The Wall Street Journal today reported that Finland Plans Cyber Funding For Companies Amid Rising Security Threats. The move is to help address the spate of cyberattacks the country has suffered since announcing their intent to join NATO. An April attack shut down the Finnish Parliament website and again this summer. The funds would give companies vouchers to help boost their cybersecurity.
In response, four experts offer perspective.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Policies such a this helps address trend of targeting SMBs. Larger organizations, while not 100 percent secure, make for more difficult victims. Small businesses are not able to afford the same level and quantity of cybersecurity talent/tooling, not to mention there is an overall shortage of cybersecurity professionals.
Criminals understand the staffing issues that small companies must contend with so they know they will be softer targets, spending less time completing a successful breach. Additionally, SMBs often can be hired by larger companies to complete various projects. It is a common strategy to target smaller companies that have a relationship with a larger company, which is the real goal for the adversary.
A milestone example is the Target breach in 2013, when a compromised third-party HVAC company gave access to point-of-sale systems that wreaked havoc for the retailer during the holiday season and still reverberates to this day.
I think a key point to emphasize is the need to utilize this funding for training, not just to purchase the latest security tooling. Without sufficient training for their cybersecurity staff, companies, especially small companies, won’t get the value out of improved tooling that they’re expecting. Whereas improved training on cybersecurity essentials and how to use the tools that are already in place stands to provide greater long-term benefit.
This could also be a doubling effect for MSP/MSSP organizations if their customers and prospective customers could use vouchers to pay for their services while they could also use vouchers to improve their teams and tools. If done right, that could be a significant improvement to SMB security and could be implemented very quickly.
It’s great to see a shift within news media towards meaningful news coverage of Finland’s progressive policies from the recent coverage around Sanna Marin’s personal life. Finland and the Nordic region in general has had a lot of success in driving individual as well as business behavior through government programs and these cybersecurity vouchers are a valuable and necessary step towards improving cyber resiliency across government and businesses alike. Cyber security as well as cyber education across the region has been historically underfunded through years of peace and is now ripe for acceleration in light of rising security threats as well as increased focus from nation state threat actors. An effective private to public sector partnership can advance technology adoption a lot faster than relying solely on general market conditions.
It’s understandable and sensible of the Finnish government to provide financial subsidies to companies in order that they can strengthen their defenses. After all, Finland is in the cyber frontline. That said, I do hope that the government – or agencies appointed by the government – give guidance on specifically what layers of security are most needed and most effective against the anticipated attack vectors. Otherwise, the funding may be sub-optimally applied.