About CinqC's future signals
Bringing together expert voices from government, military, legal, business and tech, CinqC's future signals shares news and views you can use with startups, entrepreneurs and small businesses around the globe.
future signals gathers short- to mid-term (18-24 months) perspectives from our signal sources, identifies signal clusters where our experts' opinions coalesce, and highlights outlier signals that may indicate things to come or that you might need to put on your radar. The objective is to share pragmatic and practical advice along with methods you can adopt and tools to help you adapt. These are news and views you can use to create robust future businesses in our ever-evolving world.
Having produced a Global Cybersecurity report in June 2021, Startup Estonia reached out to me to produce a companion piece to provide Estonian startups and small businesses with local cybersecurity information and advice from Estonian experts.
I travelled to Tallinn and Tartu and interviewed four local experts, my future signals sources, and have summarised their responses to my questions in the report below. Every expert shares a different perspective and unique insights on what startups, entrepreneurs and business owners can do to protect their IP, staff, investors and customers and how to create robust future businesses in our ever-evolving world.
For full transparency, the audio recording of our full discussions is also made available at the end of the report.
This future signals Cybersecurity Report Estonia Edition is created in association with Startup Estonia and with the support of the European Regional Development Fund under the Startup Estonia EU50651 program.
The report is free and available to all. Please share it widely with anyone who may benefit from these expert insights. You can follow me on Twitter or LinkedIn to receive updates and new future signals reports.
CEO & Founder, CinqC.co
📡 Signal cluster: Security must be the concern of all, not just the responsibility of technical teams. Everyone has a role to play, a different role perhaps, but we are all in this together and share the security responsibility.
📡 Signal cluster: User and vendor verification, authentication and certification, as well as behaviour analytics and monitoring.
📡 Outlier signals: We’ll have more identities and personas in the future and we’re going to need more user-friendly ways to safeguard them and better ways to authenticate using them.
📡 Signal cluster: Consider your C.I.A.: not your Central Intelligence Agency, but your business and data Confidentiality, Integrity, and Availability. Understand your assets and your customers, use this knowledge to define your security requirements, and remember that you are never too small to adopt baseline controls and frameworks!
📡 Signal cluster: Education, awareness and good information are key. You can use them to unite and empower your users and workforce, create cyber hygiene and a security mindset, and identify the security champions on your team.
One way we did this was to create an all-day security event for all employees. People got to work as a team and this removed the fear of isolation around not knowing something. Everyone quickly got to see who knew what and the people who knew most usually ended up helping others in their group. This also enabled me to identify my security champions as well as let everyone else see who they were so they knew who to go to with questions; these people became trusted confidants for the group.
📡 Strong signal: Zero Trust (see the responses from the Digital Minister of Taiwan and the former Head of the NSA in the Global Cybersecurity Report, who also cite Zero Trust as a growing security practice).
📡 Signal cluster: Not only do you need to validate the identity of your users, partners and vendors, you also need to know where your data is, who is accessing it, and from where...
It is worth noting that if your security system is set up so that your employees and users have a good experience, it can probably help your company make more money as well.
📡 Signal cluster: As soon as you think you may have an issue, take action. Notify the authorities, report the incident, communicate to your teams and customers, ...
Proactively plan and practise for incidents so you are not caught out trying to come up with a plan in a time of crisis.
CERT-EE is the organisation responsible for the management of security incidents in .ee networks. It is also a national contact point for international co-operation in the field of cyber security. Via their site you can report cyber incidents and, if you check a box, they will also send the information to the police. You can also call CERT-EE 24/7 on +372 663 0299.
You can also contact the police via their site, cyber.politsei.ee, or call on +372 612 3000, especially in cases of personal identity theft, a malware attack, a suspicious email, etc.
If you consider a risk to human life and health to be likely, then call 112 directly, even in the case of a cyber incident.
If your company has a data breach involving your clients' or vendors' personally identifiable data, then by law (the GDPR, Article 33) you must notify the Data Protection Authority (in Estonia, the Data Protection Inspectorate, Andmekaitse Inspektsioon) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the affected individuals. Note that the clock starts when you become aware of the breach, not when the incident itself occurred, so having your detection and escalation path defined in advance is what makes the deadline achievable.
Having a Disaster Recovery Plan means you know who you are going to call and, when an issue occurs, you've already got your reaction mapped out, so you're not trying to figure out what to do in a moment of crisis. If your plan is to not plan for the worst, then you've already failed, and you probably shouldn't be trusted with the assets you have been trusted with. That's just poor leadership.
Mari Seeba: I want to suggest some resources where you can get more information.
A good place to start is our RIA blog or the RIA news feed.
The Estonian Information Security Standard Portal is an MVP at the moment with information only in Estonian, but it has all the documentation you need including a security measures catalogue and related supportive materials to implement an information security management system. You can also find help on popular security standards like ISO27001, CIS20 or NIST CSF. Estonian standards allow optimisation in typical asset usage, providing ready-made sets of measures; some other standards require full risk management.
Another great thing to do is to participate in Capture the Flag (CTF) cyber competitions or hands-on hacking training. Both will help you understand how easy it is to attack someone and can help you change how you think about cybersecurity. Through this you’ll understand that cybersecurity is an issue for everybody and not only IT because most mistakes are made by people, and not technology.
Jesse Wojtkowiak: I would recommend that when you are recruiting and interviewing, the candidates should also be asked about their security knowledge; this should be part of the interview process as there's no part of your organisation that's not touched by security. People who talk to your customers may have to respond to and address their fears, and they need to be ready to have that conversation. Salespeople who are trying to get new customers have to put them at ease and build trust. Someone can be a great developer, but if they say 'I don't do security', you're going to be paying other people to carry that responsibility for them. That's an additional cost and one that is probably going to hurt your culture too. The same goes for your management team; if your leadership is not on board or invested in security, then they're going to be making the wrong decisions for the future of the business, and not just your business, but also for your supply chain, and everyone you're connected with.
Liisa Past: There is still a school of thought that thinks of security as a well-hidden, secretive silo within an organisation. I understand the thinking but security needs to be integrated into all your operations. If it is isolated then it's really hard to mainstream and it takes a lot of manual labour.
Make cybersecurity a normal part of running your organisation like workplace safety, financial management, or HR. Every project and process has to be accountable to HR or budgetary rules and regulations and they should also be accountable for security.
The information security specialists can help and empower the whole organisation. Security cannot be marginalised in a single department. That's as true in government as it is in very small and growing, ambitious organisations.
Rain Ottis: I would like to emphasise that getting started in cybersecurity is free. Just invest a little bit of time. I know that time is also valuable, especially in the first days of your startup, but it is time well spent. Even if you call a smart friend or go to YouTube and put in some search words, there are a lot of opportunities to avoid rookie mistakes in your early days.
Maybe you haven't even set up your company structure yet and you're still operating on your own personal accounts, but just take the trouble to agree how you treat your data. Ask, 'Does everybody here know what two-factor authentication is, and can we agree that we're going to use it?' Or, 'Will we use some sort of encryption? Do we make backups? Whose responsibility is it to make backups?' Even on day one, if you have no infrastructure, no domain registered, and a budget of zero, there are things you can do, as long as you take the time to think about them, do a bit of research, and then agree and execute. Just don't be afraid to take the next step to become better tomorrow than you were today.
📡 future signals sign out
I'd like to say a big thank you to the four expert signal sources for sharing their time, experience and expertise so generously.
At Startup Estonia I'd like to thank Marily Hendrikson and Liisi Org for instigating this Estonia Edition, helping me reach out to the experts, and for sharing the report with their communities. Thank you also to the European Regional Development Fund for their support in making this report possible.
Finally, a special thanks to David T., who always has my back 🙏