Cyber Security BASIC LEVEL – Bolster cybersecurity in the area of fire safety and security

Demands on cybersecurity are growing in pace with the increasing threat and growing complexity and unpredictability of cyber attacks. Companies and organisations in the fire safety and security industry must possess a cybersecurity strategy involving security measures which encompass both technology and personnel. Certification in accordance with SSF 1101, Cyber Security BASIC LEVEL takes place by means of a self-declaration and is suited for every type of company. Certified cybersecurity can facilitate the extensive efforts involved in IT and information security that confront an ever-growing number of companies and organisations in our industry.

At a time when cyber threats and digital risks are increasing at an alarming rate, it is important for companies and organisations to take steps to protect their digital infrastructure. Supply-chain attacks – in which the attacker compromises a third-party supplier in order to obtain access to larger companies, government agencies or other vital societal institutions – have become more common and are expected to expand in scope.

Suppliers and companies working with large organisations and governmental agencies are often the targets of these types of attacks. By compromising a weaker link in the chain, attackers obtain access to more valuable systems and data.

Cyber attacks in the future are expected to be more sophisticated and directed at a broader range of targets, from smaller companies in the supply chain to critical infrastructure and IoT devices. Ransomware and state-sponsored attacks continue to be major threats, while new technologies such as AI and machine learning are used to make the attacks more efficient.

Every type of company and organisation must be prepared for an increasingly complex and broad-ranging threat scenario in which preventative security measures and rapid incident management will be critical to minimising associated risks.

For small and medium-sized companies which might not possess the resources necessary to implement a complex security solution such as ISO 27001, Cyber Security BASIC LEVEL offers basic certification with specific measures to boost the protection of information assets.

Cyber Security BASIC LEVEL – The first certification for cybersecurity in the Nordic region

SSF 1101 Cyber Security BASIC LEVEL was created in 2018 by the Swedish Theft Prevention Association together with the Swedish Civil Contingencies Agency. The Swedish Police, Insurance Sweden, Swedish Commerce, SBSC and others also participated in this work.

The background of the standard was a perceived need to increase cybersecurity amongst small and medium-sized companies by means of specific security measures. The standard lays out the requirements for a basic level of cybersecurity for small and medium-sized companies and organisations. Certification according to the standard is the first of its kind in the Nordic region and is intended to enhance the aggregate ability of society to protect itself against cyber attacks.

Some of the major differences between Cyber Security BASIC LEVEL and ISO 27001 include the fact that the latter encompasses requirements regarding an implemented management system, processes for risk management, continuity planning and routines for incident management.

“Cyber Security BASIC LEVEL enhances your ability to resist cyber threats and increases confidence in your business amongst your customers, partners and standards authorities.”

Public procurement and cybersecurity

Government agencies have started to impose ever more demanding requirements for cybersecurity in public procurement. This means that companies that deliver IT systems, services and products to the public sector may be required to certify their cybersecurity in order to be selected as a supplier. This requirement is expected to grow in the future, both on a national level and within the EU, including for companies which supply other services and products. Most businesses, irrespective of the industry, are currently dependent on IT systems and digital solutions in one way or another.

Many customers, particularly those belonging to the public sector or critical infrastructure, impose strict requirements for cybersecurity. In the event your system is integrated into their environments, they expect you to satisfy a high level of cybersecurity standards. In this way, certification becomes a condition for winning contracts and holding onto customers.

Swedish national cybersecurity strategy

The national cybersecurity strategy is intended to strengthen Sweden’s resistance to cyber threats with a focus on protecting critical infrastructure, state agencies and the private sector. This means that additional sectors, over and above those covered by the EU rules, may be subjected to requirements for certification and security management.

The Swedish Civil Contingencies Agency plays a central role in coordinating Sweden’s cybersecurity and implementing the EU’s NIS2 Directive. The Swedish Civil Contingencies Agency, which has been involved in the production of Cyber Security BASIC LEVEL, may impose requirements for certification for certain sectors and service providers, including security for government agencies and companies within critical areas such as energy, healthcare and transportation.

The NIS2 Directive has an indirect impact on many installation firms and inspection firms

The EU has already implemented several directives and regulations to shore up cybersecurity, such as the NIS2 Directive, which addresses risks associated with cybersecurity or threats from cyber attacks; the CER Directive, which is intended to secure the resilience of vital societal functions; and the Cybersecurity Act, which creates a framework for a certification system at the EU level in which products, services and processes are expected to require certification in order to demonstrate their security level.

NIS2 is an update of the NIS Directive and expands the area of application to several sectors, including public administration, and is slated to be implemented in 2024. The NIS2 Directive covers various sectors and industries which are regarded as important to critical social infrastructure and digital network and information services. As suppliers to these agencies, organisations and companies, many of SBSC’s customers are directly or indirectly affected by NIS2. In addition, further directives, rules and regulations with certification requirements are expected to enter into force.

Certifying your business creates a good basis for addressing cybersecurity and fulfilling the requirements of both the NIS2 and CER Directives.

Expected rise in requirements for certification of cybersecurity

It is likely that the EU will impose increasing demands for certification of cybersecurity with the goal of strengthening collective protection against cyber threats. The development in Sweden is heading in the same direction with national initiatives and sector-specific rules and regulations which will establish requirements for certification within IT and information security. Swedish companies and governmental agencies will need to adapt to both the national and EU regimes in order to protect themselves against growing cyber threats.

Certification requirements will likely also apply to small and medium-sized companies which are part of larger supply chains. These are expected to contribute to reducing vulnerabilities and make the entire supply chain more secure.

More stringent requirements for cyber hygiene in the supply chain

Companies and organisations outside critical infrastructure sectors will also begin to feel the weight of more stringent requirements from their customers and suppliers in terms of cybersecurity certification. This applies in particular in supply chains and collaboration projects in which good order on the supplier level and cyber hygiene may be preconditions for winning a contract.
