IT SECURITY MUST NOT BECOME A PAPER EXERCISE

This blog is an English translation of an article published in Børsen on March 15, 2023.

Danish version: IT SECURITY MUST NOT BE A PAPER EXERCISE - Issuu (issuu-com.translate.goog)

IT security must strengthen the business and must not simply become a paper exercise that only ensures that directives such as GDPR and NIS2 are complied with.

If IT security is to make a difference for companies, it is absolutely central that the strategic and operational levels are connected, that IT security is viewed holistically, and that there are clear lines of communication between top management and the engine room.

Danish companies and organizations are in the firing line when it comes to cyber attacks. Figures from the PwC Cybercrime Survey 2022 show that more than six in ten business leaders and IT professionals are more concerned about attacks today than just a year ago. One of the main reasons for the concerns is Denmark's involvement in the war in Ukraine, which has, among other things, triggered a string of DDoS attacks, the so-called load attacks, where websites or mobile access to the bank go down because IT criminals deliberately overload the site.

In the wake of the many attacks and to protect data, the EU has launched directives such as GDPR, and in 2024 NIS2 awaits, which comes with stricter requirements for companies' IT security.

"Cyber security is under threat, and it is of course important that companies comply with the directives. Having said that, we would like to emphasize the importance of companies' engagement with the directives."

Facts

We are Improsec. Our company name is a contraction of what we do: we improve security. As an impartial and independent advisor within cybersecurity, we take active responsibility for improving the security of private companies, organizations and public institutions alike.

We do not sell hardware, software or managed services. We deliver knowledge, experience as well as strategic and deep technical expertise at specialist level. Most importantly, we work for a SAFER and BETTER future together with our customers.

"IT security is important because there is a threat to the company, and not because there is a directive," says Thomas Wong, Director of Technical Cyber Risk Advisory at Improsec, and elaborates: "For example, I don't have an airbag in my car because the law dictates it either, but because the airbag can save me in an accident. In the same way, a company that produces steel, for example, must have IT security in place to ensure that production is not threatened or comes to a standstill."

Companies must look inward

Security has become more complex today. There are many aspects of security that a business must take into account. This can be a challenge for companies that do not have sufficient resources or expertise to understand and address these threats and risks.

Improsec, which specializes in operational IT security testing and security consultancy, sees a risk that companies' IT security becomes a paper task that does not really strengthen them.

"With GDPR, IT security has seriously moved into the management corridors, and that's fine. Unfortunately, we see a tendency for communication between top management and the engine room not to function optimally," says Thomas Wong: "Compliance and control are good, but technical testing and testing are a condition and a necessity for effective risk management. It requires management to understand the technicalities behind security, and the CISOs to understand the strategy from management."

Understand the technology behind security

According to Improsec, this requires companies to familiarize themselves with the technology in the engine room and to strengthen communication, so that no vacuum arises in which management nods through a series of technical reports with green ticks from the engine room without understanding the technology behind them.

"If the companies actually had an insight into the operational aspects - i.e. the technology - the various EU directives would not hit so hard at all, because the insight would support that security is under control," explains Thomas Wong. Improsec specializes in helping companies understand the technology behind security and in contributing monitoring, so that those responsible for security have the right tools to communicate clearly to management.

"Companies need to take a holistic approach to IT security, because IT criminals will always look for an open door until they find one. It is of no use if the approach to IT security becomes too loose and sporadic, because then the IT criminals quickly find the door they can enter through," explains Improsec's Managing Director, Martin Kofoed. An example could be that companies use multi-factor authentication when employees log into a system. But does the company have the same secure approach when a new system or application is made available to customers? If there is no connection, IT security becomes fragile because the chain is never stronger than the weakest link.

The new attacks are old acquaintances

"The type of attacks we are currently seeing are not new. But with Rasmus Paludan's Koran burnings and Denmark's involvement in the war in Ukraine, we are now experiencing that the attacks are no longer only aimed at gaining political attention, but at destroying the technological infrastructure," says Martin Kofoed and elaborates: "The point is that had companies known the technology and already protected themselves against DDoS attacks when we first saw them years ago, we would not have the problems with them now. At the time they were not top of mind, but it should have been dealt with a long time ago."

A threat catalogue could help companies

Improsec is calling for more openness between companies. The IT security experts also call for the authorities to, for example, prepare a threat catalogue, so that companies can see which specific security threats they have to deal with. This would be more motivating and constructive than threatening EU directives such as GDPR and NIS2, which can result in high fines, loss of the right to conduct business, and so on.

A framework that actually describes the threats will make it easier for companies to create a holistic approach to IT security, with clear communication between the strategic and operational levels in the company.