The rapidly developing cyber threat landscape makes data service providers’ expertise and understanding of global information security all the more significant.
The geopolitical situation in our society, which is undergoing changes related to digitisation, has made cybersecurity questions critical across every organisation. Russia’s attack on Ukraine and Finland’s NATO membership discussions have raised the threat level for cyber attacks, but the threats materialise into business risks only if organisations do not prepare for them accordingly.
An unpredictable environment can be made safe if the risks and vulnerabilities are identified. In addition to safe technology, information security awareness, risk assessments and monitoring are needed in order to prevent business risks related to vulnerabilities in our systems.
At the same time, the rapidly changing world makes anticipation challenging, as DoS attacks and ransomware, for example, are developing at the same rate as the technology and continuously changing regulation. We live in a situation where the new normal is that there is no normal. All of this makes data service providers’ expertise and understanding of global information security all the more significant.
Constant change demands a new level of vigilance from organisations and people alike. We need to be able to anticipate and react quickly in order to secure the continuity of business even during potential crises.
A cyber attack does not automatically constitute a crisis, but in the worst-case scenario, it can threaten the very existence of an entire organisation. Protecting the critical data and ensuring the continuity of essential business operations in an exceptional situation helps to minimise the potential damage.
Computer programs are always susceptible to attacks, and the core functions of an organisation should never rely solely on them. An example of this is Denmark, where railway traffic had to be completely halted for several hours recently as a result of a cyber attack, as there was no longer a manual option for overseeing the railway environment. When we take the necessary precautions and practise preparation, we can avoid panic even in dire circumstances.
Cyber attacks should be seen as a flipside to the business opportunities arising from digitalisation and as part of an organisation’s normal everyday operations and risk management.
In the wild modern landscape of cyber attacks, we should try to remember that not nearly all situations constitute a crisis. For DoS attacks, which hinder business operations, and ransomware with potential for major disasters, there are good ways of safeguarding the company from being completely devastated.
When potential attacks have been prepared for in advance and the warning signs have been detected in time, operational reliability can be ensured even during a crisis.
Simply focusing on the prevention of attacks is no longer sufficient, because attacks are constantly becoming more advanced. It is extremely important that the system is monitored effectively in order to detect activity that deviates from the normal, and that the necessary actions are taken on that basis in a timely manner.
The rapid rate of technological development and the continuously updated regulatory measures alongside it make preparing for information security issues very challenging. The pressure to adopt modern technologies that promote efficiency and to launch new business software may tempt organisations to take shortcuts with regard to security questions.
Information security is created in the product development phase, and it cannot be added as an additional layer after the fact. In the future, the rush to develop applications may yet become a serious threat to business. Efficiency requirements and the actions of individual people are a much greater information security threat than the technology itself, although cybersecurity discussions are often focused on the technological aspect. We need a common mindset in securing development in accordance with the values of the European data economy.
The European Union’s General Data Protection Regulation (GDPR) is aimed at securing citizens’ self-determination in the data market, but in the operational field dominated by the giants of the digital field from outside Europe, the regulation has proven to be insufficient. New ways of protecting critical data from ending up in the hands of outsiders are constantly being sought, but the solutions are not so simple.
The safest choice may not necessarily be practical or even possible. Alongside the regulation, it would be crucial to have data management that is based on risk analysis, where the essential thing is to separate the critical data and place it in the optimal place from the perspective of both costs and security.
According to Tietoevry’s Head of Cyber Security Maria Nordgren and Communications Coordinator Liisi Hatinen, improving information security in a company is a team effort.
Separating the critical data requires careful mapping of the risks as well as an understanding of the multidimensional nature of the constantly changing regulation and of the topical information security and cybersecurity issues.
The starting point for risk analysis is to identify the most essential things from a business perspective and the threats that may expose the business to bankruptcy and to protect these by using robust defences. For instance, if ransomware prevents the shop’s cash register from being used and shuts the establishment down for multiple weeks during peak season, the business ends up in a state of crisis. The crisis must be prepared for in a preventive manner by making sure that cash payments can be received during potential attack situations, which will allow the establishment to keep its doors open, at least in some capacity.
Tietoevry tailors cloud services to its customers based on risk assessments, so that the confidential data of Finnish organisations is managed and processed in a sovereign cloud within the Finnish borders, leaving outsiders no possibility to access it. Data is often placed in the public cloud due to functional reasons, and the confidentiality of the data and the results of the risk assessment are considered with regard to the relocated data. It should be clear that data should be protected appropriately, even if it is in the public cloud.
In the sovereign cloud, information protection is centred around malware and access management. In the public cloud, the focus is on the analysis of users and activities that deviate from the normal. With our multi-cloud solutions, we make the choice easy for our customers – the data is protected according to its specific needs, regardless of what type of cloud solution is used.
The realisation of information security risks is typically tied to the individual’s lack of awareness and consideration. In the new global situation, the consequences of carelessness can be severe.
Negligence due to laziness is a common occurrence in setting passwords and user IDs, locking of computers, handling of e-mail links and tending of business-related matters in public spaces. People need to be constantly reminded of the importance of vigilance. In addition to training, this could take the form of small security pointers when the screensaver is active.
Information security risks often stem from the actions of individual people.
In a world of cyber threats, knowledge improves security, and unconscious action is prevented through expertise. The responsibility for the risks always lies with the company itself, but the help of an experienced and certified professional is the surest way to avoid disaster.
We help organisations find the balance between the level of information security, costs and the usability of services.