Skip to content


  • Add this article to your LinkedIn page
  • Add this article to your Twitter feed
  • Add this article to your Facebook page
  • Email this article
  • View or print a PDF of this page
  • Share further
  • Add this article to your Pinterest board
  • Add this article to your Google page
  • Share this article on Reddit
  • Share this article on StumbleUpon
  • Bookmark this page

The public sector must improve its approach to cyber security

This article was first published in Svenska Dagbladet

To address the shortcomings highlighted by the MSB, the public sector needs to increase its ability to resist and respond to cyberattacks, say Anders Herrström and Herman Rask, information and cyber security experts at PA Consulting. 

The public sector's information assets are constantly exposed to state, criminal and ideologically motivated threats. Successful attacks can – in addition to damaging national security – lead to high financial costs and seriously disrupt the core business. The ability to withstand and face attacks must be increased.

The number of businesses affected by malware attacks has risen sharply in recent years. In parallel with the digitalisation of society, security policy developments have contributed to a sharply deteriorating situation. This has extensive and long-lasting consequences for Sweden's overall security policy at state, regional and municipal level.

In a recently published report, the Swedish Civil Contingencies Agency, MSB, has, in a commendable way, clarified the state of the public sector's work on information security. Unfortunately, the results show worrying shortcomings. At the time of the investigation, large parts of the public sector were not working systematically on information security. There were certainly some examples of positive work, but the survey generally shows clear shortcomings in the public sector's way of working on information security. Not least, there were shortcomings in management of business continuity and follow-up.

What is now needed is a change process with a focus on quickly developing a safer and more resilient public sector, which can deliver on its mission over time. The following three points are areas of particular concern.

Choose your IT solution based on the actual conditions
The information to be protected is often central to fulfilling a public mission and the services citizens need. In addition to strengthening resources, management needs to take active responsibility and ownership of the question of what risks are acceptable and how the business's information should be protected. The basis of the protection needed is set by management in their choice of the design of the IT business. Building functioning protection against threats requires access to qualified IT, operations and security resources. This is something that, for example, municipalities with limited IT budgets will not be able to do themselves. In particular, smaller municipalities and authorities should seek solutions in terms of skilled operational and security services, such as cloud services, from large established suppliers. These choices must of course be made within the framework of Swedish and European legislation on the handling of classified information and personal data. In this respect, Swedish authorities and municipalities need to find a common way forward.

Build security from top to bottom
The protection of a business's information must be built from the top down. The same information is likely to be found in several different places in an organisation. If the organisation does not have a common understanding of how important certain information is and how it should be protected, different parts of the organisation will make different assessments of how it should be handled. This creates a suboptimal and likely unnecessarily expensive security business. The work on security must be based on a common assessment of the information needing protection to ensure that the information has well-balanced and equal protection throughout the organisation. The highest level of municipal management should  ensure that everyone in the organisation has the same view of the business, its processes, dependencies and thus which information assets are important and need protecting. The operation and its purpose must be at the heart of the work on cyber safety.

Long-term change management is everything
Functioning information and cyber security measures are a prerequisite for maintaining trust in public administration during ongoing digitalisation. Politicians and officials at various levels must take responsibility for the country and citizens’  information and protect it from theft, corruption or misuse. This cannot be achieved through individual one-off actions. To create a safe business, work on systematic and long-term change is required with a total focus from the centre.

In summary, Swedish public administration needs to make a step change in its information security work to ensure our ability to carry out the activities citizens take for granted. This will not happen by itself – it is high time that information and cybersecurity are taken seriously.


Helping to protect and grow your organisation in a digital world

Find out more

Contact the authors

Sweden public services leadership team

Joacim Sundell

Joacim Sundell

Country Head and Transport expert

Peter Daniel

Peter Daniel

PA digital, government and public services expert

Martin Eriksson

Martin Eriksson

PA lean, agile and public services expert

Tobias Kihlén

Tobias Kihlén

PA transport and infrastructure expert