Cybercrime is a global phenomenon, so it is necessary to think not about individual cases, but about the country as a whole. Estonia’s strategy for data protection and cybersecurity needs a focus on “support and control”, writes Rainer Ratnik.
Stolen legacy data, hackers and data leaks: Estonia has been hit by a wave of cybercrime, about which more and more new stories have spread in recent weeks. Could these stories have been prevented by defining and implementing a national strategy? It probably would be to a significant extent.
In practice, the current national strategy has turned into a “let’s see what happens” strategy. There is a strong danger that, in light of the latest news, this situation will move in a direction where blame cannot be allowed to wander. But more is needed, it is necessary to support companies and organizations and implement more balanced supervision.
Estonia swam against the current
The General Data Protection Regulation (GDPR) came into force in 2018 and brought about a big step forward in privacy and cybersecurity in Europe. Why? Because suddenly there was a lot of focus on data processing and failure to comply with the rules resulted in heavy fines.
While there have been reports of fines and mega-fines from Europe over the last six years, in Estonia it has been essentially impossible to impose fines for violations of data protection rules. What happens on a motorway where speed limit enforcement is excluded? Apparently, it was concluded that there is actually no speed limit.
Good and intelligent people work in the Estonian Data Protection Inspectorate, but taking into account the complexity of their tasks, the inspectorate’s budget lines are non-existent. Although, as in many countries, the mechanism of operation of the inspection could have been written in the fact that if fines are issued, this also brings in revenue for the organization.
Only prevention and vigilance protect
“Many organizations were able to look at the state with a reasonably quizzical expression as to whether data protection still matters or not.”
Not dealing is a strategy. Not investing resources in monitoring and creating adequate sanctions is largely a strategy in itself. This means that many organizations have been able to look at the state with a reasonably questioning attitude as to whether data protection is still important or not.
Fortunately, as far as sanctions are concerned, the time has come when sanctions are finally emerging. But let’s face it: the rest of Europe is six years ahead of us. This means that Estonian organizations that did not take the situation seriously are like apples to eat for cybercriminals.
It is very good and right that the prosecutor’s office and the police investigate and try to catch cyber criminals. But in the grand national strategy, this is just a small drop in the ocean, because in the case of cybercrime, as a rule, we are not talking about local digital criminals who, once caught, reduce crime.
Figuratively speaking, we are not looking for a single Pae street bomber, who, if caught, will make Estonia safer. Cybercrime is a global phenomenon. Accordingly, it is necessary to think not about individual cases, but about the country as a whole. Estonia must become an unfavorable target.
We need a strategic focus to help companies and organizations achieve a better level of data protection in terms of mindset, knowledge and technology. Unfortunately, this also requires improved vigilance.
The comment reflects the personal opinions of the author, which are not presented on behalf of someone’s interests.
2023-12-27 12:25:00
rainer-ratnik-estonia-must-become-an-unfavorable-target-for-cybercriminals-opinion