The Many Layers of Information Security
Although perfect protection from cyber threats is impossible, you should always do your best. The new documentary series by DNA Business presents an overview of the basic concepts and solutions. DNA Business information security expert Petri Ramu emphasises the importance of protecting the boundary layers of the network i.e. those between the public internet and the company's local network: "Protection should start with the basics. First, protect your boundaries and their services. Next, protect the vital systems surrounding the core business, as well as the connections of those systems. This is enough to reduce the risks significantly and secure the company's valuable data." Personnel should also be trained. The awareness of the personnel about information security risks is directly proportional to how easy it is for different threats and attacks to penetrate the company's systems. Protection is more than technology and expertise; it is also everyday practices and operating models. "Maintaining information security is a continuous process. It is not just about imagining risks and threats, but rather a solution-focused approach to information security," says Ramu. The protection of networks relies heavily on situational awareness. Situational awareness allows the events of the network to be understood. If there is no clear picture of the events in the network, security breaches cannot be detected or isolated. The company can use their situational awareness to determine if their critical data is threatened. "Companies should understand which processes are the hard core of their business, and therefore what data or information is the most critical. It is easier to set up protection when you know where your defences should be concentrated," says Ramu, describing the difference between critical and non-critical company systems. This is also precisely why the company's business management should be up to date on information security: it is their job to determine what information must be protected to safeguard the core business processes. This allows experts to build systems that have the correct levels of protection. Sometimes, critical material is hard to identify and external specialists may be required. Cyber threats are constantly increasing and evolving. For example, the use of networked consumer products in denial-of-service attacks will increase without a doubt. To compensate, companies should seek help from partners and service providers so they can have adequate protection against these new cyber threats," says Ramu, commenting on the future operating environment. ;
Companies should start their protection with the basics – they will get you far. Critical data can only be effectively protected if business management also understands the basics of information security.
Information Security Is More Than Firewalls and Antivirus – Organisational Commitment Is Key
The more digital a company's business becomes, the higher the risk posed by cyber threats. How much business can be moved online or within reach of the internet, if this exposes your business to completely new vulnerabilities? Petri Kairinen, CEO of information security consulting company Nixu, sees it as a balance between risk management and new technology: "In theory, you can protect yourself from cyber threats completely, but only if you are willing to give up the opportunities of digitalisation. This is not viable in practice, so it comes down to choosing your level of risk: what do you want to protect against, how do you prepare, and what measures should you take." Preparation works against cyber threats Like any other threat, cyber threats are mostly a case of preparing and predicting. No protection is perfect, so that leaves detection and reaction: when something does happen, the company must have the appropriate measures prepared and ready for quick deployment. Due to the broad nature of cybersecurity, it cannot be the responsibility of just one part of the company. "The chain must account for human behaviour, processes and subcontracting chains." Information security is more than firewalls and antivirus protection. Even so, a deeper understanding of that technology is also required," says Kairinen, describing the comprehensive approach to security. From theft protection to protecting digital business The last ten years have seen a marked increase in the understanding companies have of information security. It was previously seen as something very tangible, such as protecting customer databases from theft. Nowadays, the emphasis is more on protecting the whole business, and the digital elements in particular. "Technical experts have understood the importance of information security for a while, and as business operations become digital, management is becoming interested as well. The financial consequences are in a whole different category than what they were a decade ago," comments Kairinen on the change in attitude. The entire organisation must commit to information security Information security is a challenge for companies: Hackers only need a single weak point to access the system. After that, protection measures may fall like dominoes. The initial weak point could be an information system, but also an internal practice or even an individual employee. This is the reason the whole organisation must contribute to cybersecurity, and not just the technical experts or hardware. Even so, Kairinen wishes to reassure: "Our company thinks about this every day, of course. But one should not worry about it too much. If you have a good plan and the motivation to carry it out, then information security is just another task." The future may offer relief in the form of artificial intelligence. Advanced algorithms can help detect attacks more effectively and more quickly. "Our industry is in constant motion with new evils lurking around the corner and old protection becoming obsolete. You simply find new ways to adapt," says Kairinen, referring to the endless game of cat and mouse played by cyber criminals and cybersecurity companies. ;
The more digital a company's business becomes, the higher the risk posed by cyber threats. Like any other threat, cyber threats are mostly a case of preparing and predicting.
Northern and eastern Finland lead the world in mobile services
Finnish Shared Network Ltd, owned by DNA and Sonera, completed a massive project last autumn, building faster data connections with an improved coverage in northern and eastern Finland. The project improved the speeds of mobile connections, especially in remote regions, more than tenfold. “World-class 4G services are now also available in rural areas,” says Jarkko Laari, director of radio networks at DNA. 1,700 new base stations In 18 months, Finnish Shared Network built approximately 1,700 base stations, covering more than 760,000 people in northern and eastern Finland. They also cover Finland's most significant ski resorts. The network uses the latest next generation LTE Advanced 4.5G technology. In addition, the GSM and 3G networks were modernised in the regions. “DNA and Sonera use the shared mobile network to offer their services to their customers. Thanks to close cooperation between the two operators, the new mobile network was built quickly and cost-effectively. It improves our ability to develop services in the regions, also in the future,” Laari says. Benefits also at ski resorts The shared network improves the coverage of voice and mobile broadband services in northern and eastern Finland. The higher network coverage and transfer capacity mean that different mobile apps work better than before. It also helps travellers to enjoy even better connections. Special attention has been paid to locations that attracted large groups of people during holiday seasons. “For example, we built an additional capacity for Lapland's ski resorts to guarantee functional high-quality services, also during the busiest winter holiday season,” Laari says. Reindeer Coop warns motorists The improved coverage of DNA's connections allows people to use new mobile apps, even in more sparsely populated areas. One of these is the Porokello (Reindeer Coop) project of the ELY Centre of Lapland, in which a thousand professional motorists produce real-time information about reindeer on or close to roads. Its real-time reindeer warnings are available to satnav systems of almost all vehicles via the V-Traffic service. This traffic information reaches nearly half a million people in Finland. As the project proceeds, it will be possible to receive warnings on mobile phones by using a free app. The Reindeer Coop software also includes an expansion, which provides DNA with measured information about network coverage from the Reindeer Coop terminals of the professional motorists involved in the project. This information supplements the data collected by DNA's field team. “This coverage information helps us to develop our services to be even better,” Jarkko Laari says. ;
Northern and eastern Finland received mobile connections that are among the fastest in the world. They also benefit DNA customers visiting ski resorts in Lapland.
DNA Business Newsletter
Subscribe to the DNA Business newsletter and be among the first to hear about the current topics in the industry.
Coders met at Ultrahack
Ultrahack, held under Slush, attracted a group of coders from all parts of the world to develop solutions for corporate challenges. DNA also threw in a challenge. Ultrahack 2016, a hackathon leading to Slush, was held at Vallila Konepaja in Helsinki. It was the final of the largest hackathon tournament in Europe. During the weekend, more than 560 software developers from 29 countries attempted to solve challenges presented to them by different companies. The objective of Ultrahack was to come up with new financial and social innovations, and to offer a stepping stone for new talent. The event had attracted a diverse group of skilled coders: student teams, startups and also larger companies. Innovative ideas for DNA's challenge Tiina Rytkönen, head of online development at DNA, describes the Ultrahack atmosphere as innovative and inspired. “We wanted in because this event is a perfect match with DNA's values and its new way of carrying out agile business. The event was fun and relaxed, while the teams also worked long hours to solve the challenges,” Rytkönen says. DNA challenged the teams to create ideas to develop the coverage maps located on DNA's web pages. “Coverage maps allow us to open interfaces to external software developers. We wanted to hear new ideas in order to make our services more transparent towards our customers.” At Ultrahack, teams innovated the use of positioning data in coverage maps. They also thought of ways to develop the services as a bi-directional channel, where customers could provide DNA with information about Internet connection speeds in specific locations. “Our primary objective is to provide our customers with better information about the coverage of DNA's mobile network, whether they are driving across the country, at their summer cottage or skiing in Lapland,” Rytkönen says. The map developer wants to join the race DNA's partner at Ultrahack was Karttakeskus, which provided the teams with the coverage maps and other material via its map service. “It was fun to be part of this event, where the innovating teams were fully focused on these challenges,” says Tero Dubrovin, service manager at Karttakeskus. Dubrovin also received many new ideas from the event. “For example, we could develop map customisation, so as to produce a different map design, according to the user and purpose of use,” Dubrovin says. Dubrovin got so enthusiastic over Ultrahack that he may take part in a future tournament as a competitor. “During the weekend, I started to think that I could take up one of these challenges as a coder and put up a skilled team.” In addition to the finals held in Helsinki, different Ultrahack tournaments were organised in seven countries in Northern and Central Europe during the year. The chain of events will continue when Ultrahack 2017 will be launched at the beginning of the year. ;
Ultrahack hackathon put coders to the test. But, what is a hackathon?
Finnish startups to hit
Finland is a country of innovation, also raising global interest. Photo: Ville Lehvonen
Digitalisation is proceeding at full speed in every field – also in sports. Finnish SportIQ develops motion sensors to help track the movement of players and sports equipment, for example, on a basketball court. The sensors are attached to the ball and players' gear. They wirelessly transfer data to a system, in which this data can be utilised in real time, for example, in TV broadcasts. This analysed data helps players to review their performance and coaches to improve the tactics of the team. The SportIQ application has already been successfully tested in the Finnish basketball and ice hockey leagues, but the company is looking for bigger arenas. “Our main markets are in the US, because that is where the big bucks are,” says Harri Hohteri, CEO of SportIQ. A smart ball keeps the score SportIQ applications are also making their way to consumer markets. The company, together with sports equipment manufacturer Wilson, has developed a smart basketball equipped with a small motion sensor which is able to keep the score and identify shooting distances. Data is transferred via Bluetooth from the ball to a mobile phone, where an app analyses the performance of individual players. “For example, players can instantly see at what distances they can score and what they need to do better. The app's features have been designed especially for younger players. Our aim is to lure them from computer games towards sports.” A major partner required for success The sports equipment business is dominated by major global corporations. According to Harri Hohteri, it is difficult for small startups to break through on their own. “For example, it wouldn't have been profitable for us to make a smart basketball on our own, but we needed to find a partner which already has a strong brand and a good relationship with consumers.” Wilson, owned by Amer, is the first major international partner of SportIQ. Hohteri believes in the strength of partnerships as the Finnish company is looking for opportunities for growth from other sports in addition to basketball. Business ideas, based on data connections In addition to SportIQ, business ideas of many other promising startups are based on data connections. A good example of this is Naturvention Oyj, a Jyväskylä-based company which manufactures indoor green walls. The roots of plants based on a culture medium contain microbes that disintegrate any adverse compounds in air. Green walls are monitored and adjusted remotely via the mobile network. The Naava technology is the only air purification method in the world which adapts to the indoor climate. The smart green wall generates exactly the correct types of microbes to use the chemicals contained by air as nutrition. According to the company, the innovation purifies indoor air more than a hundred times more effectively than regular plants. Furthermore, Roadscanners from Rovaniemi uses data connections in its tools. They are used to control the condition of roads, railways, streets and airports. For example, the company has developed sensor technology which helps to predict any need for road maintenance. What is unique about this invention is that it helps to build an accurate digital image of road structures. Preventive maintenance based on sensor data produces significant annual savings in paving costs. It also improves road safety and comfort. ;
How to get the most out of the Internet of Things
Companies can only get the most out of digital services once they have changed their everyday activities to support new operations. The Industrial Internet is currently talked about through technology, even though technology alone cannot bring the desired benefits to companies. Significant benefits can only be achieved once companies have transformed their everyday activities ready for the world of digital services. Five key rules of thumb are listed below. 1. Guided by strategy, supported by technology During changes, technology may take the lead from strategy so that development does not move forward on the strategic path. No matter how busy they are, companies should stop and think about how technology best serves the strategy and business. At the same time, they should think whether technology can sometimes by such a strong factor that strategy needs revising, as well. “This may be the case if the strategy does not enable the utilisation of the opportunities presented by the digital age. Mainly, companies can get far by harnessing technology to serve their existing strategy,” says Marko Yli-Pietilä, business development director at consulting company Midagon. After all, the strategy rather than technology sets limits for development. 2. Set clear goals for development The IoT goals of companies can be roughly divided into three levels: At the first level, services are boosted, for example, so that customers can get quicker, or even preventive, maintenance. The next step is to change the business idea so that a company starts to sell a machine it has manufactured as a service. The most ambitious goal is to carry out a change to revolutionise the way everything is done in the industry. “It is important to see what the goal is, even though it often changes along the way. If the goal is not ambitious enough, there may not be enough motivation to reach it,” says Tapio Haantie, development manager in charge of DNA's IoT range. 3. Be prepared for a long journey The bigger the change is, the more companies need to change their operating methods, and the more they require new expertise. For example, Siemens sells trains to railway companies as a service, for which it is paid according to the quality of its operations. Technology is making this more and more possible because, using remote connections and sensor technology, device suppliers are able to anticipate problems and fix them as quickly as possible. “Such a development may require years to take place. Companies cannot change their operations on such a total scale in a blink of an eye. Instead, the change should be started by a suitably sized pilot,” Yli-Pietilä says. 4. Change your processes and evaluate your expertise When a manufacturing company starts to change its operating model, it also needs to reshape its processes. Services are sold and bought differently from devices. For example, the company needs new agreement templates, incentives and even new talent. It needs to understand its customers' business operations more comprehensively or its services will not satisfy their needs. The company should also assess whether there is enough expertise in its current partnership network. What is particularly important is to develop expertise in analytics because inventions are developed by analysing data. “Understanding of analytics should also be developed within companies; after all, analytics forms the core of business,” Haantie says. 5. Develop together Customers should be engaged in the development of digital services at as early a stage as possible. The development path has its twists and turns, and it rarely starts in the right direction. Customer feedback is the best tool to point the way. What is more, employees should be engaged early. Digitisation changes job descriptions, which may result in clashes. That is why, shop stewards should take part in development work. “Employees also offer important practical insight which, if ignored, may result in a situation where new solutions are used incorrectly,” Yli-Pietilä says. Tapio Haantie also places emphasis on this. “The personnel form the first target group to whom developers need to be able to sell the change.” ;
The benefits of digitalisation cannot be converted into cash flow, unless service development takes the ideas of customers and employees into account.
New doors opening up for cybercrime
New channels quickly open up for cybercrime, but the means of protection are also becoming more varied. This is what Petri Ramu, product manager in charge of DNA's information security services, stated at the cybersecurity seminar of Finnish hospital districts on Wednesday. The new possibilities opening up for cybercrime are side-effects of the Internet of Things. According to Gartner's assessment, for example, the number of connected devices will triple by 2020. On many devices, information security is weak or even non-existent. Unprotected devices are excellent tools for denial-of-service (DoS) attacks. In September, a DoS attack considered to be the largest in the world was discovered where, according to unconfirmed sources, nearly 150,000 Internet cameras and digital recorders were utilised. Attackers may use such ordinary devices, such as baby monitors or industrial control units. Targeted attacks are thoroughly planned operations, the objective of which is to quietly transfer information from internal networks of organisations. In this case, attackers aim to remain hidden in these networks. Because the malware used by attackers is customised, regular antivirus software offers no protection. Commercial attacking services are also available for more incompetent criminals, also offering support services to their customers. Remember to pay attention to Dave! More and more services are also available for defenders. For example, telecom operators are offering a service which automatically detects and weakens DoS attacks and filters malware. DNA detects such attacks every day. When it comes to defence, investments in technology alone are not enough; defenders must also know how to use this technology. While technology may fill its role in defence, people draw a larger picture of the attack, and people cannot be replaced by mere technology. Not everything can be protected with full certainty. That is why it is important to assess what data and what functions are critical. The ground rule is that it is vital to protect boundary areas of the network using information security solutions between the public Internet and the internal network. Similarly, basic solutions include the identification of applications, the prevention of attacks and the filtering of malware. If software is properly updated, the area susceptible to attacks will be significantly smaller. Not even the best firewalls, encryption methods or antivirus programs offer help if people do not follow their instructions. Most vulnerabilities are caused by negligence or carelessness. For example, this is possible when “Dave” finds a golden USB stick marked “management salaries” from his company's parking lot and inserts it into his computer. Other common causes are email attachments, interesting websites and social media. Personnel training is an important part of information security. When employees understand the generality and consequences of possible attacks and their consequences, they will no longer undermine strict routines. Other significant steps in terms of information security include: Information security planning at the beginning of digital projects Plans required for the management of information security risks from the operator you are working with Repair of basic technical issues Verified information security on all employee terminals Classification of data on the basis of its criticality and definition of the correct storage location for each criticality class Secured identity and management of user rights These steps help organisations towards a higher level of information security to reduce risks, secure uninterrupted operations, increase reliability in the eyes of customers, and reach business goals. ;
The range of tools for cybercrime increases but, if you play it smart, you can avoid any pitfalls.
Olli Rehn: Competence is the most important raw material for the new type of work
"In the digital world, inequality can increase if the winners get a huge income and the losers are left with nothing but crumbs." Olli Rehn
The challenges of digitalisation can be turned to opportunities with competence, says Minister of Economic Affairs Olli Rehn. Finnish working life will change in unexpected ways during the next 10–20 years. Automation, robots and digitalisation create many new opportunities and challenges. “We must turn that threat into an opportunity. It creates a lot of pressure for renewing life-long learning as well, to allow people to update their skills continuously,” says Minister of Economic Affairs Olli Rehn. According to Rehn, competence is the most important raw material for the new type of work. The pressure to carry out reforms includes the entire education system, from the first year of school to adult education. The task of primary school is to provide tools for learning, to allow people to renew themselves throughout their career. One of the government's spearhead projects aims to make this possible. “We are promoting building a digital learning environment in schools in a way that gives our future employees and entrepreneurs the tools to survive in a digital environment.” It is true there are differences in the speed at which municipalities – which are responsible for organising basic education – are building digital learning environments. The reason for this is that the resources available to each municipality are different. Kauniainen, for example, has been a pioneer, but also Vantaa, which operates on a larger scale, has been building new services at a good pace. “I wish that, in addition to the government’s spearhead projects, municipalities would also invest in creating digital learning environments.” Adopting the use of digital methods in schools is also being accelerated by the HundrED project, supported by DNA, which is providing support for one hundred schools in utilising new ways of learning. The national data exchange layer connects public services Learning is, therefore, a central tool for the new work, but structures are also important. According to international comparisons, Finland’s public sector has been proceeding on the path to digitalisation at a good pace. However, many things have also progressed slowly. Olli Rehn remembers how he travelled around Europe 15 years ago as a member of commissioner Erkki Liikanen's team and talked about the eEurope programme. At that time, the central theme was electronic public administration services. “It was an unpleasant surprise that the level of discussion was pretty much the same 15 years later when I returned to Finland more permanently.” The fragmentation of structures has been one hindrance to utilising digitalisation in public administration. However Rehn is an optimist who sees this challenge as an opportunity that can be utilised better in the future. One step in the right direction was establishing the National Data Exchange Layer, through which citizens can use the public and private services they require. This requires, however, that both public and private organisations connect their services to the data exchange layer. “In regards to that, municipalities and also the state have still a lot to improve and areas where they can do things faster. The social welfare and health care reform is creating many new opportunities for this.” Rehn reminds us that digitalisation is also creating new kinds of social discussions about equality. In a digital world, inequality can increase if the winners get a huge income and the losers are left with nothing but crumbs. “This is why the government has started a pilot project to test how systems such as basic income could ensure that work is motivating and, at the same time, income is distributed more equally.” Photo: Sakari Piippo ;