Cybersecurity – a responsibility of top management

Dec 18, 2020

Cyberthreats are an increasing phenomenon in today’s digitalized and connected operating environment. The same technologies that have enabled business transformation also enable or create cybercrime. Cyberattacks or breaches can, in the worst case, be devastating to a company. That is why cybersecurity should have high priority on the agendas of top management and boards.

“Cybersecurity has not really been strictly defined yet, but, in practice, it refers to the new types of security-related challenges that affect organizations and society at large as digital transformation – and our dependency on interrelated digital systems and services – progresses,” says Arttu Lehmuskallio, Director, National Cyber Security Center, Finnish Transport and Communications Agency.

Cybersecurity can also refer to the measures that an organization can use to protect its critical business systems, software, devices and data communications networks against any cyberthreats. Cyberthreats, in turn, are harmful events or processes that can affect an organization’s operations, finances, data, reputation and, in the worst case, the continuity of its business.

Through his work, Lehmuskallio has long experience with cyber-incidents and is used to seeing things from a risk point of view. “I sometimes wonder – half seriously – if we really know where we are going with digital transformation. Do we really understand all the risks and consequences of it?”  

Open communication would benefit everybody

Denial-of-service attacks, ransomware, data breaches, CEO fraud, social engineering... The digital operating environment opens several opportunities for criminals within both IT and OT environments, and any business, large or small, that relies on technology is at risk of becoming a target of cybercrime.

“What makes the situation even more complicated is that it isn’t necessarily your own organization that is attacked directly – it may be an organization in your business network whose difficulties then have a major effect on your business,” Lehmuskallio explains.  

An understanding of these kinds of digital interconnections between organizations is a crucial part of cyberthreat prevention: for example, making sure that all parties in the business network comply with cybersecurity standards and openly share information on threats.

“In general, all the organizations within a sector or a cluster would benefit from sharing of best practices but also from open communication and dialogue concerning cyberattacks that they have experienced.”

Cybersecurity is a top management responsibility

Cybersecurity was previously seen as the concern of IT security professionals alone. This, however, is changing, due to the growing awareness among senior executives and others about cyberthreats and their potentially devastating effects on businesses. Cybersecurity is increasingly becoming a top management and board-level concern – and should very much be so.

“According to a recent study among Finnish companies, organizations where top management is engaged in and prioritizing cybersecurity are better prepared for cyberattacks and also best equipped to quickly recover from them. These organizations have accepted the fact that prevention of cyberthreats requires continuous analysis and investments,” says Lehmuskallio.

Due to the enormous potential impacts, cybersecurity should be an integral part of a company’s risk management, and a cyberattack recovery plan needs to be included in the comprehensive business continuity plan. It is also good to keep in mind that, compared to many other risks, cybersecurity-related risks need to be assessed more often – preferably in real-time. All this makes cybersecurity a strategic-level issue.

“For example, when a new vulnerability is found in a service, it makes the service previously thought to be secure insecure not only immediately but also retroactively. It means that the system in question has possibly been insecure during its whole lifecycle. There is no guarantee that the vulnerability was not found and exploited already years ago.”

Proper strategy supports cybersecure decision-making

A carefully created cybersecurity strategy is a good tool for steering an organization’s development towards more secure IT and OT systems and for strengthening secure routines in daily operations. A cybersecurity strategy process may, for example, include identification and assessment of the potential risks, a realistic evaluation of the present state of cybersecurity in the organization, including its business network, as well as decision-making concerning development areas and resource allocation.

“A strategy should also state an organization’s cybersecurity-related targets and goals and the means, actions and routines that will help to reach them,” Lehmuskallio says.

In addition, it is important to increase personnel awareness of cyberthreats through communication, training and crisis exercises.

Approximately 90 percent of cyberattacks are carried out through individuals, and personnel are often said to be the weakest link. This is understandable because we humans are easy targets: we are empathetic, we want to please, we do not want to be humiliated and so on.

“But, as I see it, it is an organization’s and its top management’s responsibility to create a cybersecure environment and culture that help individuals to stick to secure routines and make the right decisions – and limit the damage an individual employee can cause.”   

Practice makes perfect – an opportunity one should not miss

Cybersecurity exercises are an excellent way to test an organization’s crisis management guidelines, processes and roles in practice as well as to improve its crisis tolerance and accelerate recovery from cybersecurity incidents.

“A company should think of an exercise as a crisis situation whose timing and effects it gets to choose – a ‘free’ crisis, so to say,” says Lehmuskallio. Some of the added benefits of exercises are improved observation, reaction and recovery skills of employees and decision-makers in case of severe security incidents, as well as faster allocation of resources to areas identified as vulnerable.

“Extremely important take-aways are also an increased understanding of supplier dependencies and an enhanced identification and management of individual threats in the cyber environment,” Lehmuskallio concludes.

Text: Sanna Haanpää-Liukko

National Cyber Security Center in Finland

The NCSC-FI develops and monitors the operational reliability and security of communications networks and services. It provides situational awareness of cybersecurity. The NCSC-FI is part of the Finnish Transport and Communications Agency Traficom.