Nordic SMEs lack the money needed for cyber security

Businesses and governments in Denmark and Norway are working together to address a cyber security shortfall for SMEs in each country

Nordic companies remain increasingly vulnerable to malicious cyber attacks, with the high cost of keeping ahead of cyber attackers the biggest challenge for smaller organisations in the region.

In response, business organisations in Denmark and Norway have launched a series of initiatives to attract state support and help enterprises overcome the technical and financial barriers to implementing effective IT security to protect critical data networks and the integrity of their business.

The Danish Business Authority (DBA/Erhvervsstyrelsen), a business organisation that provides a range of support for high growth productivity companies, has identified cost as the single biggest factor impeding firms from strengthening their IT security defences.

This comes at a time of growing general awareness within companies of the increasing risks posed by hostile actors lurking and looking for easy targets in the cyber domain.

The DBA estimates that as many as 30% of all small to medium-sized enterprises (SMEs) in Denmark remain “acutely vulnerable” to malware attacks from cyber space, with affordability the most common reason SMEs give for shelving or delaying measures to strengthen their IT security systems and employ professional expertise.

Meanwhile, SMEs in Norway have been slow to prioritise IT security spending and system upgrades due to over-confidence in the ability of their existing systems to counter threats, according to a survey conducted by YouGov for the Oslo-headquartered Norwegian Center for Information Security (NorSIS).

The findings of the YouGov survey have caused NorSIS to intensify efforts to deepen cooperation with private and state sector firms to raise awareness about the diversity of cyber threat risks facing individual businesses and the long-term competitiveness of the Norwegian economy.

Peggy Heie, director general at NorSIS, described the survey’s findings as “deeply troublesome”. The results, she said, suggest that Norwegian companies are far too complacent regarding the capacity of their present IT security systems to deal with the growing sophistication of cyber space threats, especially a sustained strike or a targeted ransomware-type attack.

“Company leaders cannot expect partners and authorities to take all the responsibility for the protection against cyber crime. They must also act and invest in improving their IT security systems to safeguard their company’s assets and important data,” said Heie.

“Firms must also ensure that the digital competence of their employees is strengthened. What is extremely worrying from the survey is that so few Norwegian companies seem to recognise the actual extent of the risk they face from cyber space.”

NorSIS is responding to a lack of risk-awareness among Norwegian SMEs by redoubling efforts to encourage enterprises in the private and public sectors to run regular cyber threat tests to evaluate the effectiveness of their IT security systems.

Technical appraisals run by NorSIS also help SMEs judge the level of capital investment needed, both in technology upgrades and cyber threat defence expertise, to adequately protect their companies against the range of existing and future threats from the cyber domain.

Denmark’s security initiatives

In October, the DBA launched a co-venture with the Danish Industry Foundation (DIF/Industriens Fond) that specifically targeted SMEs wanting to professionally assess the cyber risk in their IT security systems and data networks.

Moreover, the DBA-DIF partnership will serve as a gateway for SMEs requiring state capital or technical support to part-finance and implement IT security upgrade projects.

“From what we know, some Danish companies are highly vulnerable to IT security threats. These threats can have far-reaching consequences for the individual company and for their employees. Our alliance with the DIF will elevate action around risk and preparation. It is imperative that Danish business and industry becomes more broadly part of the solution,” said Torsten Andersen, the DBA’s vice-director.

The Together Against Cyber Threats national initiative rolled out by the DBA-DIF partnership features recorded videos of companies that have fallen victim to malicious cyber crime attacks, including digital thefts against their IT systems and data network infrastructure. 

The DIF’s own research reveals that one in four Danish SMEs haven’t even implemented the most basic IT security measures to protect their businesses against routine cyber threats, said Tim Sloth Jørgensen, programme manager for the DIF’s special task force on cyber security.

“Together with the DBA, we want to add momentum to efforts to promote increased awareness of the threat-environment companies now face from cyber criminals,” Jørgensen said.

The DIF is heavily engaged and has invested in a number of high-profile cyber security enhancement projects in the Danish SME sector. The organisation has allocated DKK100m (€14m) to a cyber crime defence project to support SMEs against attacks on IT data systems. The Danish Hub for Cybersecurity (DHCS), launched in June 2019, is part-funded by the DIF. The DIF’s investment in the DHCS will amount to around €3.5m in 2019.

Significantly, the DHCS has a special unit dedicated to helping Danish companies, in particular SMEs and startups, professionally evaluate and respond to cyber threats. The DHCS is also working with enterprises to accelerate innovation and development in the cyber security domain. 

“The Danish hub has a strong cyber security focus. The ambition here is to bring together the various smart initiatives that exist around Denmark. This will allow the sharing of experiences and knowledge, while creating synergies across actors in the field. It will create an ecosystem that contributes to the development of innovative cyber solutions,” said Jørgensen.

Ultimately, the DHCS’s primary goal is to enhance the competitiveness of Danish business and industry by creating innovative tools and safe products through collaboration between research, innovation and teaching. A strong cyber security capability is regarded as one of the fundamental pillars of this national initiative to drive competitiveness.

The DHCS partners with Denmark’s leading universities, including the Alexandra Institute, the Centre for Defence, Space & Security, Copenhagen Business School, the Technical University of Denmark, the Danish Institute of Fire and Security Technology, and Aarhus Business Academy. Part of the DHCS’s funding will come in direct and indirect grants and contributions from the Danish state.

The Norwegian government is also primed to play a greater role in supporting the work of state-backed agencies such as NorSIS to improve cyber defence expertise in native companies. The YouGov study exposed a wide gap between actual IT security capability and the scale of threats. It also revealed a serious lack of both specialist cyber defence expertise and risk planning in most SMEs regardless of their location in Norway.

The risks that face Norwegian companies from bad actors in cyber space are certain to multiply rather than diminish, said Nikolai Astrup, Norway’s digitisation minister.

“The onset of 5G will bring additional risks for companies and society. The solution is effective dialogue at national level, collaboration, knowledge sharing and planning between the state and stakeholders in business and industry,” Astrup said.

“It’s essential that all practical steps are taken to protect critical national IT infrastructure and ensure enterprises, state and private, are equipped to operate safely and unhindered by malevolent actors in the cyber domain.”
