• October 1, 2023
• By Cyberarch Admin

In response to the growing threat of cyber incidents in Estonia, the Information Technology and Telecommunications Association (ITL) conducted a pioneering initiative to assess the level of cybersecurity awareness among Estonian companies. This initiative involved benevolent cyberattacks on three volunteer companies to shed light on critical vulnerabilities. Despite prior agreements with the target companies, all simulated attacks were successful, underscoring the need for increased cybersecurity vigilance.

Key Highlights:

• Estonia has witnessed a surge in cyber incidents, resulting in substantial financial losses for companies, amounting to approximately 1 million euros annually.
• ITL orchestrated benevolent cyberattacks on three participating companies to raise awareness about cybersecurity risks directly affecting businesses.
• The experiment highlighted that even with prior knowledge of the attacks, all incursions succeeded, potentially causing significant harm if carried out maliciously.
• A team of cybersecurity experts from prominent organizations, including SK ID Solutions, CYBERS, CybExer, CYBERARCH (Cyberarch Consulting), Wisercat Estonia, and ITL member companies, executed highly realistic attacks.
• These benevolent attacks aimed to mimic real-world cyber threats, emphasising the importance of proactive cybersecurity measures.
• ITL’s information security advisory board stressed the shared responsibility of ICT service providers in bolstering cybersecurity practices.
• Educational videos and easy-to-understand guidance were developed based on the attack scenarios to assist small and medium-sized enterprises (SMEs) in safeguarding their data, employees, customers, and financial assets.
• Participating companies, such as Mobire Eesti AS and EstHus, recognized the need to continuously enhance their security posture, emphasizing the critical role of service providers in protecting customers.
• Finants ja Marketing OÜ highlighted the importance of practical cybersecurity recommendations for companies facing similar challenges.
• The State Information System Board acknowledged the significant impact of cyber incidents on Estonian companies and the importance of sharing lessons learned to boost cybersecurity awareness.
• The participating companies continue to collaborate with ITL members to rectify identified security vulnerabilities and plan preventive measures.
• ITL intends to prioritise awareness-raising initiatives and practical seminars in partnership with professional associations and business networks to foster a culture of cybersecurity vigilance.

In recent years, there have been many cyber incidents in Estonia, which have caused considerable damage to companies. 1 million euros is the amount that Estonian companies hand over to cybercriminals every year . In order to raise companies’ awareness of cyber security and the business risks directly related to it, ITL organised benevolent attacks on three volunteer companies as an experiment. The companies that took part in the campaign agreed that they were being “attacked”. Despite this, all attacks succeeded. If the attackers had not been benevolent, companies would have suffered real damage that would have crippled their business for a shorter or longer period of time.   

 Teams consisting of top specialists from various cyber security companies and RIA belonging to ITL organised completely realistic attacks on the car rental company Mobire Eesti AS, the accounting and marketing support company Finants ja Marketing OÜ and the wooden house manufacturer EstHus OÜ . Benevolent attacks were developed and implemented by security specialists from SK ID Solutions, CybExer, Cyberarch Consulting, Wisercat Estonia and several other ITL member companies, who have repeatedly encountered similar attacks in real life.  

The daily work of specialists in companies dealing with cyber security is to help clients find out their level of cyber security and make the necessary suggestions and developments to improve security. “ITL did the same in this six-month campaign. Because cybercrime is a real thing with real business risks, the well-meaning attacks were also real. “I believe that Estonian entrepreneurs now better understand what dangers may lie in wait for them. Based on these real cases, we also clearly understood that as ICT service providers, we ourselves have an obligation to do our part of accounting better, and that is why we have started to develop good practices for the provision of several services,” said Kalev Pihl, head of ITL’s information security advisory board .    

In order for others to learn from the valuable life experience, educational videos were created based on the attacks and advice was prepared in simple language , which makes it easier for small and medium-sized companies to protect their data, employees, customers and money.   

Andrus Valma , chairman of the council of Mobire Eesti AS , said that since they offer service for renting thousands of cars internationally, mainly through digital channels, reducing cyber threats is very important. “We applied for this campaign to test our vulnerability. And while we were aware of the potential attacks, we only learned about them after the attack was over. We realised that our security level needs to be increased, and making the company cyber-secure is a job that really never ends. In other words, in order to protect customers, service providers must also be chosen critically.”   

OÜ EstHus board member Diana Sosnovski participated in the digitisation with the team in a master class, after which it was realised that their company does not have enough competence to resist cyber attacks. “That’s why we applied as a ‘victim’ to increase our team’s knowledge and level of cyber hygiene. We were attacked physically or by a cyber criminal can be very resourceful in his attack. For example, with the help of a small diversion, they managed to install a device imitating the company’s Wi-Fi in the office.”  

According to Kaire Tammer, CEO of Finants ja Marketing OÜ, internet security is theirs was relevant in the company. “I have consistently kept this in focus, because communication with customers takes place over the web, we use various software and apps and a cloud server. Although we were also aware of the threat of ITL attacks, they created a very realistic feeling at times attacks of hollow feeling. I think that the first practical recommendations on how to improve your situation or how to get going with cyber security would be very useful for every company. We hope that through these videos and advice we can also help others.”    

Märt Hiietamm, head of the analysis and prevention department of the State Information System Board , stated that RIA receives daily reports of situations where cyber incidents have caused significant damage or inconvenience to Estonian companies. “Companies that participated in the ITL program received valuable lessons and tips from the project, shared them with the public by sharing, the awareness of companies grows more widely. You don’t have to move all the buckets yourself, so other companies can learn from the experience of others. October is cyber security month, companies should keep an eye out for other cyber security awareness campaigns, you’re not an IT whiz.” 

According to Kalev Pihla, three companies currently continue to cooperate with ITL members, to fix identified security holes and plan the next actions to prevent accidents and attacks. “Since the person is often the weakest link in the cyber security of companies, the focus must be on how to reduce the probability of attacks, precisely awareness lifting. In cooperation with professional associations and business networks, we also want to conduct practical seminars to pass on the learning experience,” said Pihl.   

The following participated in the campaign: Estonian ICT cluster, CGI Eesti AS, Cybers OÜ, Cyberarch Consulting OÜ, CybExer Technologies OÜ, Lean Digital OÜ, Microsoft Estonia OÜ, OIXIO AS, Riigi Infosüsteimi Agency CERT-EE, SK ID Solutions AS, Swedbank AS, Wisercat Estonia OÜ. Communication partners: ITL, Cybers OÜ, RIA, Elisa Eesti AS, Swedbank AS, Microsoft Estonia OÜ. Video production: Vaas OÜ. The production was financed by the European Regional Development Fund within the framework of the Estonian ICT cluster project.