Cybersecurity is the company's biggest business risk, not an IT problem

While cybercrime consumes ten percent of the global economy, many Norwegian leaders believe they are 'too small' to be hacked. Hugin.io founder Jørgen Færevaag warns against useless paper mills, a naive culture of trust, and boards with no IT oversight.
If you sit on a Norwegian board and believe your IT department has full control of your cybersecurity, Jørgen Færevaag has bad news for you. Cybersecurity is no longer an isolated IT problem. It is the company's single greatest business risk.
'But cybersecurity is simply a very immature industry,' says Færevaag. 'It’s an industry characterized by technicians talking to other technicians, who aren't understood or taken seriously by management. The understanding of why these measures are being implemented from a company perspective is, in most settings, completely absent.'
He is one of the founders behind the Norwegian cybersecurity company Hugin.io.
They saw a pressing need for a solution that actually worked for the backbone of Norwegian business: small and medium-sized enterprises. The answer was an automated platform that monitors the company's systems and provides management with a continuously updated map of their actual digital vulnerabilities.
The choice of name is likely no coincidence. In Norse mythology, Odin's ravens, Hugin and Munin, fly out into the world every morning to observe everything that happens. When they return, they whisper their findings in Odin's ears to give him a complete overview and wisdom.
Now, the software is set to do the exact same for Norwegian boards and companies that are currently groping in the dark.
'The security industry is built by and for the world's largest companies,' says Færevaag. 'If you're publicly listed or have defense clients, you've had to be in control for decades. But if you're a bit smaller? Then you've talked to the IT manager, who pointed to an IT partner, who wrote on their website that they deliver "security." That's the level we're at today for most small and medium-sized businesses in Norway.'
The Paper Mill That Costs Millions
Now that the threat landscape has escalated, driven especially by AI technology, it is precisely the unprepared small and medium-sized businesses that are the most lucrative prey for hackers.
However, trying to solve the problem with traditional methods can become an unnecessary nightmare for the company's finances.
'When management realizes they need to do something, they often call one of the big consulting firms. A couple of million kroner and six months later, they're left with a hundred-page PDF report,' says Jørgen Færevaag.
'It doesn't sound like the problem is solved then?'
'Oh no,' says Jørgen Færevaag, quickly adding: 'No, it just gives them a long list of new problems to solve. The conclusion is they've spent millions and gotten exactly zero improved security.'
Many end up chasing an ISO certification, which Færevaag partly dismisses as a bureaucratic 'paper mill' in the initial phase.
'You get better documentation, but you don't get technical control. The challenge is that most simply lack a map of the terrain.'
'What do you mean?'
'You don't know what's dangerous, and you barely know what digital assets you actually have. But not having control of this nowadays is like going to the general assembly and saying, "I'm not so good with accounting, so we haven't really checked it." It's unacceptable.'
Cybersecurity is no longer an IT problem
With the introduction of the EU directive NIS2, the responsibility for IT security and value chains is placed firmly where it belongs: with the board and top management.
Færevaag believes cybersecurity must now go through the exact same maturation journey that Health, Safety, and Environment (HSE) did a few decades ago.
'HSE started as some annoying paperwork in a corner that people felt got in the way of operations,' says Jørgen Færevaag.
'But today, it's a natural, integrated part of any serious company. Cyber needs to get to that same point. It's not a separate thing the IT manager handles; it's about being a reliable partner.'
Cybersecurity does not happen in a vacuum. One of Hugin.io's partners in the health sector recently experienced in a brutal way just how vulnerable the supply chain has become. A manufacturer of medical equipment was hacked, and malicious actors inserted malware into a completely ordinary software update that was pushed out to hospitals and health providers.
'In this area, things can get really harmful quickly?'
'Yes. These were serious criminals, and Interpol was involved. At several large European organizations, file transfers of sensitive personal data out of the company suddenly started. Fortunately, we and the supplier discovered it quickly, blocked the systems, and pulled the plug on the PCs before our clients' data was lost,' says Jørgen Færevaag, before drawing the unfortunately obvious conclusion:
'If it had gone on for one more day, the result could have been catastrophic.'
Fact Box: How the Board Can Take Control of Cyber Risk
Jørgen Færevaag's three tips for leaders who want to stop groping in the dark:
- Overview: Don't hide behind the IT department or expensive PDF reports. Get a real, technical map of your company's digital assets and vulnerabilities. Cyber is now the board's full and sole responsibility.
- Basic Security: Close the door with multi-factor authentication (MFA) and clean up your SaaS solutions (like Microsoft and Google). Tighten up who can share open files outside the company; that stops most simple attacks.
- Preparedness: Do you have a backup that actually works if you get locked out of your CRM system tomorrow? Test that the backup can be restored, otherwise it's worthless.
The Internet Isn't Norwegian
Norway is built on trust. We trust our neighbor, and we instinctively trust a colleague who shares a document because 'the job needs to get done.' We've probably all been there. Or we share with a client outside the company because... well, they need the document!
But Færevaag warns against blindly carrying this physical trust into the digital sphere.
'The Norwegian society of trust is our greatest strength,' says Færevaag, and continues:
'But cyber is a global domain. The internet is not a "Norwegian internet." If you get on a bus full of strangers, you usually take your own seat. You certainly don't accept an unknown USB stick from the person next to you. So why do we do it digitally?'
'You mean we are simply a bit too naive?'
'Yes. People think a USB stick is just an innocent storage device. But to a PC, it looks like a computer system. It can pretend to be a keyboard, open a web browser, download a virus in the background, and just like that, the entire network is compromised. So just drop the USB sticks.'
'You mean, all USB flash drives?'
Jørgen Færevaag slowly shakes his head.
'Just don't ever fucking do it.'