The Scandinavian countries are some of the most digitally developed in the world as they are leading the way of digitalisation in many industries. These countries are considered being early adopters of new technologies who often focus on being at the forefront of digital developments to stay competitive.

The current digitalisation of the public and private sectors will streamline many business processes and improve efficiency. This digital transformation will also open up for a new array of cyber threats which require a proactive approach. Instead, research has shown that a big proportion of Scandinavian companies haven’t yet taken the necessary precautions to secure their technologies against external threats.

This graph shows the negative correlation between the Digital Development Index (DDI) from 2018 where the Scandinavian countries rank high and the National Cyber Security Index (NCSI) from 2018 which shows that the Scandinavian countries are lagging behind in their cyber security preparations.

*The NCSI for 2019 has just been released showing an impressive improvement by Denmark who has jumped to 6th spot on the ranking. Sweden and Norway are however still trailing behind as they show no improvement in 36th and 31th spot respectively.

Scandinavian sectors that are more vulnerable to cyber attacks

Following are four of the sectors where digitalisation is going strong in the Scandinavian markets. These sectors require an extra focus on preventive measures to secure information technology (IT) and operational technology (OT).

Healthcare – The Scandinavian countries are front runners in the world when it comes to digitalising their healthcare. Both Sweden and Norway have set targets to be world leaders in the area of eHealth in 2025 and Denmark also holds a strong position. The current increase in connected medical devices are making way for new threats where the possible implications can be dire if the hospitals are not prepared. Hospitals also hold a wealth of information in their medical records which makes them a target for attacks which was shown in serious breaches in the Scandinavian healthcare industry last year.

Manufacturing – The manufacturing industry in Scandinavia is in the midst of scaling up in the Industry 4.0 transition. This will require security capabilities to be built into any connected devices at design to prevent security breaches for the IT/OT and to avoid security gaps between the two. The deployment of internet-of-things (IoT) technologies to enable the convergence of IT and OT is often named as a vulnerable entry point for attacks on the Industrial control systems (ICS) such as the old programmable Logic Controllers (PLC) that are still much in use in Scandinavia. Measures to secure these technologies are needed to avoid attacks that can lead to a shutdown in production and huge financial losses.

Financial services – Criminal elements will continue to target financial institutions because that is where the money can be found. The Scandinavian banks are at the same time answering the population’s high expectations of digital banking services for an enhanced convenience while they are at the same time trying to stay ahead of new potential threats. Cash is no longer king as all three Scandinavian countries are investigating the possibilities of their separate digital currencies. The potential introduction of an E-krona could expose them for a whole new wave of security issues.

Transportation – Electric, connected and autonomous vehicles are vital for the Scandinavian countries to reach the aim of a transportation industry that is more efficient, greener and safer. The implementation of Intelligent Transport Systems (ITS) such as V2V and V2I technologies comes with concerns that these systems can be hacked and tampered with to cause major security breaches which calls for the Scandinavian automotive sector to implement security components throughout the development of cars and trucks. The technologies of autonomous vehicles which are currently being tested in Scandinavia will also have to be secured before connecting them on a big scale with the existing transportation networks.

Global trends – local security concerns

We can see three global trends of Enterprise Mobility that will affect the way Scandinavian companies operate and the associated security concerns they bring. The first two trends are connected and in wide use today, while the third trend is just starting to appear but with bigger implications expected ahead.

• Swedish research from 2018 shows that cloud computing services is the biggest and most important trend according to Swedish IT managers and it was followed by the management of growing security risks as close second. The trend of cloud computing services moves a bit slower in Norway and Denmark with security concerns as one of the main reasons for companies not to engage. By implementing cloud security solutions Scandinavian companies will be able to engage further with this trend without putting their data at risk.

• The protection of company data comes into play with another growing trend in the world. Bring your own device (BYOD) is no exception for Scandinavian employees who often enjoy ‘freedom under responsibility’. There is a concern of remote workers who open company applications on their own devices, using unsecure networks. BYOD policies, backed up by solutions such as endpoint security is therefore needed in the Scandinavian private sector as this trend seems to continue.

• The governments of Sweden, Norway and Finland are working together to implement 5G networks ahead of the rest of Europe. Denmark have also recently released their own action plan on how they will roll out 5G to facilitate and accelerate the digitisation of companies, especially for IoT automated production and intelligent transportation. 5G will improve the connectivity of devices and the sharing of data but it will at the same time increase the risk of exposing systems and devices for attacks, putting an extra pressure on the sectors accounted for earlier. Scandinavian companies should therefore have network security solutions in place when 5G becomes a reality.

Current Risk Management and future projections

There have been many recent surveys and researches made which take a look at the preparedness of the Scandinavian companies during this increasing threat of cyber crime. Most of these point out that the level of security measures by the Scandinavian companies in general is still low, but we can now see indications that this topic is gaining ground, both in the public discourse and in the company boardrooms.

There is a common cultural mindset in the region to believe the best in people. This local naivety towards a global issue is one reason why many Scandinavian companies up to now, have been reactive instead of proactive when it comes to securing their IT and OT. The topic of cyber security is now often covered in the local media and there are many events focusing on educating, collaborating and sharing information on how to protect against cyber attacks. The heightened coverage may help to gradually change this mindset for a proactive approach to adapt the level of security parallel with new technology implementations.

The world wide shortage of cyber security talents in the workplace is also critical in Scandinavia which is leading to fierce competition of an insufficient pool of cyber security experts. The companies who can’t afford to attract the top talent will often employ someone with an insufficient skill-set, or outsource the IT security to an external company which itself opens up to third party security issues. The lack of experienced cyber security experts is often said to be one the biggest hindrance in Scandinavia for companies to scale up their security measures in time. There is a current increase in educational programs in cyber security in the region, but it will take a few years before we see a steady influx of new cyber security professionals, especially with the necessary experience.

Cyber security in the region has for a long time been an issue for the IT department and the CISO who in many cases isn’t reporting directly to the executives who then often fail to engage. This disconnect between the CISO and the executives is much less of a problem in other countries where cyber security is more considered a strategic issue than solely an IT issue. There is a new Norwegian Security Act that entered into force the 1th of January 2019 which extends the board’s responsibility for the cyber security decisions they take and especially the consequences of decisions not taken. This may be what is needed to move the security issues from the IT department and into the boardroom by making company boards responsible.

The recent surveys and reports covering the current risk management of the Scandinavian private sector indicate that there is only a minority of companies who currently reach a sufficient level of cyber security measures. We can however see a clear shift in the last year that cyber security is moving up on the agendas and that the securing of data (IT) and processes (OT) will be among the top priorities for the coming years. What is clear is that the Scandinavian countries need to improve their cyber security measures if they want to continue to be leading forces in the digitalisation of the public and private sector which is one, if not the single most important strategic objective for the governments of these countries.