This is a discussion article. The opinions expressed are the writer’s own.
DEBATE. The question is not whether an organization will be hit, but when the next attack will occur and how well you manage to protect your organization. But many companies and public organizations lack sufficient control over their digital infrastructure, writes Johan Torstensson, Tietoevry.
Cyber attacks and ongoing wars in our immediate area have clearly shown how vulnerable our society can be. Unfortunately, Sweden’s digital preparedness is far too low and the fact is that only three out of ten IT managers state that their organization would be able to fully maintain operations if Sweden were to be cut off from the outside world. I now want to warn about Sweden’s low IT preparedness and ability to protect our most important digital assets.
The amount of data produced in the world is growing rapidly. The use of cloud services is a prerequisite for being able to effectively manage the enormous amounts of data that flow through intercontinental cables and is vital for society to function. Unfortunately, we can state that Sweden’s IT preparedness is far too low to withstand natural disasters, cyber attacks, sabotage and, in the worst case scenario, war.
The threat has become particularly clear recently when several Swedish businesses have been hit hard. At the same time, we know, from a survey conducted by the analysis company Radar, that a whopping 79 percent of Swedish organizations indicate that they have been exposed to data breaches in the past three years and that 43 percent have experienced ten or more during the same time. It is therefore not a question of whether you will be hit, but when the next attack will occur and how well you manage to protect your organization.
This clearly shows that far too many public sector organizations do not have sufficient control over their data and digital infrastructure.
From another survey, carried out by Novus on our behalf, we know that only one in five Swedish IT managers (19 percent) believe that their organization is very well prepared if the IT systems were to stop working as intended. Almost as many, 17 percent, say they are not prepared and more than one in five (22 percent) have not security-classified their data into different categories with different protection needs, meaning it is most likely to be mishandled.
In the same survey, we see that the public sector is worse equipped than the private sector. In the public sector, for example, only 4 percent of IT managers believe that their organization is very well prepared, compared to 24 percent in the private sector. If Sweden were to be cut off from the outside world, only 23 percent of those questioned in the public sector state that they would be able to fully maintain operations, while the corresponding figure in the private sector is 32 percent. This clearly shows that far too many public sector organizations do not have sufficient control over their data and digital infrastructure.
As if the uncertain geopolitical situation were not enough, organizations also have to deal with often difficult to interpret regulations and conflicting European and American legislation for the handling and storage of data. A clear example is how Swedish and Finnish authorities interpret the same EU laws in different ways, which meant that Finnish authorities became more digitally mature and were able to use safer and more innovative solutions.
The rapid digitization, high rate of innovation and increased use of cloud services are now challenged by a reality where business benefit and cost efficiency must be set against risk and the ability to ensure digital sovereignty and protect your organization’s data.
It is time to take action to strengthen Sweden’s digital sovereignty and preparedness. Swedish businesses, not least in the public sector, need to a greater degree than before to supplement with local supply chains and forms of delivery where operation, data management and competence supply can be secured within the country’s borders.
Five measures to strengthen Sweden’s digital sovereignty:
• Business and the public sector need to get better at working together for safe and innovative solutions. Strong ecosystems in cybersecurity are needed to respond to the increased threat and strengthen digital preparedness. No one can do everything, but together we as the various actors in society can do a lot.
• All organizations must clearly prioritize the parts that are most worth protecting. It is important to classify and protect the right data and the most important parts of the digital infrastructure.
• Digital sovereignty is as much about transparency as security. All data cannot be locked up and a healthy mix of solutions is needed to be able to protect innovation, which today is made possible primarily via public cloud solutions. But transparency is needed around where data is stored and all organizations need to understand under which legal control their data is handled and protected.
• Clearer laws, rules and guidelines are needed for above all the public sector. It is unsustainable that different authorities and municipalities make different interpretations of how data may be stored and which services may be used. Therefore, supervisory authorities, such as MSB, need to clarify which precedents and requirements they place on different types of organizations in practice.
• A national skills lift is needed to ensure Sweden’s competitiveness and become self-sufficient in the necessary tech skills. In order to handle security-classified information in the right way, not only local solutions are required, but also security-classified local personnel. According to the industry organization TechSverige, 70,000 experts are missing in the Swedish tech industry.
Johan TorstenssonSweden manager Tietoevry