"It's the attitude, stupid!" Working on the human element in cyber incidents across the government and essential services
What I have planned to explore during my presentation is two solutions we are currently working on in Estonia that will increase the preparedness of our critical infrastructure.
Firstly, I will introduce a cyber hygiene awareness and training platform that we have commissioned in Estonia for the use of our critical sectors and government officials. We, as the cybersecurity agency in our country, have recognized how big unknown the human element is in most of the incidents we have seen happening here, also impacting our critical sectors. So what has been done is the development of a hygiene awareness and training platform by Cybexer Technologies, that focuses on changing the human element of the incidents and that specifically puts a lot of focus on changing the attitude of users or breaking the „Human Firewall“. This emphasis comes from the understanding that sometimes the attitude of people can be an equal cyber risk - comparable if not bigger than - for example, poor knowledge or experience. So in our new cyber security strategy 2019-2022 a much bigger focus is put on that. Besides such a platform becoming mandatory across the government officials, in 2018 the trial usage across the medical sector was a success as well. Besides benefiting all organizations using that in improving the skills of users and helping with their risk management, what it gives us, is a better picture of risks across our constituency. For each IT-security or risk manager in organizations it gives quite a specific picture on human risks (while preserving necessary privacy), so they know as a result which areas should be a focus set in improving the digital skills or knowledge about security policies.
Secondly I will shortly introduce a project that our government and national CERT, CERT-EE, is developing to enhance the cyber security in our essential services. Its called S4A or Suricata4All. CERT-EE is offering it to the essential service providers a solution for them to use the monitoring tool to enhance their security by analysing their traffic against the rule-set given and updated by CERT-EE. For our service providers it makes a voluntary additional automated security layer while enhancing the situational picture of our cyber security service as well.