Cybersecurity and cyberattacks – in common thinking, these terms still refer to something remote and military that does not concern the average business and person.

But the reality is quite different: the computers and systems of ordinary owners are the ones being attacked, their data were stolen, hard drives encrypted, and ransomware claims made to them. These are the risks that any company should be aware of and address through cybersecurity to prevent damage from an attack.

This article is based on materials from the National Information System Authority’s (RIA) Cyber Security Review “Cyber Security 2019” (https://www.ria.ee/sites/default/files/content-editors/kuberturve/kuberturvalisus-2019.pdf).

First and foremost the owner is responsible

Business executives should be aware that cybersecurity is not just a matter of the company’s IT department or the person in charge of the computer systems. First and foremost, the cybersecurity of a system or device is the responsibility of the owner (individual or company).

“It’s primarily the matter of management, who decides on business processes and investments,” emphasizes Uku Särekanno, head of the National Information System Authority in the review “Cyber Security 2019”.

What are the risks of disregarding cybersecurity?

The fact that the situation in the Estonian cyberspace is becoming increasingly critical is characterized by the number of reports made to the RIA. RIA received almost twice the number of reports (17,440 reports) in 2018 as the year before, including 3,390 incidents affecting data or information systems („Cyber Security 2019“).

Businesses need to be aware that disregarding cybersecurity can be detrimental to both their products and services. Significant damage can be done to a company’s reputation – imagine a situation where your website or computer system has been “hacked” and this is noticed by your existing or potential customers. Or a situation where malware is sent from your email address to your business contacts. All of this can mean losing your customers and their income with them. Consider how much revenue you would lose, for example, during the days when you need to recover data lost due to ransomware incidents.

Insecure devices can cause damage

RIA’s cybersecurity review reveals that in the summer of 2018, it was discovered that certain Internet routers for small businesses and home users could be used to hide malicious activity, steal information, but also, for example, to extract cryptocurrency.

“We issued a warning to inform users of the need to upgrade the software concerned,” the RIA reports. “Despite the warnings issued in the summer, we have repeatedly seen devices on the private and public networks that use the same vulnerable, not updated software.”

Insecure email

Much of the business-to-business communication is via email, so security in this area needs to be increasingly addressed.

However, according to RIA, a large number of email accounts of Estonian companies and institutions can still be easily faked. This means that you can send malware via email or ask to send money to the wrong accounts. “Some of the security protocols and technologies for email servers are years old, but still not updated,” states the RIA’s cybersecurity review.

Insecure websites

The company website is the company’s digital business card. However, there are often situations where the web servers and pages which software is not updated or security standards are not applied, are compromised.

Using computer resources to extract cryptocurrency

Media consumers have certainly not missed the rise in popularity (and price) of cryptocurrency at the end of 2017. According to the RIA, criminals were trying to find increasingly better ways to collect cryptocurrency in this way.

Because “mining” cryptocurrency mostly requires energy and processor resources, “publicly known vulnerabilities (such as routers in the home) that do not have upgraded software, provided easy ways for attackers to use other people’s computing resources,” reports to RIA; according to the agency, in the first half of 2018 this trend continued even further.

The weakest link, not the most valuable one, is attacked

A small business executive or a single person might ask: Why would anyone attack me because there is nothing valuable or confidential in my information?

The RIA draws attention to the fact that the system is often attacked not on the most valuable link, but on the weakest link. Statistics show that “most cyberattacks do not pay any attention to the user’s identity, but target all unprotected devices and user accounts indiscriminately,” the RIA points out.

The processing of sensitive data requires special attention

Issues related to the processing of sensitive personal data have become particularly important in the context of the recently adopted cybersecurity law.

The RIA emphasizes that cybersecurity is the first important step in preventing personal information from being leaked. “This means systematically taking the necessary steps, which again needs to be addressed by the leaders of the organizations. Systems storing and handling personal data need consistent risk mitigation, software updates and the transition to new, more secure standards, regardless of the size of the organization“ („Cyber Security 2019“).

What are the benefits of considering cybersecurity?

Keeping cybersecurity and up-to-date security standards in mind will certainly absorb the company’s time and money. But it also shows that the company is a responsible and caring one that is up to date with the latest developments in cybersecurity.

By working on cybersecurity, each company contributes to maintaining Estonia’s cybersecurity image. Certainly, no company will miss the opportunity to exploit the image of Estonia as a developed e-state for its own benefit. In this case, this image should also be supported by your own contribution.

Paying attention to cybersecurity is often not that difficult: when a new software version is developed or a security standard is updated, it is responsible to replace the old version with a new one. Similarly, email accounts, web servers, operating systems, and communication channels need to be upgraded.

It is imperative to pay attention to cybersecurity before any incident has happened. Usually, people and companies tend to do the opposite, but it is by taking preventive action that the harm is the least.

Enforcement of the cybersecurity law

In 2018, the Cyber Security Act was passed in Estonia. As a result, companies that provide vital services, such as medical care, electricity, or ID card identification, must also pay more attention to cybersecurity.

Webshops, search engines, and other digital service providers also need to pay attention to ensuring the cybersecurity of their customers’ data. The relevant regulation sets out how cybersecurity risks should be identified and the security requirements to prevent them.

Cybersecurity