Cybersecurity issues: companies lack resources to implement Estonian E-ITS standard


According to Estonia’s largest IT and telecommunications company Telia, the Estonian Information Security Standard (E-ITS), which entered into force last year, does not in itself guarantee cybersecurity and, due to the extensive preparatory work, has left companies with mixed feelings.

While the three-tier Information System Security Reference System (ISKE) was used to ensure the information security of state and municipal databases in Estonia from 2003 to 2022, the new E-ITS standard was introduced last year to improve the level of information security in both the public and private sectors. Unlike its predecessor, E-ITS was intended to simplify the implementation of the management system by ensuring a broader scope of application, clearer requirements, and better protection for both the institution and the information. It was also expected to make information security issues more accessible to smaller organisations.

“In summary, there are no right or wrong standards and frameworks – it is important to understand the standard and apply it consistently. The standard itself does not guarantee cybersecurity in a narrow or broad sense; it requires consistency. And consistency, as we know, takes time and money. Unfortunately, this is often the problem,” said Martin Paas, Head of Cybersecurity and New Business at Telia.

He added that even those who have previously used the ISKE system are faced with the need to evaluate and implement E-ITS measures, and the amount of work is significant. The biggest challenge is creating an information security management system. Although in principle, ensuring the cybersecurity of an institution as a goal seems simple, everything is complicated by the fact that, in addition to protecting technical solutions, it is also necessary to install security updates, train users, evaluate and analyze logs, respond to incidents – and this list is far from exhaustive.
“Since E-ITS is essentially a risk-based standard, the service owner must be able to assess the risks associated with it. Since not all risks have the same probability and impact, they must be managed continuously,” Paas explained.

In companies with a chief information security officer, the implementation of E-ITS usually does not cause any serious problems. However, difficulties arise where working with the information security standard has become the responsibility of a person without an IT education or where an employee is involved in its implementation in parallel with his or her main job responsibilities.

“In most cases, problems arise with the creation of an information security management system, and in this case, copying solutions from other companies may not produce the expected result, since the document is created for the sake of the document itself,” Paas explained.

According to him, people often turn to IT service providers for help, but they cannot help if the company does not have a list of technical measures that the IT service must comply with, and the company itself often does not know how to prepare it. Outsourcing information security services could be a solution, but most often companies are afraid of the associated costs.

“However, preventing incidents is always cheaper than reacting to them,” Paas noted. “Targeted implementation of measures leads to costs, but a risk-based approach allows them to be managed wisely.”
