Finnish companies have a good understanding of what cybersecurity is all about. However, how it affects the company itself is less clear. These are the words of Mikko Kiviharju, Professor of Practice at Aalto University and South-Eastern Finland University of Applied Sciences Xamk.
“It depends quite a lot on the size of the company. If a company has at least one person working on cybersecurity even part-time, that goes a long way,” Kiviharju says in an interview with Aalto Leaders' Insight.
Kiviharju's work focuses on cybersecurity in artificial intelligence and industrial automation. He also teaches in several Aalto EE programs.
According to him, the most important thing is for companies to be able to identify the key assets that need to be protected in their own company.
“Whether it's information systems, customer data, business plans, server stability... Is there something that is really critical that the rest of society is watching and needs to be kept up? These industries are becoming more prevalent because of the NIS2 directive and there may be obligations even for small businesses.”
Kiviharju has trained security professionals on issues such as the assets to be protected, their prioritization and the resources to be used to protect them, for example in Aalto EE's Diploma in Safety and Security Management Program and Diploma in Cyber Security program.
Criminals do illegal business and governments spy
Ever since his high school years Kiviharju has been interested in computers and why things work – or why they don't work. This led to his early interest in technology and security.
“This issue is at the root of quite a few cybersecurity threats. Why didn't the system work the way it was supposed to? Why didn't the firewall stop the intruder when it was supposed to?”
In a cyber environment, a system cannot be forced to do something it is not programmed to do. The fact that a system is insecure is not because the programming is 'shattered', but because it was programmed incorrectly in the first place.
“I have always had this kind of engineering-based approach to things.”
Prior to his professorship at Aalto University, Kiviharju worked for twenty years on cybersecurity and information security technologies at the Finnish Defense Research Agency.
It is important for businesses to understand that criminals are now doing illegal business online. For example, ransomware is a growing threat.
"For example, backup policies must be carefully considered: how backups are made, how decentralized are they, how often are they made? How well is the backup versioned? Is a virus check part of the process?"
Governments are another actor that has to be taken into account. China, for example, is increasingly spying on companies.
“The Chinese way of thinking is perhaps a little different from the European way. You don't necessarily have to be on bad terms with China, but everyone who knows China is a potential target for espionage – you have to learn from your friends, including their corporate secrets.”
“If everything is even a little bit protected, it already prevents a lot of trouble”
Kiviharju's research areas, such as the Internet of Things and artificial intelligence, bring many business opportunities for companies. They can be used to speed up and significantly improve the cost efficiency of many processes.
In cybersecurity, both defense and offense are becoming increasingly automated.
"Humans do not have the time to analyze and make decisions as quickly as AI can. Especially if it's not an action that you have to be absolutely legally certain you’re getting it right, but rather you just need to get a sense of what your opponent did, then in those cases AI is pretty invincible.”
One of the key risks of technology is that anyone in the organization can compromise the security of the company.
“Criminals often choose the easiest route. If that route has even a bit of protection, that's pretty much a deterrent.”
It is therefore important to maintain cybersecurity awareness in the workplace. Kiviharju goes on to say that a Microsoft study shows that up to 99% of cyber-attacks could be prevented with basic data security.
The average company, which does not operate in a very critical sector and does not control state secrets, is usually not a direct target of cyber-attacks simply because of its name or customer data, but as part of a larger group.
“Usually, if you're a little bit better than the others at cybersecurity, you can do well. Most things are the same as in a normal environment: for example, if something looks too good to be true, it probably is too good to be true.”
Security threatened by rush and hierarchical organizational culture
Organizations should also understand that big things cannot be done in a hurry. Many attacks get through precisely because of people doing things in a rush, such as opening a PDF attachment of a message to check something.
If the situation does not seem credible, Kiviharju advises checking and daring to question before acting.
“I need to be able to check, for example with the front office, whether the CEO actually sent me an email and a request like this.”
Of course, this requires a low-key organizational culture where asking questions and verifying things are allowed.
"Even the management of an organization has to accept that cybersecurity raises questions about whether or not something was intended."
Cybersecurity skills increasingly needed
Why do organizations need to develop cybersecurity skills and knowhow now?
According to Kiviharju, the primary reason is that cybersecurity is entering areas where it was not needed before and is expanding elsewhere as well.
An interesting example is the financial sector, which has traditionally had strict security requirements and is a pioneer in this respect.
However, there have been criticisms that the industry protects its own business but not always the consumer. Some cases of fraud have shown that, for example, financial and credit card systems are not sufficiently secure for consumers.
"Lenders are difficult to fool, but consumers provide an easier asset," Kiviharju sums up.
Another key reason is that the range of targets requiring protection is becoming wider. Companies are now having to train new people and move them into cybersecurity roles.
“On the other hand, cybersecurity threats are constantly evolving and their relationships are changing. Understanding them requires new skills, so cybersecurity professionals need to continuously develop their skillsets,” Kiviharju says.
Mikko Kiviharju, Professor of Practice
Education: D.Sc.(Tech) in Computer Science from Aalto University
Research interests: applications of cybersecurity in the areas of logistics and critical infrastructure.
Currently working on: Protection of the AI's internal process. “AI is doing things in the dark: we can't see what it's doing. But in quite a few high-security cases, that would be important.”
Would like to learn more about the integrity protection of artificial intelligence using cryptographic methods.
Relaxes by woodworking in the garage. “It's the kind of meticulous work you have to concentrate on.”