City of Malmö shows why cybersecurity must be practiced - not just planned

2025-07-29

In November 2024, the City of Malmö conducted a phishing test among 3,500 employees. The purpose was clear: to measure the organisation's resilience to one of the most common methods of attack - phishing. The results were telling. The test, which was supposed to last 72 hours, had to be stopped after 27 hours, by which time more than one in three employees had already clicked on the fake email.

This incident is far from unique. Every week, Swedish organizations are exposed to thousands of phishing attempts, often as the first phase of a larger attack. A single click can be enough for an attacker to harvest login credentials, install malware, or use the compromised mailbox as a springboard for further attacks. For a municipality, this poses a direct risk to citizen services, sensitive data and business continuity.

Figures from the Swedish Security Index 2025 underline the seriousness. Eight out of ten decision-makers in critical societal functions assess the threat to Sweden as serious or very serious. At the same time, many feel that the gap between their vulnerability and their actual ability to deal with cyber threats is growing.

The threat landscape is changing - and becoming more personal

This vulnerability is exacerbated by new and more sophisticated threats. One example is so-called infostealers - malware that silently harvests login credentials, session cookies and other sensitive data from computers and browsers. The stolen information is then used in secondary attacks, where the attacker already has a head start because they can log in as an authorized user. A stolen session cookie is particularly dangerous: replaying it lets the attacker skip the login step entirely, including multi-factor authentication, because the session was already authenticated by the victim.

Infostealers are often spread via phishing emails or malicious links, making human error the decisive factor. Technical protections are important, but they rarely stop a user from letting the attacker in.
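The secondary attack described above leaves a characteristic trace: because the attacker replays an already-authenticated session rather than logging in, there is no login event to alert on, but the same session identifier suddenly arrives from a different network and client. The following detection is an added example, not code from the original article or from the City of Malmö; the log format, the field names (`sid`, `user`, `ip`, `ua`) and the sample entries are constructed for illustration and use documentation IP ranges.

```python
"""Flag session-cookie replay in constructed web-application access logs.

An infostealer steals the browser's session cookie; an attacker who replays it
is accepted as the legitimate user without a password or MFA prompt. What
remains observable is the same session id appearing from a second client
fingerprint (source IP plus User-Agent) while the original is still in use.

Added example, not the article's own code. Log format and field names are
assumptions chosen for this illustration.
"""
from datetime import datetime

# Constructed sample log lines: timestamp | sid=... | user=... | ip=... | ua=...
# 10.0.0.0/8 stands in for the internal network, 203.0.113.0/24 (TEST-NET-3)
# for an external host.
SAMPLE_LOG = """\
2025-03-05T08:01:10Z|sid=a1b2c3|user=anna.l|ip=10.20.30.40|ua=Mozilla/5.0 (Windows NT 10.0) Chrome/130
2025-03-05T08:05:42Z|sid=a1b2c3|user=anna.l|ip=10.20.30.40|ua=Mozilla/5.0 (Windows NT 10.0) Chrome/130
2025-03-05T09:17:03Z|sid=d4e5f6|user=erik.s|ip=10.20.31.7|ua=Mozilla/5.0 (Macintosh) Safari/17.0
2025-03-05T11:48:55Z|sid=a1b2c3|user=anna.l|ip=203.0.113.77|ua=python-requests/2.32
2025-03-05T11:49:20Z|sid=a1b2c3|user=anna.l|ip=203.0.113.77|ua=python-requests/2.32
2025-03-05T12:00:00Z|sid=d4e5f6|user=erik.s|ip=10.20.31.7|ua=Mozilla/5.0 (Macintosh) Safari/17.0
"""


def parse_line(line):
    """Split one pipe-delimited log line into a dict with a parsed timestamp."""
    ts, *fields = line.split("|")
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_session_replays(log_text):
    """Return one alert per session id that is later seen from a new fingerprint.

    The fingerprint is (source IP, User-Agent). A legitimate user switching
    networks can also trigger this, so the result is a triage signal to pair
    with device and ASN context, not a verdict on its own.
    """
    first_seen = {}   # sid -> (fingerprint, first timestamp)
    alerted = set()   # (sid, fingerprint) pairs already reported
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid = rec["sid"]
        fingerprint = (rec["ip"], rec["ua"])
        if sid not in first_seen:
            first_seen[sid] = (fingerprint, rec["ts"])
            continue
        original_fp, original_ts = first_seen[sid]
        if fingerprint != original_fp and (sid, fingerprint) not in alerted:
            alerted.add((sid, fingerprint))
            alerts.append({
                "sid": sid,
                "user": rec["user"],
                "original": original_fp,
                "new": fingerprint,
                "first_seen": original_ts,
                "replay_at": rec["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_LOG):
        print(f"session {alert['sid']} ({alert['user']}) first seen from "
              f"{alert['original'][0]} at {alert['first_seen']:%H:%M}, "
              f"reused from {alert['new'][0]} / {alert['new'][1]} "
              f"at {alert['replay_at']:%H:%M}")
```

On the constructed input the script reports exactly one session, `a1b2c3`, reused from the external address with a scripted User-Agent while the original Windows browser session is still active; the containment step such an alert should trigger is revoking that session server-side, since resetting the password alone does not invalidate a cookie the attacker already holds.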

Why plans are not enough - skills must be practiced

Many organizations put a lot of emphasis on technical solutions, policies and processes. But reality shows that people are often the weakest link. A documented security approach on paper means little if staff do not know how to act in an emergency.

The City of Malmö's test is a clear example. By subjecting themselves to a simulated attack, they got an honest picture of the human factor in their own organization. According to the Swedish Security Index, awareness of this is now growing - more organizations describe themselves as "consciously incompetent". In other words, they have started to understand their own shortcomings. And that is a necessary first step towards improved resilience.

Three concrete measures to strengthen security

  1. Regular stress tests and simulations - not to find scapegoats, but to measure real capabilities and identify areas for improvement.
  2. Training on how attackers manipulate people - understanding social engineering and new threats such as infostealers makes it easier to take the right action.
  3. A security culture that encourages dialogue - create an environment where it is okay to ask, hesitate and report suspicious events.

Conclusion: dare to test before the attackers do it for you

The biggest mistake an organization can make is to rely on plans that have never been tested in practice. Conducting simulated attacks is an effective way to both measure capability and create organizational learning.

Want to close the gap between threat and capability? Start by putting your business to the same test that threat actors are already planning for you. It's not just a safeguard against the next attack - it's an investment in trust, continuity and security.
