CYBER SAFETY: ITS RELEVANCE AND WHAT TO DO ABOUT IT
// Leena Nyman, Mikko Vieltojärvi // Rainer Saks, Kari-Pekka Rannikko and Lucie Kadlecová (CybExer Technologies)1
It is indisputable that cyber security will remain among the top global challenges for decades to come. IT networks have become a core component of critical infrastructure globally, while their interconnectedness has grown exponentially. Despite the improvements in quality of life stemming from this technological advancement, it also brings serious cyber threats and risks. Cyber crime is the fastest growing branch of criminal activity worldwide. Different state-supported actors are constantly expanding their activities in cyber space.
Remote work, forced upon us by the global pandemic, is here to stay, increasing the number of potential targets and challenges for the cyber security systems of public institutions and enterprises. And the list goes on.
Although general awareness of these cyber threats has improved recently, especially among decision makers, it is still relatively poor. Many decision makers keep leaving the responsibility for cyber issues mainly to their IT departments, while they neglect to raise cyber awareness among their employees and miss the chance to implement a complex top-down solution. This is the moment when cyber safety enters the picture.
CYBER SAFETY VS. CYBER SECURITY
Cyber security is generally understood as the practice and application of technologies, processes and controls to protect systems and data from cyber attacks. In other words, it is a group's efforts and measures to protect its members from harm in cyber space. On the other hand, cyber safety can be described as part of the social security of our society.
Safety relates to a personal feeling of being free from danger and harm. Applied to cyber space, cyber safety is the feeling of citizens that they can operate safely in any sphere of activity using internet-based services. While cyber security is defined as measures and efforts in cyber space that are external to the individual, cyber safety relates to an individual's inner feelings with respect to online activities.
The individual's feeling of cyber safety is influenced from two directions: top-down and bottom-up. The top-down influence can be defined through external factors originating in the authorities present in the individual's life. For example, the feeling of cyber safety is in this case influenced by the cyber security regulations of an employer, national cyber-related policies and legislation, the media's reporting on cyber incidents, insurance policies for organizations or the maturity of the service providers' market.
In contrast, the bottom-up influence on an individual's feeling of cyber safety is based on society and its general approach to the cyber domain. This can, for instance, include the perception (or lack thereof) that cyber security is a citizen's own responsibility, limited training and educational opportunities, lack of opportunities for insurance cover or understanding cyber threats as one of the security risks in a person's life.
EDUCATION AS THE FUNDAMENTAL CORNERSTONE OF CYBER SAFETY
Successful cyber safety can only be achieved when the whole of society is engaged and comprehensive security thinking is employed. The bottom line for efficient cyber safety is professional and responsible security authorities, resistant critical infrastructure solutions and service providers, and educated decision makers. Nevertheless, none of this will achieve well-developed cyber safety unless one key factor is addressed immediately and comprehensively: education of individuals, the centrepiece of the cyber safety concept, on the topic of cyber security throughout all levels of society.
There is currently a need for cyber security skills across a wide swath of educational and professional areas, and each has different needs and requires a tailored approach. Each category should have a pathway resulting in a Cyber Educational Development Plan. This plan is much like a Professional Development Plan; however, it describes a training and education pathway from the earliest years until professional roles. It provides information and develops the skills needed to be cyber safe not only at school and in the workplace but also at home and when on the go with a mobile device. We have identified and proposed the following four primary audience types.
FOUR PRIMARY CYBER EDUCATION AUDIENCE GROUPS
Firstly, our attention has to be focused on the youth in primary (age of 6-10) and secondary (age of 11-18) education. If we want to reach the point at which the whole of society is educated on cyber issues, it does not suffice to start cyber education only at university level. The education of students should be centred around basic cyber hygiene principles already at primary level and progress to a level of knowledge preparing them for the higher classes. By the time students reach the senior classes of secondary education, they should be steeped in basic cyber security concepts and understand how those concepts interrelate with their courses (e.g., software development, biology, physics, etc.). Overall, the development plan should prepare them for university or any other type of post-secondary education.
Secondly, university students should focus their attention on how cyber security, data analysis, and advanced topics such as machine learning or artificial intelligence might affect their current studies and what impact these might have on their studies and profession, as well as on their personal lives, later on.
While incorporating the cyber element into the school and university curricula, two more fundamental topics must also be kept in mind. It is absolutely essential that students are familiarized with ethical principles of their behaviour in cyber space from the very beginning.
Adopting an ethical way of acting in IT networks is core so that the students do not use their preciously acquired knowledge for malicious purposes later on. The other topic is to go beyond the theory of cyber security in the curricula and actually adopt experiential learning, loosely defined as learning through reflection on doing.
In other words, students should not learn only theory; schools must provide them with opportunities to train real skills. Hands-on experience is fundamental in cyber security. Our practical experience with trainings and exercises in our cyber range proves this point.
The third audience group for cyber security education is front-line professionals, who are generally classified as information technology workers in that they are system/network administrators, database administrators, storage administrators, etc. Although their roles have a cyber security component, they are focused on administration, provisioning and other back-office support functions. However, because they are generally the experts on the systems and the first to notice anomalous activities, it is paramount that they understand not only the basics of cyber security but also the specifics related to their devices and when to escalate to a Security Operations Centre, Incident Response Team, or other cyber security teams.
Finally, the last audience group is cyber security professionals themselves. This group is the most in need globally. Training and education should begin with establishing a baseline of common knowledge. This baseline ensures that all participants have a common understanding of core concepts. From the baseline, participants then move into the specialized knowledge required for their respective roles, while still being provided a pathway for advancement.
TWO MORE AUDIENCE GROUPS WITH A NEED FOR A SPECIFIC APPROACH
Besides the identified audience, there are two more groups to which particular attention should be paid and for which a specific approach should be adopted. The first group is the older generation, which grew up at a time when the internet was still a research project of DARPA. This is a particularly vulnerable audience which quickly needs to acquire basic knowledge of cyber hygiene and elementary IT protection. Special educational programmes in that regard can be developed in cooperation with universities or NGOs, while an important role could be played by young people who might help to educate their grandparents and parents in cyber matters.
The other vulnerable group is girls and women in general. Overall, cyber security and IT are still misperceived as a primarily male-dominated industry throughout society. This perception must start to be eroded already in the minds of the youngest generation. There is no objective reason to think that men are necessarily better than women in IT or cyber security. There is an urgent need for more IT and cyber security specialists, and bringing more girls and women into the industry can significantly help to fill this gap.
MULTISTAKEHOLDER APPROACH TO EDUCATION AS THE WAY FORWARD FOR CYBER SAFETY
To make this complex educational structure work successfully, there is an urgent need for the private and public sectors to cooperate closely. The private sector owns the resources necessary for cyber education, be it funding, know-how, infrastructure or experts, while the public sector has the power to make the policies effective. We also must not forget about the role of academia. The lack of scientists, teachers and employees is massive, but universities, in collaboration with the private and public sectors, have the potential to help create functioning educational programmes and training courses for schools and the general public.
The starting point for this multistakeholder cooperation could be briefer events like boot camps, corporate and government scholarships and internships which would serve as a basis for further, more complex initiatives and programmes.
In conclusion, this article introduced many different ways to support and enhance education on cyber matters throughout the whole spectrum of society. All of them have, however, one thing in common: only through the education of individuals at all levels of society can we strengthen the cyber safety of our citizens and ultimately empower the whole of society in its feeling of being truly safe online. Cyber security, its principles and processes must be widely understood as a collective responsibility, but that will not be achieved unless every citizen is educated in at least basic cyber security principles, understands the importance thereof and sees the relevance of feeling cyber safe.
1 We would like to thank Mr. Kevin Estis for his original thoughts on the complex approach to cyber education in the society.
CybExer Technologies is a NATO-awarded Estonian cyber security company. CybExer's flagship solution is its proprietary cyber range and highly realistic cyber security exercises conducted on the range. Its capabilities and solutions have been used to conduct some of the world's largest cyber exercises.
Rainer Saks joined CybExer Technologies OÜ as a member of the Management Board in late 2020. He is responsible for government relations and some of the research and development projects in the company. He worked as a civil servant for the Estonian Republic between 1999 and 2020. Rainer Saks worked as a Government Security Coordinator, Director of the Office of the President of the Estonian Republic, Director-General of the Foreign Intelligence Service and finally as Secretary General of the Ministry of Foreign Affairs. He has long experience in dealing with foreign and security policy issues and strategic planning.
LUCIE KADLECOVÁ
Lucie Kadlecová works as a Senior Associate (Strategy and Threat Intelligence) and the company's representative in the Czech Republic at CybExer Technologies. Previously, Lucie served as a cyber security and policy specialist at the National Cyber Security Centre of the Czech Republic and as a trainee in the Cyber Defence Section, Emerging Security Challenges Division at NATO HQ in Brussels.
She was also a visiting scholar on Fulbright scholarship at Massachusetts Institute of Technology (MIT), Cambridge, USA. Besides her professional career, Lucie works as a postdoctoral researcher in Peace Research Centre Prague focusing on the study of states’ behaviour in cyber space. She holds a PhD from Charles University in Prague and an MA degree with distinction from War Studies Department, King’s College London.
KARI-PEKKA RANNIKKO
Col (Ret.) Kari Rannikko joined the CybExer Technologies OÜ strategy team in 2020 as Senior Advisor focusing on hybrid threats and strategic decision-making. His academic interests are focused on the EU's Integrated Approach to Crisis Management, which he pursues as a senior instructor at the Finnish Defence Forces International Centre. In 2019 Kari-Pekka served as the Project Manager in the Prime Minister's office of Finland during the country's EU Presidency.
He was responsible for Scenario Based Policy Discussions on Countering Hybrid Threats. Kari-Pekka has long experience in dealing with defence policy issues on the strategic level.
A PASSION FOR A SAFE CYBER WORLD
FORMULATING A DEPENDABLE CYBER SECURITY WITH A COMPREHENSIVE APPROACH
Strategic cyber expertise requires a holistic view and understanding of the interdependencies of people, practices and technology, and the opportunities for development that they offer. Our mission is to secure the functions of critical infrastructure as well as protect your organisation's most valuable assets. We guide you to a solid cyber security culture that strengthens your organisation's resilience to crises and reduces business risks.
Cyberwatch Finland strengthens the resilience of your organisation and helps prevent costly cyber disasters
BENEFITS AND COMPETITIVE ADVANTAGES
Improved situational awareness is the basis for better decision-making. Our clients can establish a holistic cyber security strategy, build situational awareness across the organisation, and take the necessary measures to build cyber resilience.
REFERENCES
In Finland, our major client is the Finnish Government and its ministries, such as the Prime Minister's office, Ministry of Foreign Affairs, the Ministry of Employment and the Economy, Ministry of Defence and Digital and Population Data Services Agency. We also work with Finnish cities and municipalities as well as many private companies from the banking, logistics and energy sectors such as Fortum.
We have facilitated cyber security strategy processes in many countries, for example in Eastern Europe and the Middle East. Our experts have created a course curriculum for Geneva Centre of Security Policy (GCSP) on Cyber Security Strategies and Policies, and organised the courses five years in a row. We have also assisted Geneva-based foundations such as DCAF (Democratic Control of Armed Forces) and the Diplo Foundation in their endeavour to build cyber security competence in many countries.
*Appropriate Client References will be available at request. In some assignments we are bound by specific restrictions stemming from Client confidentiality and privilege.
COMPANY
Cyberwatch Finland's strategic-level international expertise is based on experience and an extensive network of experts. Our mission is to be our clients' most trusted partner. Therefore we are constantly looking for the best ways to create steady strategic cyber security roadmaps that raise your cyber security to the highest possible level.
We develop cyber security strategies, risk analyses and roadmaps for cities and municipalities, states, companies and organisations aimed at a safer corporate culture, based on extensive strategic expertise and experience. The end result of well-executed strategy planning and implementation is resilience: an organisation's stronger crisis resilience and defence against cyber attacks.
Facilitation of cyber security leadership
On the basis of a comprehensive strategy, a concrete roadmap and capacity building plan will be created.
It defines how cyber security should be managed and how people should be trained, what technologies and best practices are needed, as well as all the other necessary practical actions and resourcing.
Situational awareness services
It is difficult to build reliable cyber security without knowing what is happening in the cyber world. Services include weekly, monthly, and quarterly reviews based on data collected from a variety of sources, industry reports. Our analyses provide a broad picture of the ever-changing cyber world, threats, their interdependencies, backgrounds, causes, and consequences.
DARKSOC™ as a service (NEW)
DARKSOC™ creates better cybersecurity resilience. It increases the capabilities of cyber intelligence and anticipates a constantly changing cyber world (early warnings). It complements the company's cyber maturity and serves as a tool for forensic investigations. It supports organisational strategic decision making by complementing strategic cyber awareness, helps to find vulnerabilities and weaknesses, and facilitates the implementation of the cyber strategy process.
Cyberwatch forensic services
Cyberwatch Forensic assists companies and other organisations in preventing, detecting, and responding to fraud, compliance violations, and other misconduct. We offer you independent expertise, a clear operating model, and the level of support you want. With our long and extensive experience, we can help you reduce fraud and corruption risks and support you in investigating internal or external misconduct. We also offer you a full-service whistleblowing channel.
Training, seminars, games and workshops
As a conceptual service, we produce monthly reviews, tailored seminars, webinars, games, workshops, podcasts and learning development solutions by utilising the latest technology and an international network of experts.
Risk analysis
Without comprehensive situational awareness, it is impossible to increase the capability to respond to cyber risks. A cyber security risk assessment is done to help determine your organisation's capabilities and limitations in detecting, preventing and responding to evolving cyber threats. Risk analysis is a key tool in facilitating your cyber security planning.
Innovative technologies
We support our customers in building resilient critical infrastructure through services and technical solutions that meet the cybersecurity requirements at the highest level in the fast-changing world.