In a new, increasingly digitalised world, companies and society are becoming more vulnerable, which means that it’s time to get security firmly under control.

“Sooner or later, incidents occur, and without proactive digital security, the confidence of customers and the public will be eroded. We cannot afford this if we want to continue to develop our companies and our communities,” says Anne-Marie Eklund Löwinder, Chief Information Security Officer at the Internet Foundation in Sweden (IIS) and one of Sweden’s most prominent experts on digital security.

As we digitalise and centralise our control environments, we open ourselves up to more vulnerabilities and totally new lines of attack.

“At the moment, industry and companies are fixated on improving efficiency, without really understanding the real purpose of digitalisation. It’s actually not just about saving money, but digitalisation is also fundamentally changing our processes and the way we work. As processes are optimised, we must also understand the new risks that are created by this. Data breaches and information data leaks can have disastrous consequences for companies. Criminals have already understood that there is big money to be made, and we’re currently experiencing a global increase in the number of data breaches and data crimes,” says Anne-Marie Eklund Löwinder, Chief Information Security Officer at the Internet Foundation in Sweden (IIS).

Security awareness varies

There is now such a high level of complexity that it is actually impossible to protect yourself completely against all possible threats.

“But you can evaluate and manage risks, and that’s something that companies must focus on,” says Anne-Marie Eklund Löwinder.

Digital security varies greatly in industry at present.

“But even if there is some risk awareness, we have people with an ability to overlook potential threats and not always perform the long-term impact analyses that are required and necessary. Becoming truly digital will be expensive. It’s human nature to prefer fire-fighting to adopting a preventive approach,” says Anne-Marie Eklund Löwinder.

Digital security

She personally prefers the term digital security to digital safety.

“It’s a telling term launched by the government. Digitalisation is in itself a good thing, and it’s our aim at the Internet Foundation that everyone should want, dare and be able to use the Internet, and that they also feel secure when doing so. To get there, we’re working a lot with public education initiatives, including via schools, to raise levels of digital awareness.”

Digital security is also a precondition for a good work environment and a safe workplace.

“If employers don’t make it clear to employees what they may and may not do, there is no personal safety or security. It’s easy for employees to get into trouble if they aren’t aware that they’re doing something wrong. So it’s important to create a solid sense of digital security in companies,” says Anne-Marie Eklund Löwinder.

Collaborate with HR

Most attacks nowadays are not based on technology, but on the art of social engineering. People are manipulated to disclose information that they should not. This is something that attackers are experts in, and to keep ahead of them organisations must be equally good at understanding how people work and why they do what they do.

“Behavioural science is a competence that more organisations should prioritise and make sure that they have in-house. After all, it’s ongoing work and a need that won’t disappear, so management teams should also involve HR in this work. The people who work there are often good when it comes to behavioural issues. Then it’s also about being persistent, communicating with employees and adopting an educational approach when explaining the risks and why the company has certain rules. The most important consideration is always to create aware employees who are familiar with what applies when it comes to rules, guidelines and behaviour. It must be easy to do the right thing and difficult to get it wrong. Here too, technology can lend a helping hand. Technology is just a supplement to the rules and guidelines that apply and must be observed, and it will in itself never be able to offer comprehensive protection,” says Anne-Marie Eklund Löwinder, continuing:

“It’s about creating a digital security culture. And that requires resources and time for information, training courses, exercises and the introduction of systematic work on digital security. Be prepared for it to take a long time, but it’s a great job when it finally produces results.”

Password paradox

It is now 2018 and one serious problem, according to Anne-Marie Eklund Löwinder, is that a large proportion of companies’ information can still be accessed via a password.

“And this is where we see a password paradox – you know that it’s not good to use passwords that are too simple or too short, and to use the same password for all logins, but you do anyway.”

Passwords are not necessarily a bad thing. Few alternatives can currently compete with them on simplicity and cost, but that places demands on users: it is the way we choose to manage passwords that is the problem.

“Companies can help their employees with password managers and better quality when choosing passwords, increasing the number of characters and blacklisting the 500 most common passwords. The risks have already been reduced radically here. It’s more difficult to remember a longer password, but with every character you make it more difficult to gain unauthorised access. The tools used nowadays to crack passwords are incredibly advanced and very competent, and they can crack codes that are too simple in a few seconds. Managers and supervisors must set a good example here; they are often the worst offenders.”
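The measures she names (a minimum length, a blocklist of the most common passwords, and the observation that every extra character widens the search space) can be turned into a simple policy check. The following Python is an added illustration written for this article, not code from the Internet Foundation or any product; the 12-character threshold and the short blocklist are constructed assumptions, and a real deployment would load a full list such as the 500 most common passwords mentioned above. It also normalises trivial variants (trailing digits and punctuation) so that "Password1!" is still caught by a blocklist entry of "password".

```python
"""Illustrative password policy check (added example; assumptions are labelled)."""
import math
import string

# Constructed sample of very common passwords; a real check would load the
# full list (e.g. the 500 most common) rather than this handful.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "football", "monkey", "dragon",
}

MIN_LENGTH = 12  # assumed threshold for this example; the article gives no number


def normalise(password: str) -> str:
    """Reduce a password to the core compared against the blocklist.

    Lower-cases and strips trailing digits/punctuation so that variants such
    as 'Password1!' or 'Welcome123' still match 'password' / 'welcome'.
    """
    core = password.strip().lower()
    return core.rstrip(string.digits + string.punctuation)


def keyspace_bits(password: str) -> float:
    """Rough upper bound on the search space in bits: log2(charset ** length).

    Only the character classes actually present count towards the charset,
    which is why adding a character helps more than adding a symbol class.
    """
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def check_password(password: str) -> dict:
    """Apply the policy; 'reasons' lists every failed rule (empty means accepted)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.strip().lower()
    core = normalise(password)
    if lowered in COMMON_PASSWORDS:
        reasons.append("blocklisted password")
    elif core and core in COMMON_PASSWORDS:
        reasons.append(f"variant of blocklisted password '{core}'")
    return {
        "ok": not reasons,
        "reasons": reasons,
        "bits": round(keyspace_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for candidate in ("123456", "Password1!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate))
```

The length rule and the blocklist are deliberately independent: a long password that is simply a common word with digits appended still fails, and a short password that is not on any list still fails, so neither rule can be satisfied by defeating the other.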

Engage management and the Board

In today’s complex environments, work on information security is not something that can be dealt with by one single security manager. Collaboration is everything if the challenges are to be met.

“It’s important to collaborate across departmental boundaries and with other managers. The issue of security must be reflected in strategies, in the Board’s work and among management. Ultimately, it’s always management’s responsibility, which is why there should also be digital competence at management and Board level,” says Anne-Marie Eklund Löwinder.

One common role in this context is what is known as a CISO (Chief Information Security Officer), who reports directly to the CEO. The idea is that this person serves as a link between security, commercial activities and management, and is responsible for creating a good, risk-conscious environment.

Perform risk assessments

Digitalisation is putting the focus on speed, flexibility and innovation.

“It’s easy to get carried away, but you have to keep a cool head. The more you focus on innovation and speed, the greater the need to have systems and method support in place. That’s something that many forget. When it comes to new technology, it’s easy to sleepwalk your way straight into new situations without having thought it through properly,” says Anne-Marie Eklund Löwinder.

It is therefore essential to perform digital risk and vulnerability analyses on an ongoing basis, in order to build up a picture of which threats the company is facing, which priorities have to be set and which measures need to be implemented. The risk analysis must always weigh factors such as cost and efficiency.

Draw up a contingency plan

Based on the analysis, a contingency plan is then created featuring procedures, processes and an effective communication plan for if and when an incident occurs.

“It’s important to tell your customers if something goes wrong. For example, use social media if your platform is down. That makes it easier to get customers to understand. And keep practising and testing different scenarios – anyone who hasn’t practised doesn’t have a plan. It’s usually very educational for the organisation and it contributes to increasing awareness of security and reducing transition times.”

Managing risks and trying to look well into the future is not easy. To succeed, according to Anne-Marie Eklund Löwinder, you should aim high and give your imagination free rein, with no suggestion being too silly to consider.

“Because our imagination has its limitations. We’ll never be able to think in ways that are as devious as an attacker. Analysing the risks and combating the effect of them is something that all of us need to learn. Companies must understand which information is important and sensitive, they must be able to guarantee that the information is correct, to make sure that it is accessible for the right people and that it is traceable, so that it is clear who has processed it. They must also identify all existing threats and their consequences before, in the next step, they try to perform a correct assessment of whether or not it is worth taking a risk.”

ISO 27001 covers it all

It is therefore time to certify the plant or the company in accordance with ISO 27001, the standard for an information security management system. In many countries, government authorities require such certification in order to run vital infrastructure, such as electricity grids, water and sewage, district heating/cooling and so on.

“ISO 27001 contains all the necessary requirements and should be integrated into other management systems, so that each new system is not perceived as a burden for those who work with it. Systematic work on this should be part of the business process and the business development process,” concludes Anne-Marie Eklund Löwinder.