
Part 1: From Cyber Risks to Building Resilience

 

Increasing cyber resilience requires investment and a change of attitude, where the security discussion focuses on solutions and resources instead of dwelling on threat images.

 

On November 7–8, 2023, the annual Cyber Security Nordic event was held in Helsinki, Finland. One central theme of the event was to examine the current Nordic cyber threat landscape, the changes in it, and ways to protect against the threats. According to the experts at the event, several overlapping factors now affect the Nordic cyber threat landscape. First, international political events are increasingly dividing the globe into different blocs. Related to this, it is likely that this year's most significant targets of cyber influence will be companies in the field of defence technology, their related suppliers and, especially in Finland, NATO cooperation. Secondly, the numerous dismissals that followed the recession and companies' austerity measures can create a basis for growing job dissatisfaction and thereby make it more likely that the insider threat is realised. In addition, presidential elections are coming up in Finland, which may be reflected in, among other things, an increase in disinformation campaigns. In the discussions, the threat landscape went hand in hand with resilience and the perspective of improving it.

In a short time, cyberattacks have undergone steroid-like development and have become very advanced. For example, cybercriminals have moved to offering their services in a more centralised manner than before, and more often tailor their attacks specifically to victim organisations. The Nordic cyber threat landscape has seen a spike in the number of ransomware and denial-of-service attacks, especially against Finnish companies, in the past year. This has been influenced by the international security situation, the support given to Ukraine and especially Finland's NATO membership process. The number of hacktivist groups has multiplied during the past year, which is also reflected in the increase in the number of attacks. In addition to the above-mentioned threats, cyber espionage has also increased significantly in the Nordic countries, as evidenced by the extensive phishing campaigns carried out by APT groups. The current cyber threat landscape is also affected by the rapid development of technology and the adoption of this new technology, which can be seen in the growth of the attack surface and in increased cyberattacks on different parts of the supply chain. The rapid development of artificial intelligence can be seen especially in the development of malware and in deepfakes that feel more and more real.

The changes in the cyber threat landscape require organisations to have a more multidimensional understanding of the situation than before and to keep up with the change. Investing in cybersecurity is no longer only one of the basic conditions for business continuity, but also a factor affecting overall societal resilience. In particular, the minimum requirements for risk management that come with the new NIS2 directive increase the pressure on companies to respond to the changing challenges of cybersecurity even better and faster than before. The minimum requirements of the NIS2 directive will directly affect critical actors in society in particular, but also, indirectly, the various parts of these actors' supply chains. They also serve as a good guide for those who are not directly related to critical sectors.

As the mandatory nature of cybersecurity increases, it also becomes an even more important competitive factor. Those organisations that have already invested in cybersecurity on their own initiative will stand out from the rest. It is recommended that, regardless of whether the directive applies to the organisation or not, cybersecurity should be brought to the level required by the minimum requirements. One of the challenges raised at Cyber Security Nordic was that companies currently do not have enough cybersecurity experts to meet the increased demands. Especially in the public sector and in defence, concern about the increase in regulation and compliance has grown over the past year. The key is to identify the organisation's needs and, if necessary, create partnerships that will cover the skill gap in all main areas.

Teemu Salmi, CEO of Nixu Corporation, discussed in his presentation at the event the latest annual cybersecurity report published by the company (Nixu Cybersecurity Index 2023) and how the most successful companies think and act when it comes to cybersecurity. According to the findings of the report, successful companies stand out from others especially in that they define cyber risk management as one of the company's most important assets – without the law obliging them to do so. However, a successful risk management process requires an understanding of why it is being done, so that it is done for the right reasons. We may often focus on the "wrong" risks or focus too much on the perspective of prevention. For companies that are successful in cybersecurity, it is always a management-level issue, which is basically also reported at the board level. According to Salmi, success can also be seen in the fact that the annual investments in cybersecurity are clearly higher than what is generally budgeted for this, and that cost efficiency does not come before cybersecurity. The key to being successful in cybersecurity is that enough time, resources, and budget are allocated to it.

In business, resilience is understood as an organisation's ability to tolerate disruptions and recover from them quickly, while maintaining business operations with as few delays or obstacles as possible. Business resilience is increased especially by the already mentioned strong risk management culture, but also by adaptable employees, a solid IT infrastructure and a strong supply chain. In its report, Nixu has also listed the issues that have a key impact on business resilience. According to the report, everything is based on a well-planned business strategy and continuity thinking. In addition to this, it is important to be aware of issues that threaten the business and of possible dependencies. It is also essential to integrate cybersecurity into the organisation's business goals and to ensure that the company has sufficient ability to detect anomalies, mitigate their risks and recover from cyber anomalies. Last, but not least, is building a culture of awareness in the organisation and regular monitoring of the cyber environment. The most resilient companies of all can improve and develop their own operations even during an ongoing stress situation. It is possible to practise this consciously by regularly conducting various stress tests related to cyber threats in the company. Increasing business resilience is above all a question of attitude: does your company want to be the one that thrives under pressure?

References
Valentino De Sousa; Principal Director, Cyber Threat Intelligence Lead for EMEA at Accenture: The Cyber Threat Landscape of the Nordics. Cyber Security Nordic 2023 Event.
Teemu Salmi; CEO Nixu Corporation: Business Resilience as a Strategic Priority. Cyber Security Nordic 2023 Event.
Carsten Maartmann-Moe; Head of Cyber and Digital Risk / CEO Advisense Norway: From Risk to Resilience. Cyber Security Nordic 2023 Event.
Nixu, Cybersecurity Index report 2023: https://www.nixu.com/sites/default/files/NIXU_CyberSecurity_Index_Report_2023.pdf

Pictures Cyber Security Nordic 2023. Helsinki Messukeskus/Kimmo Brandt