a tremendous speed. For example, if a bank still uses a mainframe computer that is required for certain operations, then the security requirements that system was built to meet belong to a past era.
Cyber security often does not fit into the budgets of private companies, either. It is common for companies to replace laptops and other office equipment every 3-5 years. Security solutions should also be reviewed with fresh eyes at the same interval because the lengths of their life cycles vary and some of them may be hopelessly out of date.
It is also common that the general IT solutions companies use in their operations have changed over a long period of time. For example, companies have started using cloud services; thus, security processes must also keep up with the times and be updated. Both external and internal audits help check whether risks are managed and whether the level of risk corresponds to the level of risk acceptable to the company.
In addition to the loss or manipulation of data, the company must deal with the damage to its reputation, which the victim of an attack automatically suffers. The larger the company, the more its reputation comes under attack. For example, should banking services be suspended for an hour or two, it would affect hundreds of thousands of customers in Estonia and make headlines. Cyber defense capabilities have proven to be a tipping point in highly competitive sectors when customers choose service providers.
Employee awareness plays an important role in the company's preparedness. Employees need to be informed and instructed on how to act in the event of cyber incidents. The information security unit must have its own emergency number for crisis situations, that is, a hotline that staff can call to report their concerns. It is important to remind employees that a threat must be reported immediately because the cost of days or weeks of delay can be very high.
The capability of cyber units is increasingly critical in national defense, and the same principle must also be followed in private business and other institutions.
Head of Cyber Security
mihkelkukk@kpmg.com
+372 521 4332