Chronicle: Cybersecurity

IT and OT security caught between technical debt and new legislation

Magnus Rosendahl, Plantvision

On 27 June 2024, IT-kanalen published this column written by Plantvision's cybersecurity expert Magnus Rosendahl. The column highlights the important topic of investing in cybersecurity, the technical debt Sweden carries, and the demands this places on organizations.
_________________________________________

Sweden has undergone rapid digitization over the past decade, creating opportunities ranging from hybrid work to seamless digital commerce, but also significant security challenges.

Following Sweden's entry into NATO, a broader geopolitical threat picture, and new regulatory requirements from, among others, the NIS2 directive, organizations now have to deal with a long-standing problem: technical debt.

The gap between often outdated OT (operational technology) systems and modern cybersecurity requirements is large. Swedish companies risk being exposed if we do not prioritize security in both information technology and operational technology.

Costly bill for business downtime

Sweden has a long tradition of innovation and manufacturing, with prominent companies such as LKAB, SSAB and Sandvik forming the backbone of our economy. Both production and operational stoppages have significant economic consequences. They affect not only the companies but also our exports and GDP, especially when it comes to critical goods like medicine or steel. A recent study estimates that digital outages cost the 2,000 largest companies in the world $400 billion annually, equivalent to an average of 9% of their profits.

When companies and organizations keep using old and outdated systems instead of investing in more modern, more secure alternatives, while both society and legislation evolve at a faster pace, technical debt is created. Operational technology is essential for all production, but in critical sectors the impact becomes more tangible. This is particularly problematic in sectors critical to society, such as electricity and water supply and medical manufacturing, where OT is central to daily operations. Among other things, the technical debt creates a vulnerability to cyber attacks.

The challenge of new regulations

The NIS2 Directive is the EU's initiative to strengthen cybersecurity in critical sectors. The directive sets high standards for security and comprehensive reporting, but many Swedish companies are not adequately prepared. The current compliance timeframe of October 17 is challenging.

Today, for example, there are around 2,000 hydropower plants spread across most municipalities in Sweden. Together they account for almost half of our electricity supply. Each of these now has to navigate new, complex regulatory requirements, a major challenge compounded by extensive technical debt.

 


 

Lack of resources a major problem for a growing tech debt

One of the main obstacles to reducing technical debt is the lack of resources and skills. Many companies and businesses do not allocate the financial resources required to create a secure IT/OT environment. This is a challenge that cannot be solved overnight and requires long-term investment and extensive training. Some systems may be running on operating systems that no longer exist, or on outdated versions.

It is now necessary for Swedish businesses and public organizations to be proactive. Investing in security is no longer just a cost, but insurance for the future. For example, one of the new requirements in NIS2 is that the board or management must be committed to cybersecurity and have clear responsibilities. This helps us all to see security as an investment in our future and our national security. Boards and management, not just IT managers, must take responsibility for cybersecurity and ensure their organizations are ready for modern requirements and a new threat landscape.

Outdated systems and a habit of deprioritizing investments in security threaten not only our businesses but also our critical infrastructure, our citizens and our national security. Pharmaceutical companies, manufacturing industries, energy companies and others must all prioritize reducing their technical debt to mitigate the consequences of the next major cyberattack or security breach.

Article author

Magnus Rosendahl
Business Advisor Cybersecurity
