Cyber Security in Organizations

Abstract

The cyber threat towards digital systems and organizations are increasing. WannaCry is one of the latest large-scale cyberattacks which has had a global impact. The digitalization is transforming organizations to innovate and utilize new digital technology and infrastructure. This is raising the connectivity and dependency on digital systems. Organizations, authorities, individuals, and operations are susceptible to cyber risk. Threat actors are becoming more organized, sophisticated, and cyber-crime has been commercialized. Easy access to malicious tools is one of the drivers for the increased threat. Organizations must know how to face this new cyber threat and understand how it affects their systems and operations.

The purpose of this thesis is to compare cyber security solutions and capabilities of three different organizations in the Norway. The main objective is to find industry similarities, key issues and challenges related to cyber security, and find areas of improvement. The method for this thesis is a qualitative analysis. The data is acquired through an interview process. The interview is based on a semi-structured interview guide. Three organizations from different Norwegian industries have been interviewed – Railway, Health Care, and Power Distribution.

The thesis discovers that there are many similarities in the industry solutions, and that there are challenges related to innovation vs security, security assurance and control of ICT service providers, location of ICT service providers, how change in technology also means organizational change, and that there are ambiguities in the legislations which does not ensure quality in cyber security activities. The organizations’ strengths are emergency response. The general improvement areas of the three organizations are ensuring that the organization has an updated threat picture and understands how internal factors affects the cyber risk exposure, and the development of measurable security requirements and targets. Additionally, individual improvement areas have been described for each organization.

There is a need for ICT and cyber security in education to raise the cyber security competence, as well as, bridge between traditional engineering and ICT professions to ensure a common risk language and understanding of cyber risk. There are many benefits in collaborative efforts between organizations and CERTs. Information- and experience-sharing helps create a front against the threat actors and increases the general industry security culture. Management decisions has a large impact on cyber risk exposure. Cyber risk understanding is critical for minimizing the effect of managerial decisions. The supervisory authorities must increase their industry engagement and communication efforts to ensure that a high level of cyber security capabilities are implemented in their given industrial sector. Organizations must evolve with the growing threat and the new innovative solutions. Security measures should not be implemented out of compliance, but out of self-interest. Security is a premise for a successful and sustainable future.