Too Many Companies Underestimate IT Risks

There is much self-deception in organizations' cyber security posture. Anti-virus programs are often thought to provide adequate protection. Moreover, if the company has an IT system administrator and the IT service is managed, then it seems as though everything is fine. In fact, everything is far from being fine. Cyber security includes much more than just anti-virus protection.

Anti-virus programs and other technical solutions alone are of little use if the organization does not have a person responsible for information security and the necessary competence to implement and use these tools. The best solution is to have a manager in charge of the field with all the authority and responsibility for the development of cyber security.

Small businesses, big risk

You must first consider how big an impact cyber attacks would have on the company when planning cyber security. It should be noted that the majority of Estonian companies are small or medium-sized organizations, and many of them have surprisingly high IT risks. Unfortunately, it is accepted either knowingly or due to a lack of information.

Large investments in cyber security are not a priority for a start-up because the main focus is on testing the business model. Often, a working business model is still being sought and, as a result, IT solutions are also rapidly changed. Security usually becomes an issue when the company has reached the stage of raising money and investors need reassurance that it is a serious business.

However, in large companies and in critical fields such as healthcare, local government, energy companies, the financial sector, etc., IT risk is not at all acceptable. The situation in healthcare is particularly problematic. The importance of cyber security is recognized there but the meagre budget often leaves no good options because healthcare is seriously underfunded.

The importance of the situation has been understood in the financial sector. The sector actively invests in cyber security because banking has become almost entirely digital. Regulations have also tightened, which is reflected in greater protection of data and systems. On the whole, all this helps create cyber security because it forces companies to pay more attention to it and to direct the necessary resources into it.

The IT budget is still largely spent on hardware

There is a thicker layer of IT culture in the local offices of large international companies, as there is in Estonian organizations with traditions (in banks, telecommunications service providers, as well as the public sector). They have experience with cyber attacks or other incidents, and often employ several people with experience in IT who have contributed to the emergence of the IT culture.

At the same time, the IT culture is also a risk because technology becomes obsolete at a tremendous speed. For example, if a bank uses a mainframe computer that is required for certain operations, then its security requirements are a thing of the past.

Cyber security often does not fit into the budgets of private companies, either. It is common for companies to replace laptops and other office equipment every 3-5 years. Security solutions should also be reviewed with fresh eyes at the same interval because the lengths of their life cycles vary and some of them may be hopelessly out of date.

It is also common that the general IT solutions companies use in their operations have changed over a long period of time. For example, companies have started using cloud services; thus, security processes must also keep up with the times and be updated. Both external and internal audits help check whether risks are managed and whether the level of risk corresponds to the level of risk acceptable to the company.

Recovery from reputational damage may take years

In addition to the loss or manipulation of data, the company must deal with the damage to its reputation, which the victim of an attack automatically suffers. The larger the scale of the company, the more the company's reputation will be under attack. For example, should banking services be suspended for an hour or two, it would affect hundreds of thousands of customers in Estonia and make headlines. Cyber defense capabilities have proven to be a tipping point in highly competitive sectors when customers choose service providers.

Employee awareness plays an important role in the company's preparedness. Employees need to be informed and instructed on how to act in the event of cyber incidents. The information security unit must have its own emergency number for crisis situations, that is a hotline personnel can contact to report their concerns. It is important to remind employees that the threat must be reported immediately because the cost of days or weeks of delay can be very high.

The capability of cyber units is increasingly critical in national defense, and the same principle must also be followed in private business and other institutions.