
“Common sense is a huge part of information security” – cybersecurity lecturer Pia Satopää knows where room for improvement lies

AI-assisted information security attacks, deepfake scams, and the CrowdStrike case have made headlines in the field of cybersecurity. How do constantly changing and developing technologies affect cybersecurity, and where do we focus on information security? Pia Satopää, an experienced cybersecurity expert and lecturer, sheds light on the current situation in cybersecurity.  

“Technologies used both in protection and attacks are developing at such a pace that even the newest information may quickly become outdated. The vulnerability of one service provider can, at worst, have a widespread impact on society, and this is particularly concerning at present,” begins Pia Satopää, lecturer in cybersecurity at Turku University of Applied Sciences.  

Such threats are called ecosystem-level threats. An ecosystem-level threat refers to a broader, comprehensive impact that targets the entire digital infrastructure and the networks of different actors – from health and safety to the electricity grid and clean water.  


A good and scary example of this is the CrowdStrike incident in 2024, where a faulty update to a cybersecurity company's software resulted in an estimated 8.5 million software crashes. The outage disrupted the operation of hospitals and airports, among other things.   

“Such threats make us wonder if we have a sufficient understanding of the dependencies between different actors and systems and their management. Organisations should, therefore, consider whether they can recognise dependencies in, for example, supply chains. In the future, I would like to see more management of entire supply chains and threat-oriented risk management from all companies, instead of point-based risk management,” says Satopää.

The NIS2 directive takes a broad position on this. The directive sets a new minimum level of responsibility for cybersecurity risks for operators, including subcontractors, and increases reporting obligations. In addition, companies must develop basic cyber hygiene practices and invest in cybersecurity training.  

Cybersecurity should be part of every process  

Satopää has several decades of experience in the field of information security. She worked for the Finnish Defense Forces in several information security departments, most recently as head of information security. She gave up the title when Turku University of Applied Sciences contacted her and asked if she would be interested in building a cybersecurity master’s degree program – and she is still on that path.

“Often, personnel get talked to in a complicated manner about the technical details of information security, when it should be clearly stated what role each employee has in the organisation's information security chain,” explains Satopää.

When it comes to training future cyber professionals, Satopää sees it as important that they should be able to see a broader picture of the situation and form a comprehensive understanding of information security in various organisational functions.  

“Nobody has sufficient capacity to monitor every latest technical development. We can make various protection, contingency and continuity plans, but they can fall apart without regular practice and testing. The challenge of cyber and information security is to get out of their silo so that they are part of every project and process in daily operational activities. One success is enough for the attackers, but the defence must succeed every time.”

Satopää is concerned about the geopolitical situation and the threats that arise when attacks aim to affect states' critical infrastructure. Deepfakes used to manipulate people are constantly improving, and making them is no longer difficult. They can cause instability in the security situation and directly influence politics.

“It would be extremely important to achieve stronger cooperation between different parties. We have learned a lot from Ukraine, for example. However, we need more information exchange between governmental bodies and the private sector, both nationally and internationally. A lot of work has been done for this for a long time.”  

“Humans are the only common factor in information security”  

Satopää is a firm advocate of human-centred information security. Technology is developing, and at the same time, it is becoming more and more difficult to access the target through technical protections. Therefore, one of the most effective ways to attack an organisation is through a person. We should focus on how to train employees in the field of cybersecurity.  

Satopää sees artificial intelligence as an excellent tool for identifying and combating security threats, as it can tirelessly analyse deviations. She also dreams of using AI in the training of new cyber professionals, where an AI-assisted training program would draw on currently topical issues. But what advice would she give each of us when it comes to information security?

“A significant part of information security is common sense: it's important to pause and think, and to dare to criticise and question sources. The greatest information security resource is people: every employee is a sensor that examines the environment, and this resource must be utilised. As one of my students said, humans are the only common factor in information security. A person is in every gap, whether it's software or a device – so a person should always be at the centre of information security.” 
