Survey: Finnish firms boost investment activities in information security, specialist shortage stifles success

A DNA information security survey investigated Finnish ICT decision-makers’ views on information security. The survey shows that enterprise information security investment activities have grown significantly over the past five years and will continue to do so in the coming year. Growing amounts are also spent on information security know-how and staff training. Yet, 67% of the respondents feel that a shortage of skilled persons is an obstacle on the way to good cybersecurity. 

“The fight against cybercriminals is asymmetrical – criminals can target individual weaknesses in organisations, while organisations are developing their processes on a broad scale – often with less resources. There is an increasing need for know-how and investment activities,” says DNA Vice President, Network & Cloud, Kaapro Kanto.

Kanto points out that there is no need to do everything in-house. Nearly 90% of the respondents in the information security survey reported engaging partners in information security and cybersecurity.

“A positive information security culture and information security hygiene are the top priorities for businesses. You can find help on information security both from the corporate sector, such as telecom operators and cybersecurity companies, as well as from the public side, such as from the National Cyber Security Centre,” Kanto says.

Room for improvement in preparedness and regulatory compliance

Preparedness for cyberthreats is at a poor level in companies. Less than half of the companies have a preparedness or recovery plan. Many businesses face a potential cybercrisis without being prepared at all, as only one in four practices for the crises. Kanto points out that preparedness is not just about information technology but also about other crises that companies may face, such as supply chain disruptions.

“Every business needs an action plan for the event that something unexpected happens. It’s a good idea to practice managing information security anomalies at least as a dry-run exercise, where people discuss how to identify the situation, how to respond to it and how to get back to the normal,” says Kanto.

Compliance with the NIS2 cybersecurity directive is seen as challenging by companies, with 42% of the respondents unsure whether NIS2 applies to their company. And only 15% of those who said the directive imposes obligations on their company said the company will fully reach the required level by the deadline for the application of the directive. According to Kanto, businesses should go about their NIS2 implementation through shortage and risk analyses.

“Regulation has brought new obligations to many companies, and implementation can seem challenging. While NIS2 applies only to actors critical to society, it is a good reference for companies of all sizes in implementing good information security. When the GDPR came into force, not everyone was ready, but this gap has been bridged. I think the same will happen with NIS2.”

Hybrid work and AI create new threats, but AI is also part of the solution
 
The importance of information security awareness has increased even more as hybrid work has become more common. While 73% of respondents say they understand the information security risks of hybrid work, 72% say the staff are not adequately trained on its risks.

“Hybrid work has created new kinds of threats: one must think about how working methods and tools support safe working at home, on trains and in office hotels alike. A culture that nurtures information security is essential. A culture that encourages people to learn from mistakes and be open,” Kanto says.

AI use also raises security concerns: 73% of ICT decision-makers fear that proprietary data and trade secrets could get into the wrong hands through AI tools. However, only one third of the respondent businesses have created rules and policies for using AI. Kanto points out that artificial intelligence can drastically improve work productivity, so it is worth taking advantage of with information security in mind.

“When using publicly available tools, the old and familiar principles apply: check whether the tools can be used in the company, whether contractual obligations are clear, and whether the company’s information assets are kept safe with these tools. IT, procurement and legal departments help identify risks and find reliable tools. At DNA, we have set principles that guide the use of AI, taking into account threats and opportunities. In addition, we have a team that assesses risks and guides the development of AI use,” says Kanto.

He points out that while AI poses new threats, it can also be a significant benefit to improving information security. Artificial intelligence can train staff, detect deviations and improve processes. Almost all information security products in the market already include AI. 

*DNA’s information security survey investigated how companies in Finland treat information security and cybersecurity. The survey was conducted as an online and telephone survey in September 2024, involving 157 ICT decision-makers of companies and government agencies in Finland that employ at least 10 people, with 20% representing organisations or companies employing at least 250 people. The survey was carried out by Dagmar Oy. The survey report is available here (in Finnish).

Media enquiries:

Kaapro Kanto, DNA Vice President, Network & Cloud, Corporate Business, tel. +358 40 059 9020, kaapro.kanto@dna.fi  

DNA Corporate Communications, tel. +358 44 044 8000, communications@dna.fi