Having produced a Global Cybersecurity report in June 2021, Startup Estonia reached out to me to produce a companion piece to provide Estonian startups and small businesses with local cybersecurity information and advice from Estonian experts.

I travelled to Tallinn and Tartu and interviewed four local experts, my future signals sources, and have summarised their responses to my questions in the report below. Every expert shares a different perspective and unique insights on what startups, entrepreneurs and business owners can do to protect their IP, staff, investors and customers and how to create robust future businesses in our ever-evolving world.

For full transparency the audio recording of our full discussions in also made available at the end of the report.

This future signals Cybersecurity Report Estonia Edition is created in association with Startup Estonia and with the support of the European Regional Development Fund under the Startup Estonia EU50651 program.

The report is free and available to all. Please share it widely with anyone who may benefit from these expert insights. You can follow me on Twitter or LinkedIn to receive updates and new future signals reports.

Kristen Davis

CEO & Founder, CinqC.co

Q1. Is future cybersecurity a technical, government, business or societal issue?

📡 Signal cluster: Security must be the concern of all, not just the responsibility of technical teams. Everyone has a role to play, a different role perhaps, but we are all in this together and share the security responsibility.

• Liisa Past: The answer is Yes! In Estonia, the people who laid the foundations for our secure e-governance and for a Secure Digital State were technologists with a vision. The infrastructure that underlies the government services is now widely used and commercial products have become viable because of this. Without these services, across the different governance domains from defence to communications and telecommunications, to education and everything else, you can't really be a digital society. 
  We have two technical facilitators that allow for secure services: one of them is the ID card with 2-factor authentication, a government backed method of making sure I'm me, and the second is the X-Road, our secure data exchange layer. Both of these facilitate our ecosystem and allow close-to plug-in services for the private sector, the public sector and between citizens. So for me security is an everything question.
• Mari Seeba: I have to say that security is a topic for every actor. There is no cyber security without the government as they make the decisions, hold the skills, resources, and supervise policy implementation. We can build a technical defence, but, if citizens don't have a security culture they will just find workarounds and so it becomes a societal issue too.  The issue is that many people think that cybersecurity is a technical issue that they don't care about and think it should be the responsibility of technical teams.
• Rain Ottis: Our society is reliant on digital technologies, which poses an interesting problem that manifests itself through cybersecurity problems. Technology, businesses and the government have to deal with this issue for the benefit of society. The government has the responsibility to regulate, to police, to monitor for certain behaviours or for the quality of products and services to provide a secure experience for the society. Businesses have opportunities to provide other solutions and services. Business and government have different roles but overall, they both try to serve society in their own way, so I would say we're all in this together but we all have different roles to play.

Q2. What will change identity, trust and security in the near future?

📡 Signal Cluster : User and vendor verification, authentication and certification as well as behaviour analytics and monitoring.

• Rain Ottis: Governments and the tech sector are trying to create better, more secure ways to authenticate people and this is slowly making its way through society and the economy. Two-factor authentication is probably something that you have heard of because social media keeps telling you to turn it on, but this can look like an extra hassle. 
• Liisa Past: We can't overlook the accelerated digital transition of most societies in the last 18 months. During this period we saw cyber attacks taking advantage of the fact that people weren't in office environments. What that means in security is that perimeter defence is much less relevant and we're moving more to endpoint defence, user validation, user behaviour analytics and monitoring solutions.
• Mari Seeba: I think the main change will be related to supply chain management because you need to know what assets you're using in your company, and understand how dependent you are on them and third party products and services. Your supply chain is an aspect of your business risk as well as security risk as you must verify the identity of all your service providers, so I predict we will hear a lot about certification to establish supply chain security. It could become bureaucratic managing all these certificates for vendors but as this is how we can establish trust this is probably what we’ll be doing more of in our near future.

📡 Outlier signals: We’ll have more identities and personas in the future and we’re going to need more user-friendly ways to safeguard them and better ways to authenticate using them.

• Jesse Wojtkowiak: I think the thing that will change identity the most is the way people perceive it and use it. Having one identity has always been the norm throughout history, but as time goes on, people commonly have more than one passport and more than one persona for LinkedIn and Facebook. In the past, this was a luxury feature and in the future this will be standard behaviour. Having multiple profiles is going to become the norm.
• Rain Ottis: We need better and more user-friendly, low overhead options to safeguard our identities, and to make sure that we can actually authenticate more easily. I do believe there's going to be development in this in the next 18-24 months.

Q3. What is the one thing businesses should start doing, or be doing more of, to better ‘future protect’ their stakeholders (customers, employees, shareholders, investors)?

📡 Signal cluster: Consider your C.I.A - not your Central Intelligence Agency, but your business and data Confidentiality, Integrity, and Availability. Understand your assets, your customers and use this knowledge to define your security requirements, and you’re never too small to adopt baseline controls and frameworks!

• Mari Seeba: To start you need to understand your business objectives and then consider what kind of assets you have in relation to this. Once you know this you can then define your security requirements around them in relation to GDPR, legal requirements, your IP and your data integrity. You also need to consider who needs to have access to what and how often - your ‘CIA’ triangle - Confidentiality, Integrity and Availability. Once you’ve determined this you can do risk analysis and take some baseline security measures in line with your business objectives, your budget, your risk appetite and acceptance criteria.  I want to add that this security issue is not an IT-department issue. It's really important that top level leadership provides resources and oversight. Your cybersecurity should be part of your business risks.
• Jesse Wojtkowiak: Find an information security management system and adopt a compliance framework that resonates with your customers; those are the two things you need to decide on in the very beginning. Once you have that you’ll start to improve security and if you keep investing over time, you'll get to the security results that you're looking for. The information security management system and a compliance network are not security tools - they are mechanisms to create trust with customers. Using this you can create a standard behaviour for users and test against that standard behaviour.  I recommend the UK's NCSC that maps nicely to the NIST framework. This provides a basic level where an organisation could start and shows what the next step would be so you can plan actions to get to the next level. I recommend starting here.
• Liisa Past: Small companies are not required to do audits but that's not to say that small and growing businesses shouldn't work with security policies in mind. 
  ISOO27001 compliance is not something a small company should be worried about but I'm a big fan of adopting security controls before baseline standards because they build up to the same end but are more flexible. There are a few out there that are pretty good: the US-based Centre for Internet Security CIS controls for example, and the British NCSC cybersecurity agency and ENISA all provide good advice.

   

Q4. Which one of these is going to be the most critical to protecting startups and small businesses that don’t have cybersecurity expertise or budgets: Policies, policing, or education?

📡 Signal cluster : Education, awareness and good information are key. You can use them to unite and empower your users and workforce, create cyber hygiene and a security mindset, and identify the security champions on your team.

• Rain Ottis: I'm obviously biassed and so voting for education but I can rationalise my choice in that having policies and policing is pointless if your workforce or your users are not aware of the problems and behave in a way that may actually introduce further vulnerabilities into your system. I am not as naive as to think that we can educate everyone, but we do need to push a basic level of cyber hygiene out to everyone, even in startups.  For startups, it is cheaper to think about security in the beginning than to try to bolt it on later. The odds of you actually making it as a unicorn with poor security are poor so, start when you're small and this will pay off in the future; especially if we get to a point where people start to demand more responsible behaviour from their service providers.
• Jesse Wojtkowiak: In my opinion education awareness is the most critical. I find that if you give people good information they have a hard time resisting using it. If they get educated and are aware of something they start thinking differently. If you want to get to a security mindset the easiest way to do this is security awareness.

  One way we did this was to create an all-day security event for all employees. People got to work as a team and this removed the fear of isolation around not knowing something. Everyone quickly got to see who knew what and the people who knew most usually ended up helping others in their group. This also enabled me to identify my security champions as well as let everyone else see who they were so they knew who to go to with questions; these people became trusted confidants for the group.

Q5. Covid-19 and remote work has radically changed cybersecurity perimeters & practises. How must cybersecurity management evolve given that hybrid working is here to stay?

📡 Strong Signal: Zero Trust (See the responses from the Digital Minister of Taiwan and the former Head of the NSA in the Global Cybersecurity Report who also cite Zero Trust as a growing security practise)

• Jesse Wojtkowiak: At Pipedrive we had already started the journey to Zero Trust networks before COVID happened and so when the pandemic did affect us we could take very quick leaps and get to a more comfortable place. I think Zero Trust networks are the future. This means every time you go anywhere and connect, your identity is validated, even if you're going to the same place within the same hour, you’ll have to log in again. It doesn't take a second to do so there's a reason not to adopt it.

📡 Signal Cluster: Not only do you need to validate the identity of your users/partners/vendors, you also need to know where your data is and who is accessing it, from where...

• Rain Ottis:Today, not only have employees moved outside of perimeter walls, but also your crown jewels have probably moved outside your perimeter and into the cloud. It is like a Super Mario game but your princess is not in the castle. Where is your data? Where is this other castle? Instead of castle walls your defences have to shift; you have to start monitoring to detect anomalies earlier, for example if a user account is logged in from two countries at once. There are systems that can do this but you cannot just turn them on. You have to understand your network and how users use your services then build monitoring and focus on reacting to the things you detect. History tells us 100% security wasn't a thing when we used moats and walls and like then, this is really just about fighting for time.

  It is worth noting that if you have your security system set up so that your employees and users have a good experience this can probably help your company make more money.

• Liisa Past: Remote working means you need to ensure that information doesn't end up in strange places. People might be working across national boundaries or outside of the EU. If you're working with GDPR compliant systems you can't really do that from outside of EU borders because that information is not supposed to leave the EU.

Q6. Who should you call when you need help?

📡 Signal Cluster: As soon as you think you may have an issue, take action. Notify the authorities, report the incident, communicate to your teams and customers, ...

Proactively plan and practise for incidents so you are not caught-out trying to come up with a plan in a time of crisis.

• Mari Seeba: If you believe that somebody external is attacking you and it could be harmful to you, to your company or others the most important thing is to inform the authorities. There are two services to help you: 

1. CERT-EE, the organisation responsible for the management of security incidents in .ee networks. It is also a national contact point for international co-operation in the field of cyber security. Via their site you can report cyber incidents and if you check a box then they will also send information to the police. You can also call CERT-EE on 24/7 on +372 663 0299.

2. You can also contact the police via their site: cyber.politsei.ee or call on +372 612 3000, especially in case of personal identity theft, a malware attack or suspicious email, etc.

If you consider a risk to human life and health to be likely, then call 112 directly, even in the case of a cyber incident.

If your company has a data breach related to your clients or vendors personally identifiable data then by law you have to notify the Data Protection Authority within 72 hours of the incident.

• Jesse Wojtkowiak: If you have an information security management programme then you should already have conducted a Business Continuity Plan and have a Disaster Recovery Plan. These are the first steps to take to be able to react. Business Continuity requires identifying what you want to protect and what's important with regards security and business operations. Your marketing operations and sales teams may have different security and continuity needs and priorities. Once you understand what's important to them you can create your Business Continuity Plan. Doing this also allows you to engage all the organisation and again identify your security champions, and develop your plan with them.

  Having a Disaster Recovery Plan means you know who you are going to call and when an issue occurs; you've already got your reaction mapped out and so you're not trying to figure out what to do in a moment of crisis. If your plan is to not plan for the worst, then you've already failed, and you probably shouldn’t be trusted with the assets you have been trusted with. That's just poor leadership.

• Rain Ottis: If you think that somebody is doing something maliciously that may cause financial harm or affect the health or well being of somebody, then you should call the police.  We have laws to handle this and we have law enforcement to enforce those laws. The most important thing is that the issue gets reported and logged as an incident. If you keep it to yourself and nobody talks about issues then it's easy to say that the problems don't exist. I know it is a painful decision to make, especially if you're the first one to report an issue, but you will also be the bravest.  A friend of mine says, ‘Talking about your weakness is a sign of strength.’ Only the strong can admit that they have weaknesses, so show your strength. If you are trying to project that you are invulnerable and cannot be attacked then you're deluding yourself so communicate when there is an issue. It's a simple, very generic answer, but probably the best thing you can do, and it's free.

Q7. What one thing have you not told me that startups and small businesses need to know?

Mari Seeba: I want to suggest some resources where you can get more information.

A good place to start is our RIA blog or the RIA news feed.

The Estonian Information Security Standard Portal is an MVP at the moment with information only in Estonian, but it has all the documentation you need including a security measures catalogue and related supportive materials to implement an information security management system. You can also find help on popular security standards like ISO27001, CIS20 or NIST CSF. Estonian standards allow optimisation in typical asset usage, providing ready-made sets of measures; some other standards require full risk management.

Another great thing to do is to participate in Capture the Flag (CTF) cyber competitions or hands-on hacking training. Both will help you understand how easy it is to attack someone and can help you change how you think about cybersecurity. Through this you’ll understand that cybersecurity is an issue for everybody and not only IT because most mistakes are made by people, and not technology.

Jesse Wojtkowiak: I would recommend that when you are recruiting and interviewing the candidates should also be asked about their security knowledge; this should be part of the interview process as there's no part of your organisation that's not touched by security. People who talk to you customers may have to respond and address their fears and they need to be ready to have that conversation. Salespeople who are trying to get new customers have to put them at ease and build trust. Someone can be a great developer, but if they say ‘I don't do security’, you're going to be paying other people to carry that responsibility for them. That’s an additional cost and one that is probably going to hurt your culture too. The same goes for your management team; if your leadership is not on-board or invested in security, then they're going to be making the wrong decisions for the future of the business, and not just your business, but also for your supply chain, and everyone you’re connected with.

Liisa Past: There is still a school of thought that thinks of security as a well-hidden, secretive silo within an organisation. I understand the thinking but security needs to be integrated into all your operations. If it is isolated then it's really hard to mainstream and it takes a lot of manual labour.

Make cybersecurity a normal part of running your organisation like workplace safety, financial management, or HR. Every project and process has to be accountable to HR or budgetary rules and regulations and they should also be accountable for security.

The information security specialists can help and empower the whole organisation. Security cannot be marginalised in a single department. That's as true in government as it is in very small and growing, ambitious organisations.

Rain Ottis: I would like to emphasise that getting started in cybersecurity is free. Just invest a little bit of time. I know that time is also valuable, especially on the first days of your startup but is time well spent. Even if you call a smart friend or go to YouTube and put in some search words there are a lot of opportunities to avoid rookie mistakes in your early days.

Maybe you haven't even set up your company structure yet and you’re still operating on our own personal accounts but just take the trouble to agree how you treat your data. Ask ‘Does everybody here know what two factor authentication is? and can we agree that we're going to use this?’ Or, ‘Will we use some sort of encryption? Do we make backups? Whose responsibility is it to make backups?’ Even on day-one, if you have no infrastructure, no domain registered, and a budget of zero there are things you can do. As long as you take the time to think about them, do a bit of research, and then agree and execute. Just don't be afraid to take the next step to become better tomorrow than you were today.