Major cyber attacks and security breaches often make headline news these days – and their impact on the Nordic region has been growing.
The rapid digitisation of Nordic life has brought with it opportunities for criminals and, according to Jarno Limnéll, professor of cyber security at Finland’s Aalto University and vice-president of Insta Group, there are two key reasons for this. “Firstly, our societies and business life are getting increasingly digitised,” he said. “Secondly, criminals seem to be getting more professional, innovative and aggressive.”
There are plenty of examples of this in the news. Just this month, Sweden revealed a serious data leak, potentially exposing military secrets, that was caused by an IT outsourcing slip-up. Back in 2014, 50 Norwegian oil and energy companies were hacked and a further 250 Norwegian firms put at risk, and in March last year a distributed denial of service (DDoS) attack crippled the online editions of Sweden’s biggest newspapers for several hours.
Earlier this year, even the CEO of Swedish security company Securitas was declared bankrupt following an identity theft.
According to PricewaterhouseCooper’s (PwC) Global economic crime survey 2016, 48% of the Swedish organisations surveyed had been exposed to IT-related crime – a significant increase from 26% in the previous survey in 2014.
Although PwC does not divulge the types of attack, a recent security survey by IDC Nordic found that the region’s IT security leaders thought phishing, malware and hacking posed the biggest danger to their networks, data and internet security.
Significantly less attention was paid to software vulnerabilities, with only one in eight respondents seeing vulnerabilities in third-party software as a significant threat, and even fewer were worried about staff use of personal devices or a lack of patching.
But these attitudes could soon change. The high-profile WannaCry ransomware attack took advantage of a Microsoft Windows vulnerability and its successor, NotPetya, tapped into the same exploit. Neither caused serious problems for Nordic organisations – with some notable exceptions, such as Danish shipping giant Maersk – but they fired warning shots.
“In the coming years, we will see more and more news similar to this about ransomware software, cyber espionage, data hacks and leaks,” said Limnéll.
IDC Nordic expects the region’s IT security market, including hardware, software and services, to grow by 7.5% a year between 2015 and 2020, and surpass €2.3bn by 2020.
Fuelling this upward trend is the growing use of mobile technologies, cloud services and the internet of things (IoT), which expose Nordic companies to new threats. Further pressures come from new regulatory demands, such as the upcoming EU General Data Protection Regulation (GDPR).
Despite the growing IT security market – or perhaps because of it – the number of Nordic organisations for which security breaches pose extensive problems remains relatively small. According to IDC Nordic, the average organisation has experienced fewer than four security breaches in the past two years, and only 7% suffered more than 10 breaches in two years.
But when breaches do happen, the consequences can be costly. According to the PwC survey, almost half of Swedish respondents that had fallen victim to cyber crime said it had cost them up to $1m in the past 24 months.
Similarly, in the IDC Nordic survey, 40% of respondents that had suffered a security breach said it had had direct economic consequences, such as paying a ransom or losing revenue. A further 45% said a breach had negatively affected their customer relationships.
But cyber security is not just about money – there are also politically motivated attacks. In January this year, Swedish prime minister Stefan Löfven raised concerns about the potential of Russia interfering with its elections, and in April Danish prime minister Lars Løkke Rasmussen pointed his finger at Russia in a cyber espionage case.
Around the same time, a large-scale cyber espionage hack, dubbed Cloud Hopper, was discovered, with Finland, Norway and Sweden listed among its targets (and with suspected backing from China). Cloud Hopper targeted managed IT service providers in the public, IT, communications, healthcare, energy and research sectors.
The trend does not surprise Limnéll. He pointed out that countries have always spied on each other and as information is increasingly stored in a digital format, this has introduced a new channel for espionage. What worries Limnéll most is the lack of consequences.
“The challenge is that countries can be more and more aggressive and act relatively freely in the cyber world without significant political consequences,” he said. “We are sending out the wrong signal that in the cyber world, political risks are small. This will encourage even more active and aggressive attacks.”
With cyber threats increasingly common and sophisticated, Nordic companies have also begun to realise that it is not enough simply to sort out their own security. In April, a group of Nordic banks, including industry giants Nordea and Danske Bank, announced a collaborative venture called Nordic Financial CERT (Computer Emergency Response Team).
Morten Tandle, head of the CERT, said: “For financial institutions, or anyone else who is defending against cyber attacks, being able to share information about these incidents is key. But there are still quite a lot of inhibitors for this.”
Key among these inhibitors are the legal restrictions concerning financial information, but Tandle said there was also still a tradition of “closed doors” in the security community. The Nordic Financial CERT aims to change this by taking its operational model from its Norwegian equivalent, FinansCERT. This means annual face-to-face meetings, weekly online meetings for situational check-ups, a digital portal for information sharing, and interaction and coordinated responses in the event of an IT incident.
Taking this a step further, Swedish government agencies can no longer choose to share information on major IT incidents – they have been required to report them to the Swedish Civil Contingencies Agency (MSB) since April 2016. The MSB’s head of cyber security, Richard Oehme, said it would take years to have the system fully in place, but he was already seeing the benefits.
“Before this, we had reports and dialogue, but now we know we get almost everything ‘into our basket’,” said Oehme. “It has already given us extremely valuable information about those incidents. Now we have to use those experiences to implement different sorts of guidelines for government agencies and the rest of the society.”
MSB says about one-third of the 350 IT incidents reported so far have resulted from cyber attacks.
Protect your crown jewels
Oehme believes Swedish organisations, both public and private, are well aware of today’s cyber threats, but their level of preparedness varies widely. For him, a positive shift in the past few years has been cyber security moving from an IT-only issue to be part of board-level discussions – but issues still remain.
Oehme advocates better risk assessment and contingency plans for all types of cyber incident. Organisations must assume that such incidents will happen and define what their “crown jewels” are – the areas where no risks are taken, he said.
“If you don’t do that at the beginning, you are going to be vulnerable to all different types of disturbances, from bad management to bad security and cyber attacks,” he said. “There is still a huge need for this, as I see it from the Swedish standpoint, and I don’t think it is any different in the rest of the Nordics.”
And the numbers back him up. PwC’s survey shows that 43% of its Swedish respondents have some kind of incident response plan in place for cyber crime, while the figure is 41% for the Nordics and 37% globally, but only 35% in Finland.
Similarly, IDC Nordic found that only half of the Nordic organisations surveyed have a strategic IT investment plan and only 28% invest proactively, although these types of organisation were less likely to suffer a security breach.
This ties in with Limnéll’s view that too many Nordic companies still view cyber security as something to fix once and then forget about for a while.
“Although in general it feels that companies are better prepared for cyber threats, they are yet to understand that cyber security is dynamic,” said Limnéll. “The big challenge, now that we have started to make progress and understand these phenomena and prepare for them, is how to follow on and keep up with the constantly changing threat landscape.”