5 things to focus on in 2021 to cybersecure your business

It is wise to learn from the past, and yet, the future requires even more from us. We listed five lessons for business leaders on how to improve the cybersecurity of their business in 2021.

Text by: Mika Hållfast, VP, Security Leader for Finland, Poland and Baltics Region at CGI

A SMART PERSON LEARNS FROM OTHER PEOPLE’S MISTAKES

In addition to the coronavirus pandemic, the year 2020 will be remembered for its cybersecurity news. The top news story in Finland was the Vastaamo case: a database with sensitive patient information was breached. The information security company FireEye’s difficulties and the cyberattack against the Parliament of Finland also made the headlines. Some good points can be drawn from these examples.

1. MERE RESOURCES ARE NOT ENOUGH TO PREVENT CYBERATTACKS

FireEye probably has the best possible professionals and technological solutions to secure its business. The same is true of the Parliament. A central governmental actor must have had sufficient resources and been very familiar with the threat landscape. But the opposing side has many aces up its sleeve. First of all, it has complexity on its side. An IT environment comprising thousands of components must always be configured correctly and always be updated to the latest versions. Secondly, the opposing side has time on its side. It doesn’t care about working hours – at least not the Finnish Working Hours Act. Nights, weekends, and holidays shouldn’t have an effect on your ability to defend.

# Resources are not enough to prevent cyber problems. However, their likelihood and impact can be significantly lowered with resources well spent.

2. YOU CAN’T PROTECT EVERYTHING

According to FireEye, the “only” tools compromised were those used for the consulting business. The attackers were unable to get their hands on the crown jewels of product development. This is essential in terms of the company’s business continuity. If the source code of its information security products had been exposed, the company would probably have faced insurmountable difficulties. The Vastaamo case could have had a better ending if information about confidential therapy sessions and other client information had been separated.

# Choose what you protect, preferably based on risks.

3. DAMAGE CAN BE MINIMIZED WITH GOOD COMMUNICATION

It is interesting to compare how different cyber breach cases have been communicated to the public. Our cases have some good and bad examples. FireEye chose to be honest: “Yes, this happened. Here are the instructions on how to minimize the damage.” It turned out to be a good approach, and the company is probably able to continue its business. This is a good lesson to remember. Prepare a crisis communication plan and test it regularly.

# Communication helps you ride out a bad situation – but only if you have mastered it.

A SMART ORGANIZATION IS PREPARED

A new year has a lot of promise. The impact of coronavirus is likely to weaken towards the end of the year, but the accelerated digitalization it has brought along will not slow down. During 2021, more business processes and other processes will be integrated into automatic or semi-automatic information processing. Manual work is replaced with increasing speed: paper documents, old systems, and communication between people are replaced with automatic and technical tools. This change is naturally driven by efficiency, new business opportunities, and technological advancements, which all guide our choices towards activities that are all the more dependent on cybersecurity. In this way we are all responsible for the future: The next time you consider a new digital process or technology, ask yourself and your team whether you need all the data you gather and whether you have sufficient resources to handle it.

4. IF YOU CAN’T PROTECT, DON’T COLLECT

Are you sure you need all that data? Could your service be offered with less information gathering – less personal data, less confidential information? Are you able to delete the data after it is no longer relevant? Can the information be anonymized before it is transferred, as in Koronavilkku (the Finnish Covid-19 contact tracing app), for example? Is it possible to separate confidential and non-confidential information and to store them separately?

# Information handling comes at a cost. Cost optimization of it starts with gathering less data.

5. CYBERSECURITY EXPENSES ARE PART OF BUSINESS EXPENSES

Cybersecurity expenses have long been part of ICT expenses without a direct link to business. With new digital development projects, a significantly better option would be to budget the costs of the required protection and allocate them directly to the activity in question. Too common are those business cases which don’t take into account the costs of protection and, as a result, present the wrong calculations on profitability – this way the true profitability of new digital services is not apparent. Let’s take a classic example of starting an online store. Even though fire insurance, physical locks, and security guards might not be needed, you must take into account the continual updating of software components and application firewalls, and the monitoring of information security. The year 2021 is a good time to start allocating cybersecurity expenses to the business that is being protected. That project will not be completed within a year.

Digitalization offers a great promise. With its efficiency it will solve many of the challenges we currently face and produce new opportunities for those who take advantage of it. However, it is wise to learn from the past. Some of us remember the arrival of email – this new service established its position remarkably fast. The information security issues that came along with it, such as spam, encryption, and sender verification, have resulted in decades of fixing. As digitalization speeds up, organizations create dozens of “email systems” every year, and the number of information systems just keeps on growing. IT departments or information security managers don’t have sufficient resources to manage all the maintenance and the control of dependencies.

# Cybersecurity should be an integral part of planning from the beginning.

Mika Hållfast, VP, Security Leader for Finland, Poland and Baltics Region at CGI

Mika is a seasoned security professional with 15 years of experience in technology, architecture and cybersecurity. With a keen focus on translating business requirements into technical solutions, Mika works with clients across industries, including government, banking, communications and oil and gas. Currently on secondment to CGI’s global cybersecurity practice, Mika manages the ongoing learning program for CGI’s 1,400 cybersecurity experts, contributes to thought leadership, and speaks at security industry conferences. He also advises on security projects, bringing his practical, business-focused approach to CGI clients around the world.
