Both the type of attack, the complexity and the size of the attacks are changing and increasing all the time, and the consequences of an attack can be huge. A prerequisite for success with digitalisation is, therefore, that security and privacy are safeguarded right from the start. Unfortunately, that is not the case for many companies today. We have talked with Espen Johansen about this:
– Although technology contributes positively to Norwegian companies, both through efficiency and cost savings, it also requires a restructuring of the way we work. In this context, I think many companies forget the most important element: the security aspect.
Norwegian companies are exposed to cybercrime
The IT and security challenge Norway faces have never been greater. The National Security Authority (NSM) reports a steady increase in the number of targeted cyber attacks against Norwegian business. In 2019, they registered 20,000 alarms on ICT events.
Although only a few of these are serious incidents, NSM considers that the most serious cases are now more comprehensive and complex.
So how well prepared are Norwegian businesses if they are faced with cyber criminality?
A report carried out by Telenor, Digital Security 2018, shows that 25% of business executives do not know what to do if the company is attacked digitally. In another report, the Hybrid Survey report (Hybridundersøkelsen), 63% of the respondents state that lack of awareness in terms of security makes the organisation vulnerable.
All employees must have basic competence
Although businesses’ awareness about IT-related vulnerabilities is increasing, the implementation of vulnerability-reducing measures does not keep up with the pace of emerging cybersecurity threats. Often, this is due to a lack of knowledge and expertise within the management group.
What actions can you take to prevent sensitive information from getting into the wrong pair of hands, financial loss or negative media attention and frightened customers?
– Norwegian managers lack both the knowledge and expertise required to analyse hazards online. They, therefore, do not know what risks they are taking on behalf of the company. This poses a danger that they might prioritise incorrectly and that sensitive data goes astray.
According to the security manager, many managers believe that the responsibility for IT security lies in the hands of others in the company or with the company itself.
Mørketallsundersøkelsen from Næringslivets sikkerhetsråd (a survey from The Norwegian Business and Industry Security Council) shows that just over half of the companies have an information security management system in place, which is especially true for larger companies, while the figure is lower for the smaller ones.
– The figures show that safety is not a high enough priority for Norwegian companies. As a minimum, all business leaders should ensure that all employees have basic IT security expertise. Not everyone needs to understand everything, but everyone needs to understand the basics, such as good password routines.
Choose a supplier that takes security seriously
Most companies use one or more cloud services today – and this use is only going to increase. Choosing the right cloud service provider is crucial, says Johansen.
According to him, many believe that it is the location of the company’s data that is crucial, but in reality, what is most important is the security procedure and professionalism surrounding the processing of data and the company’s infrastructure. By choosing the right supplier, you can minimise the security risk.
– Always be sure to choose a provider that takes IT security seriously. You have to be able to trust that your supplier will do everything in their power to protect you, and also always tell you if something goes wrong. At Visma, we give our customers the security of being open about how we work with IT security and provide the Visma Trust Centre platform, which gives an overview of how Visma stores and protects data and information.
Invites computer hackers to find security holes
For over 15 years, Visma has been leading the way in developing cloud-based business solutions. The company, therefore, has good insight into how malicious players operate.
– One must distinguish between hackers with bad intentions and hackers with good intentions. The latter are experts within IT and data and have a very unique competence that companies worldwide depend on. We are so lucky to have some of the best here in Visma, Johansen explains.
Like many large companies around the world, such as Google and Amazon, Visma has opened up for talented hackers around the world to challenge Visma’s systems and software by looking for vulnerabilities.
When hackers detect the vulnerability, they must report this through Visma’s Bug Bounty program. Hackers who are not part of Visma’s Bug Bounty program can report their findings through Responsible Disclosure. This way, they get to show off their skills, Visma commits to fixing the vulnerabilities they may discover, and they receive well-deserved honour and praise for their work.
– The best contributors will be presented in our Hall of Fame. It’s a win-win situation: We get to close potentially vulnerable security holes and in return, our recognition becomes something they can put in their hacker portfolio. That is why I tend to say that Norwegian companies are completely dependent on hackers – those with good intentions, that is.
A race between good and evil forces
Johansen works with product security and leads a team of experts who help around 200 IT security and risk management specialists. Every single day, they handle over 10,000 malicious attacks against their own business.
The hackers with bad intentions are just as capable as those with good intentions but lack the moral compass. When they detect vulnerability in a system, they exploit these opportunities for various forms of attack.
– All companies have vulnerabilities. It is not possible to come around this. By prioritising security within every part of our organisation, we can ensure that we have control over new vulnerabilities in our systems and update them. I also believe that by being open and cooperating with other actors, we are more strongly prepared for criminal attacks.
The cloud is safer than the alternative
For businesses that hope to succeed in the future, cloud-based services will be a key element of being able to increase business productivity and competitive advantage in an increasingly tough market.
But why is the cloud a safe choice?
– As individuals, we consider it a matter of course to use cloud services and select professional players. Businesses are often more sceptical, for no reason at all: The cloud offers great opportunities to improve IT security in your business. Cloud service providers are very professional and have extensive experience. They also have the opportunity to use the most advanced protection mechanisms the market has to offer. It’s a lot more than you can handle on your own, explains Johansen.
Johansen believes that especially smaller companies that do not have the resources or specialised expertise internally, need to get help from professional players.
– It is very complicated to operate a cloud service that should be accessible, safe and stable. This requires specialist expertise and continuous follow-up. My best advice to companies is, therefore, to let someone other than yourself take the main responsibility for this job, Johansen concludes.