Our Cyberday team entered the autumn in full swing, and we participated in the Cyber Security Nordic event on 29-30 October as a Strategic Partner with our full team. In this blog post, you can join us for the event aftermath, hear the highlights and get insights into the event topics.
The Cyber Security Nordic 2024 event took place at the Helsinki Expo and Convention Centre. The annual conference focuses on critical cybersecurity topics, including politics, the economy, current threats, and future developments in the field. The event brings together IT and cybersecurity professionals, public and private sector leaders, and government officials.
This year’s program featured keynotes, speeches and discussions on diverse issues such as cyber resilience, digitalization security, strategies for cybercrime prevention, and the intersection of geopolitics and cybersecurity. NIS2 was the talk of the town again, for example in terms of supply chain security, security posture management and NIS2 in general at the European level. The event provided a platform for sharing knowledge and staying updated on the latest trends and challenges in cybersecurity. Let's look more closely at a few of the topics highlighted at the event. We've created this post to offer insight into these topical themes, also for those who were unable to attend the event.
Hot topics at CSN 2024 🔥
Supply chain security
Supply chain attacks have escalated significantly in recent years, posing substantial risks to organizations worldwide. It is important to remember that an organisation is only as secure as its weakest link.
Supply chain attacks are a form of cyber-attack where attackers infiltrate an organization by exploiting less-secure elements within its supply chain. This could involve compromising software updates, injecting malicious code into third-party products, or breaching service providers who have trusted access to critical systems. Supply chain attacks can lead to far-reaching consequences, affecting not only the targeted organization but also its customers and partners.
Safeguarding the supply chain is a complex but essential part of modern cybersecurity. By understanding the threats and implementing solid security protocols, companies can better protect themselves against such indirect but highly effective attack routes. Organizations that proactively work with their supply chain to improve security posture not only reduce the risk of attack, but also foster a culture of security that benefits all members of their ecosystem.
At Cyber Security Nordic, the subject was also discussed in terms of requirements frameworks: New requirements regarding supply chain management are currently coming in from frameworks such as DORA, CRA and NIS2, so let's look a bit closer into what you might need to know.
NIS2
NIS2 mandates that organizations implement effective risk management measures that account for the cybersecurity of their entire supply chain. This includes ensuring that third-party vendors and partners meet certain security standards to protect the organization and reduce overall supply chain risk.
NIS2 promotes shared responsibility and transparency by requiring organizations to establish clear communication and cooperation across their supply chain networks. This involves defining roles and responsibilities within security protocols to ensure that each entity understands its role in maintaining security. By fostering a culture of collective accountability, NIS2 aims to strengthen the overall security of supply chains.
We cover more on how NIS2 encourages stronger supply chain collaboration in our other blog post here.
DORA
The Digital Operational Resilience Act (DORA) is focused on strengthening the digital resilience of financial entities and places a strong emphasis on managing supply chain security. DORA recognizes that financial institutions rely on a complex network of third-party providers, and these relationships introduce unique cybersecurity risks. DORA requires financial entities to evaluate and manage the risks linked to ICT third-party providers, such as cloud services, software vendors, and other tech suppliers. This includes conducting careful assessments of these providers and ensuring they meet cybersecurity standards.
DORA's requirements aim to build a secure and resilient financial sector by addressing risks associated with ICT third-party providers. By ensuring accountability for both financial institutions and their key third-party providers, DORA strives to establish an ecosystem where supply chain security is essential to the operational resilience of the EU’s financial system.
AI + cybersecurity = ?
There is a lot of discussion of AI in the context of information security, and this was also clearly reflected in many aspects and presentations at the event, including AI-driven NDR, future prospects, and the risks and opportunities of AI. As AI gradually takes its place in professional and everyday life, its importance for information security will also grow. AI presents opportunities, but equally it raises concerns. AI is transforming cybersecurity, creating both new opportunities to strengthen defenses and new risks that organizations must address.
AI offers multiple opportunities when we speak of cybersecurity. AI can, for example, identify and analyze vast amounts of data at speeds far beyond human capabilities, making threat detection as well as malware and phishing detection much faster. AI can also be useful in improving an organization's incident response, reducing response time and minimizing overall impact. The possibilities for AI are countless, and it will be interesting to see what the future holds.
But when we speak of the opportunities of AI, we also need to discuss the risks and threats. AI can be used to boost various cyberattacks, and without a doubt cybercriminals can find ways to "trick" AI through manipulation. AI is also not foolproof - it can give false information and mislead. Last but not least of the threats mentioned here, AI raises data privacy concerns, especially with sensitive information. Organizations must ensure data is handled in compliance with privacy regulations.
In the end, the key to success is awareness. One possible way forward is to learn to harness the benefits of AI in cybersecurity while managing the risks. Ideally, AI would be used not as a replacement for, but as a support to, the human element in information security.
Cyber resilience
Cyber Security Nordic also brought up cyber resilience, with discussions focused especially on Finland and the Nordic countries. Cyber resilience is essential because no organization can be entirely immune to cyber threats. A resilient organization can avoid extensive damage from incidents, continue serving customers with minimal interruption, protect its reputation, and reduce financial losses. As cyber threats continue to evolve, especially with the increasing complexity of supply chains and remote work environments, organizations are prioritizing resilience to ensure long-term security and stability.
- Risk Management: A big part of cyber resilience is identifying potential threats and vulnerabilities, evaluating their impact, and implementing measures to mitigate risks. This includes continuous risk assessment to stay ahead of emerging threats and ensure that all assets, especially critical ones, are well protected.
- Incident Response: Preparing for a swift, effective response when an incident occurs. Incident response plans should include specific protocols, assign roles and responsibilities, and ensure that response teams are trained and ready to act. The goal is to contain and mitigate any damage as soon as possible.
- Business Continuity: This aspect focuses on maintaining operations during an attack and swiftly recovering afterward. Business continuity plans keep essential functions running, while disaster recovery plans restore data, systems, and operations after an incident.
- Continuous Monitoring: Monitoring systems continuously for anomalies helps detect and respond to incidents early. Threat intelligence enables organizations to stay informed about new and emerging threats, allowing them to adapt defenses in real-time.
- Regular Testing: Simulating attacks, for example through penetration tests or incident response exercises, helps evaluate an organization’s readiness and resilience, identifies weaknesses in the response plan, and provides opportunities to refine and strengthen it.
- Supply Chain Security: Yes, the topic we previously discussed is also a major part of cyber resilience - ensuring that third-party vendors and partners also maintain strong cybersecurity practices is crucial.
Thanks for many great encounters at our stand!
We want to sincerely thank everyone who came to meet our team at our stand. 👏 We had two really active days full of great customer discussions.
Some of the most highlighted topics our customers were interested in included:
- Automation & AI: Especially how to use them when getting started in compliance work to reach some first results, to answer security questionnaires sent by their own customers, and later to fine-tune the maintenance and improvement of an ISMS.
- Vendor security assessments: We recently launched these features, and they have clearly garnered the interest of many people responsible for information security. We got many ideas on how to fine-tune vendor assessments and are already working on further enhancements. 👍
- Integrations: Many of our users who are already further along in their ISMS journey wished for ways to pull more content from different systems into the ISMS to streamline monitoring, metrics, evidence collection and continuous improvement.
Other honorary mentions go to CRA (the EU's Cyber Resilience Act, which sets cybersecurity requirements for products with digital elements) and managing information security in bigger corporate groups, where the central unit handles some of the work and subsidiaries need to do the rest. For the latter, we have also recently published the first features.
All of the above will certainly be themes our team will continue working on. Join the discussions, for example in the Cyberday Community's development ideas forum, or follow our team's development items in our weekly newsletters!
Our message: ISO 27001 on steroids - surviving the regulatory storm wave
As a strategic partner of the Cyber Security Nordic event, we also had a chance to get up on the stage and give a keynote. Our CEO and Co-founder Ismo Paananen took the stage with the topic: ISO 27001 on steroids - surviving the regulatory storm wave.
European organisations are facing a wave of new cyber security regulations. NIS2, DORA, CRA and many others are creating new demands on organisations to comply with the law and with ever-growing customer requirements. The regulation affects not only the directly named industries, but also a huge number of companies playing a role in the supply chain. ISO 27001 is the battle-tested approach to tackling these challenges, but its implementation needs enhancements to cover all the needed aspects. Ismo presented how to comply with all the needed requirements and even create business value using a lean approach to ISO 27001 with regulatory additions.
Proving information security can be challenging in some situations without a good, comprehensive overview: endless Excel spreadsheets, implicit legislation and countless pages full of legal text, not to mention the challenges of ongoing monitoring, maintaining compliance, and staff awareness and training. Cyberday has set out to find a better way to do this.
Ismo's speech came full circle: he talked about his passion for security, the challenges organizations may face with compliance matters, and the Cyberday way, in which organizations create a unified plan based on selected frameworks. With solutions like Cyberday, organizations can better prepare for the unknown, keep track of their compliance and security measures, and share awareness among employees. It was great to see Cyberday presented on the main stage, and Ismo's insightful keynote was very well received by the audience. Thank you to those who were there to listen!
We also published a blog post for the event, Navigating the Cybersecurity Maze: Master NIS2 with the help of ISO 27001, where we cover some of the same themes discussed here. Directives such as NIS2 can require procedures for specific areas of information security, but can't and won't specify what these procedures should be. Voluntary standards such as ISO 27001 can go further and state what those sufficient measures could be.
Cyber Security Nordic, in collaboration with FISC and FiBAN, organized Pitch Finland Cyber Security, a pitching competition searching for pioneering solutions with the potential for international growth. The competition is open to cybersecurity companies, teams, and organisations. We were honoured to be among the five finalists. We received some very good feedback on our pitch, and it couldn't have gone better. Congratulations also to Siren Anti-Cheat for their interesting solution, and great job to the winning team!
Final thoughts
Overall, Cyberday's time at the event was a great success, and our team had a wonderful opportunity to meet our acquaintances and partners, as well as to make new connections. During the two days, we were able to listen to countless interesting speeches, meet other representatives of the industry, and also get to know and team up with our own staff. Perhaps we will see you again next year! If you didn't get a chance to meet us at the event, or want some more insights, we are here! Our team is happy to help you in the chat bubble in the corner, through email at team@cyberday.ai, or you can book a short call with us at a time that suits you best here.
See you in Cyber Security Nordic 2025! ⭐️