Skip to main content
invest in estonia


How Estonia uses cyber hygiene as the cornerstone of cyber security

Like never before, technology advances at a rapid pace. The Internet of Things (IoT), Artificial Intelligence (AI), self-driving cars, android-based humanoid robots are not merely science fiction anymore. With new technologies there need to be improvements made to cyber security as well. Security in the technology field is not just keeping software up to date but having trained people using computers. Cyber security experts see cyber hygiene as the cornerstone of cyber security.

You can always have the latest and greatest security patches and software installed on your machines but when the person using them has not had the proper training and opens every spam email they get then you basically have no security at all. Having trained employees is the most cost effective way of keeping your business up and running 24/7 without the extra need for expensive soft- and/or hardware cyber security solutions.

Estonian businesses and government offices have been trained in cyber hygiene

The private and public sector in Estonia have started to understand it. About a year ago, thousands of government officials had to go through a web-based test that gave them a score on their knowledge of cyber hygiene. In the age of technological advancements, cyber hygiene is something so essential that even everyday Facebook users need to know it like the back of their hands.

The development of the test in question was initiated years ago by the Estonian Ministry of Defence, they were also the first client to use the test on their employees. The company behind the test is called CybExer Technologies and by now they have lots of clients in Estonia and elsewhere starting from the Tartu municipality and ending with the Latvian Ministry of Defence.

Most of us don’t even think twice when we are handed a USB thumb drive and are told that there is something of our interest on it. The same applies to emails. A lot of internet users open up every spam email they receive and don’t see it as a risk.

The test presents the user with different scenarios, after reading it the user needs to answer some questions and in the end they are given a rating of their knowledge in cyber hygiene. The parts that need some improvement are marked in red.

Klaid Mägi, the Executive Vice President at CybExer, joined the company in February, and due to his previous position as the head of the Incident Response Department (CERT-EE) at the Estonian Information System Authority (RIA) he knows many examples of bad cyber hygiene where a wrong click on a website or an email could have a big impact. Unfortunately, Mägi is not allowed to give any examples of incidents that have occurred but he can affirm that lack of knowledge in cyber security has cost time and taxpayer money.

‘We sometimes feel embarrassed because the test seems to be too basic but just as the Emergency Service still have to explain to people the necessity of smoke detectors, we have to ensure that the basic truths of cyber behaviour are clear. Estonians use ID-cards daily and, by nature, the ID-card requires two-factor authentication. Our experience shows that even heavy ID-card users don’t know what the two-factor authentication is and don’t use it elsewhere,’ says Mägi.

During our interview, Mägi is using his personal laptop which has a protective film on the screen which makes it possible to see what’s on the screen only when directly looking at it. When you are at an angle you see a blacked out screen. This is also part of good cyber hygiene. The same can be said about laptops, tablets and smartphones that have been encrypted.

‘To advance cyber security as an industry we ask our clients to make their incidents public, only then can others learn from the mistakes. If we just say that cyber threats are real and you need to protect against them then nobody listens. You need to give them examples so they can imagine being in that kind of terrible position.’

Next generation of business leaders are taught the basics of cyber hygiene

Last autumn, the Estonian Business School (EBS) in collaboration with Estonian cyber security companies BHC Laboratory and CybExer Technologies added cyber hygiene as part of EBS’s curriculum for MBA in Digital Society. The new curriculum educates the managers and leaders of the world of tomorrow. Last July, when the curriculum was announced, Toomas Danneberg, Vice Rector for International Collaboration at EBS, said that the role of a university is to keep up to date, and to be a step ahead of what is happening in the business sector.

‘Cyber security in business has been a distant, complicated and technical topic, which is why businesses are now sensing their vulnerability. Cyber security in business is one of the strategic areas of modern companies, without which it is not possible to survive in an increasingly digitized world. Our duty is to give leaders the knowledge and experience they need, and we are happy to say that we are able to achieve this with internationally recognised partners from Estonia,’ Danneberg says.
The collaboration is built on three levels. First, BHC and CybExer support the new curriculum. Secondly, EBS will be promoting the cyber hygiene e-learning test environment platform that has been developed by CybExer, in an international network of universities offering business study modules.

And thirdly, the partners are collaborating on a cyber defence training simulation for the business sector. The aim is that EBS’s international partners, companies and corporations could test their capabilities in handling actual cyberattacks. This development is based on an internationally acclaimed cyber war learning platform developed by BHC and intended for governments, security authorities and organisations.

Just recently, Danneberg participated as an observer at Strategic Decision Making Exercise on Hybrid/Cyber Threats in Vienna. The exercise was carried out in cooperation with the Defence Ministry of Austria, European Defence Agency and other public and private sector organisations. Altogether, observers from 21 countries participated, including from EBS and the representatives of our partner in Vienna − WU Executive Academy.

Cyber security as a web-based game

If the CybExer test is meant for the everyday computer user, also known as the end user, then there is another Estonian company focusing on developing game-based online cyber security training for developers, devops and security experts.

RangeForce is a company that simulates cyber battles to train IT professionals on cyber security. The company was founded in 2015 and the headquarters is located in New York but the development is run from Tallinn.

RangeForce sees every IT professional as a defender in a cyberattack. Training people is done in a simulator where the user can have hands-on experience wherever possible to measure the results. As the solution is web-based there is no need to download any additional software.

One of the biggest clients of the company is Barclays bank, which used their service “Global Siege” to test employee skills across the globe. The simulations took participants from across the globe through three challenging rounds with the aim of advancing their skill sets through practical, real-life scenarios.

The qualification round began gently with multiple attempts permitted over a two-week period. The second round saw qualifying participants defending the IT systems of a fictional country called Utopia. Twenty-eight of the best defenders were selected for the final round, which took place simultaneously around the globe over four hours.

Last year RangeForce’s CEO Taavi Must was recognised as one of the Financial Times’ New Europe 100: eastern Europe’s emerging technology stars.

Last summer, RangeForce made it to the top 10 of NATO’s Communications and Information Agency’s inaugural Defence Innovation Challenge. The challenge was aimed at accelerating transformational, state-of-the-art technology solutions from small business and academia in support of NATO C4ISR and cyber capabilities.

Although there are companies working against cyberattacks and educating people on cyber hygiene the potential risks are not going away anytime soon. Just like in the physical world, we always need to protect our belongings from people who would like to illegally possess them. The best protection against cyberattacks are people who have knowledge of cyber hygiene, starting from the bottom and ending with the CEOs and other managerial staff.

Secure and fast customer onboarding experience

you are running an online business you need to have a quick and easy way to securely onboard your customers. One of the most innovative solutions comes from a company founded two years ago in Estonia − Veriff.

At first, Veriff had only one main purpose, to make it possible to open a bank account from behind your computer without visiting the bank office. That functionality has been available to Estonians for a while now. The service works by scanning both your face and identification card using video. According to the company, it’s harder to defraud video than uploaded photos.
Veriff has made a couple of changes to expand its business and now offers identity verification services for websites or mobile applications to verify driving licenses, passports or ID-cards.

For the past three months, Veriff’s team has been located in the United States to take part in the American seed accelerator Y Combinator. According to Kaarel Kotkas, the founder and CEO, big news is coming from Veriff in the first half of 2018.

News & events

Need more information?

Need more information?

What is it like to run a business in Estonia? How to benefit from the e-solutions and the efficiency of our business culture? What are the opportunities in specific sectors? Who to partner up with?

The Estonian Investment Agency’s team is happy to help you via its complimentary e-Consulting service, organize online or offline follow-up events such as virtual investment visits and guide you through the fairly simple process of investing in Estonia.

Request e-consulting