The security of private companies is the weak link in society
Cyberattacks on private companies have very real costs both for them and wider society. In an article in Dagens Industri, PA information and cybersecurity expert Anders Herrström outlines the practical steps they can take to protect themselves and us.
The infrastructure of society is a complex apparatus with an ecosystem of suppliers required to operate all its vital functions. Private companies and their IT systems are no exception to this. When they are affected by cyberattacks, the impacts on us citizens are very real, writes Anders Herrström, information and cybersecurity expert at PA Consulting.
According to analysts, the much-talked-about IT attack on COOP's suppliers that caused the entire POS system to fail in 2021 cost the company hundreds of millions of kronor a day, by their estimates. But companies don't just risk high costs in the event of a cyberattack. With the latest update of the NIS Directive coming into force in August 2023, companies that do not prioritise security could face penalties of up to €10 million.
The unemployment insurance funds that were temporarily shut down in December last year after a suspected cyberattack on Softronic, the Swedish Space Corporation, which had a backdoor installed in its IT system, and the IT attack on Kalix municipality just over a year ago that cost millions of kronor are further examples of incidents that cost both companies and society money. And who knows, the next attack may be linked to the ongoing distribution of electricity support.
In the current situation – with Russia's invasion of Ukraine and the ongoing electricity crisis – prevention measures are more important than ever in reducing the vulnerability of society and its citizens.
MSB, together with the sector authorities, has a responsibility to develop societal resilience in collaboration with private companies, municipalities, regions, state authorities and NGOs. But the overall resilience of society is still completely dependent on the security measures that the respective companies have in place.
As Civil Defence Minister Carl-Oskar Bohlin said recently: “There is no excuse for not working very actively and insistently to protect against this type of attack.”
In plain language, it is neither possible nor reasonable for companies to sit and wait for help. Company management must take action to increase their own security, and therefore also that of society as a whole.
We see three areas that everyone should work on to achieve this goal:
Understand your protection values and build custom protection.
Map out what information you have, how significant it is for the business, where it is stored and, not least, what it should be protected from. Adapt protective measures to the needs and legal requirements of the business. Always implement basic IT security measures to achieve a baseline level of protection. Draw on the recommendations of authorities such as the Swedish Civil Contingencies Agency (MSB), the National Cyber Security Centre (NCSC) and the Police Authority.
Prepare for system outages.
Plan how you will handle disruptions in your systems so that they affect your service deliveries as little as possible. Start with the processes that are critical to your deliveries. Practise your emergency plans so that you are prepared to use them if you become the victim of a cyberattack.
Build an ecosystem.
Establish a forum for collaboration with your suppliers and industry colleagues. Everyone faces similar challenges and threats. A concrete example is NCSC's collaboration forum for a number of the important players in the financial system.
Company managers around Sweden should take responsibility and work together to create resilient protection against cyberattacks. If they do not, they are endangering not only the finances of their companies, but also Sweden's security.