Cyber security modelled on the vaccination programme


​At present, cyber security tends to be discussed using terms referring to war and crime. Although the threats are real, it is more useful to seek and adopt solutions to combat the problem rather than conjure up alarming scenarios. The national vaccination programme, which has produced public health benefits, could serve as a model.

– We have witnessed enormous improvements in public health – life expectancy has increased and new cures have been found for serious diseases. A similar solution-oriented approach could be applied more often in the cyber security discussion, says Kimmo Halunen, Senior Scientist from VTT's information security team.

According to the Halunen, the implementation of a "vaccination programme" for cyber security first requires the identification of the problem. Who are cyber criminals targeting with their attacks, and which targets are objects of government espionage, for example? Only when we know this can we find solutions to the problems.

We must also insure sufficient coverage by the programme. How can we encourage companies to invest in cyber security and reduce risk behaviour that is a threat to the organisation's cyber security? According to Halunen, risk behaviour can be as simple as leaving the office door unlocked at the end of the working day.

Incentives to curb cyber risks

In the future, companies can be encouraged to invest in cyber security through means such as granting various certificates to organisations whose network security is at the desired level.

This is also the direction being taken in Finland. The Finnish Cyber Security Certificate (FINSC), for example, is a certification system developed together with businesses and the public sector with the aim of increasing cyber security competence and understanding among different players in society, as well as helping organisations control their own security.

The EU also announced last June that it would enhance its resilience against cyber threats by establishing an EU-wide certification framework for ICT products, services and processes. Certificates issued on the basis of these systems will be valid in all EU countries.

Borders in the online world?

If a carrot approach does not help, a stick may be needed. In the future, decision-makers may need to regulate the types of security requirements and implementations organisations should have. A similar model in the current networked IoT-world is also called for by American security specialist Bruce Schneier.

– It isn't easy to determine the right level of regulation, but that's what we have experts for, and there is an ongoing dialogue around this issue. We should consider the kind of regulation possibly needed in order to make sure that everyone is "vaccinated" and that improvement measures are widely adopted.

The basics must be in order

Halunen reminds us that organisations still have a lot to improve in their information security basics. For example, updates, backups and passwords are still not adequately managed.

Organisations should also more carefully control their risks – by ensuring, for example, that persons leaving the organisation do not continue to have access to their user accounts.

As the ongoing IoT revolution is still in its early days, the importance of cyber security will continue to increase in the future. Computers and traditional smart devices, such as smart TVs and phones, are already online, but as the technology evolves, also "dumb" devices will gradually move into the online world. In the future, the security of consumer devices connected to the internet will be increasingly important.

– From the consumer's perspective, it doesn't make sense for a toaster to be online: they don't need a message on their mobile phone that the toast is done. But in the future even the toaster will be online, because the manufacturer wants to collect data, says security expert Mikko Hyppönen from F-Secure.

– Data is money, and even toaster manufacturers know that. If they could already connect their devices to the internet now, they would, but they can't because it's too expensive. In another ten years it will be possible, adds Hyppönen.

Resilience, or resistance to attacks

The ability to prepare for risks will be in an important role in the future battle against cyber threats. Some organisations operate in sectors that are more susceptible to online attacks, and this must be taken into account when building cyber security protection.

– Organisations should prepare against potential attacks already at an early stage. This will ensure that if the organisation is attacked and takes a hit, it is clear how to get the organisation back on its feet as quickly as possible and with minimal damages, emphasises Halunen.

The key issue is to plan how the organisation can detect that a cyber attack has taken place and what to do when this happens. Not many in the security business want to consider this, although they should.

– It can take up to months before anyone in the organisation even notices that it has become the victim of a crime, as network traffic isn't monitored actively enough – often, it isn't even known what normal network traffic looks like, F-Secure's Mikko Hyppönen says in conclusion. 

Our vision beyond 2030

A safe society is a wonderful thing. It should be treasured and strengthened so that known and unknown threats both in the real and virtual worlds do not jeopardise it.