Published 08. Sep. 2021

Mika Susi: How Companies Can Remain One Step Ahead of Cybercriminals

Mika Susi, former Executive Director of the Finnish Information Security Cluster, shares his expertise on the latest developments in cybercrime and the best ways to combat them.

With cybercrime, it is now not a question of ‘if’ but ‘when.’ Today’s cybercriminals are more advanced, quickly adapting their tactics with each improvement in an organization’s security system. How can IT leaders ensure that cybersecurity systems are powerful enough to keep even the smartest cybercriminals at bay?  

We had an opportunity to pick the brain of Mika Susi, former Executive Director of the Finnish Information Security Cluster, on how cybercriminals think, the role of cybersecurity in risk management, steps to improve employee cybersecurity programs, and more.  


What weak spots do cybercriminals look out for before carrying out an attack? 

It is true that digitalization tends to expand the attack surface of an organization. Many criminals carry out intelligence gathering on their victims before the attack. There are several weak spots that are commonly utilized. Unpatched vulnerabilities are a common target for criminals. Many times, humans are said to be the weak link in cybersecurity. Recently, we have also seen many attacks using an organization's supply chain and partners as weak spots to get access to their network. Therefore, you must assess your cyber risk environment through technology, people and partners.

 

What role does cybersecurity play in an organization’s risk management strategy? 

Nowadays, cybersecurity should definitely be on every organization's strategic risk management agenda. You just can't avoid it anymore. Cybersecurity issues are currently a very relevant strategic question for most organizations. Your top-level executives should at least be aware of security issues concerning business continuity, communications, and R&D.

As a whole, a good level of security should not slow down digitalization. A well-planned and executed digitalization process, where security is taken carefully into consideration, enables safe and secure digital operations, better efficiency and resilience for the organization. Therefore, security is not an obstacle — it should be seen as an enabler. 

 

How can IT leaders ensure that they are making the right IT security investments?

Investments should always be based on a good risk management process. This means that they are efficient and tailored precisely to an organization's needs. There is no investment rulebook or checklist that can be applied to every environment. An organization must understand its own unique risk environment and through that set out the most urgent and effective investment needs.

 

What are the biggest challenges organizations face when building cyber resilience? 

There is of course always the question of the need for funds and investments. Unfortunately, not all organizations are ready to invest heavily in cybersecurity. I think the major challenge for many organizations is to understand cybersecurity as a strategic-level question. It is not just some IT guy in the basement using his company's money to buy fancy security gadgets.

Building a good level of cybersecurity is an all-encompassing mission for an organization. It's about people, leadership, communications, partners, learning and continuous development. In other words, it's a process that will never be 100% completed. But if you invest in it, you will eventually see a good return on your investment.


What immediate measures should organizations take after experiencing a cyber attack? 

Of course, it is necessary to start the containment and recovery process immediately. This means that you have to understand what is happening and what has happened already, in other words, gain the current situational picture. There is no other way to define the measures needed. If you feel uncertain about this, you can always contact professionals to help you. I would like to stress that readiness for both external and internal communications is crucial.

At the same time, it is important to remember that there are several regulatory reporting requirements concerning data leaks and breaches. Contacting the relevant authorities like the national cybersecurity center or the police is also very advisable as they can offer help and advice.

 

Do you think employees are the weakest link when it comes to an organization’s level of cybersecurity? How can cybersecurity training programs for employees be improved?

This might be a mantra that everyone is tired of, but in some respects, it is still a valid argument. We are all vulnerable to scams and fraud, and we can be socially engineered to do something harmful in a digital environment. However, well-trained and motivated employees are a great strength for an organization. If they notice risks, they will react, assess and report. In that case, they are definitely not the weakest links.

I see that basic knowledge of cybersecurity issues is currently a normal part of working life. Therefore, cybersecurity training programs should be very close to everyday working environments and situations. They should form a basis for continuous development for all.

Additionally, they should include some motivational aspects like reward systems. In many successful companies with a good security culture, personnel reward systems have been integrated into security training programs. That is something I would like to see more of.

 

What are the emerging cybersecurity and cybercrime trends in 2022? 

This is always a good question! Nothing is harder than predicting, especially predicting the future. However, I can say that we are still going to see the constant evolution of cybercrime. Criminals develop their tactics further, and we are going to see a continuous flood of and changes in ransomware and other online fraud campaigns.

Secondly, one thing that already affects many organizations is growing regulation. We see this everywhere. Every company should prepare for growing cybersecurity compliance requirements. From the technological side, I think questions concerning cloud security, IoT and the security of wireless networks will be relevant in the next few years. Many organizations have uncertainty about these issues, and it is important for all organizations to experience the benefits of digitalization and developing technologies. I see that security's role is to enable growth and efficiency, and not to hinder them.

 

*The answers have been edited for length and clarity. 
