Another month, another large-scale cyber attack. That’s what 2017 felt like for many. Notably, the WannaCry ransomware attack in May, followed by NotPetya a month later, paralysed computers – and companies – globally.
One of the hardest hit was Danish shipping giant Maersk, which estimates NotPetya cost it up to €300m in lost revenue. But have these highly publicised attacks affected Nordic companies’ approach to cyber security?
“Ransomware attacks [in 2017] were definitely a wake-up call for many companies since they affected businesses of all sizes and from all sectors,” said Mika Susi, chief policy adviser, corporate security, at the Confederation of Finnish Industries. “I think many companies realised the chance of getting attacked nowadays is more probable than ever.”
Petteri Arola, head of cyber security for Fujitsu in Nordics, agreed. Cyber security awareness has been a growing trend for a few years as Nordic companies’ business models become increasingly digital, but Arola said the recent large-scale ransomware attacks have helped to push these issues higher on the boardroom agenda.
“Attitudes have changed. An important factor here is that when an issue is raised for the [executive] board’s attention and is driven by the board, it will get enough resources and budget,” added Arola.
The Nordics aren’t a safe haven
In 2017, cyber threats and security blunders also threw more fuel on the fire for Nordic cyber security. Most notably the Swedish government was hit by an IT security scandal in July when a major data leak from the Swedish Transport Agency was uncovered.
The leak was a result of the agency outsourcing its IT maintenance to IBM in the Czech Republic in 2015, but failing to carry out the required security clearance checks. This meant driving licence data and information about all vehicles in Sweden – including police and military – became available to foreign IT workers without security clearance.
“What’s happening is very controlled. It’s not small hacker groups doing it for the fun of it,” Frederiksen told the Copenhagen Post at the time. “It’s connected to intelligence agencies or central elements in the Russian government, and holding them off is a constant struggle.”
Soon after this a global cyber espionage campaign, dubbed Cloud Hopper, was discovered. China-based hacker group APT10 is suspected as being behind the attack, which targeted businesses and government agencies through IT service providers. Among the targeted countries were Sweden, Norway and Finland.
Countering cyber threats
But it isn’t all doom and gloom. Sisu believes preparedness for cyber attacks has improved in Nordic companies in recent years. Frederick Wennmark, solution consulting manager for the Nordics at ServiceNow, feels increased cyber security awareness has led to greater focus on developing structured, automated processes for IT security.
But this is not true for all. While the Nordics in general fare well in global comparison – in a recent PwC survey, 41% of its Nordic respondents had some kind of a cyber incident response plan, compared with 37% globally – Arola stressed there was a lot of divergence in cyber security approaches.
“There are still companies where cyber security maturity is at a fairly early stage. They haven’t properly prepared [for cyber threats], taken them seriously enough or don’t understand how they should be treated,” he said. “They have bought an anti-malware product and think the issue is sorted. But the situation is much more complex – protection needs to have multiple layers and the threat situation has to be constantly monitored.”
Nordic governments have also woken up to this and invested in cross-border collaboration. In the wake of the Russian cyber espionage news, Danish and Swedish defence ministers released a statement in August 2017 promising deeper defence cooperation, including against hybrid threats. These were defined as various forms of cyber attacks, disinformation and false news.
Mika Susi, Confederation of Finnish Industries
A month later, Finland’s capital Helsinki celebrated the opening of a European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE). The centre is tasked with supporting its member countries’ “efforts to enhance their civil-military capabilities, resilience and preparedness to counter hybrid threats”. Initially, it is joined by Finland’s neighbours Estonia, Latvia, Lithuania, Norway and Sweden, alongside France, Germany, Poland, Spain, the UK and the US.
Security as a service
By now it is readily apparent to companies and governments that cyber threats are here to stay, and Nordic organisations recognise they have to take new measures to prepare for them. Arola pointed out a growing trend is buying cyber security as a service, particularly in Finland.
“In Finland, [companies] are more ready to buy cyber security as a service. In Sweden, they might want to build their internal expertise more. But everywhere, the direction is towards buying as a service,” said Arola. “This is also because there is starting to be a shortage of cyber security expertise. Experts in this sector are in high demand and there aren’t enough of them to go around. So even if companies would like to do these things internally, they might not find the right talent.”
And expertise is needed as the cyber security sector becomes increasingly complex. Notably, Wennmark expects the number of Nordic companies using artificial intelligence (AI) and machine learning for security automation to grow in the coming year. But first comes legal compliance, as all European companies handling personal data prepare for GDPR, which comes into force in May.
“GDPR will be the big thing in 2018. First prepare and comply, then understand how to optimise and automate the processes around maintaining compliance and customer requirements,” Wennmark concluded.