Russian roulette with Swedish IT security

2025-01-28

This text was first published in Dagens Industri on January 22, 2025

To promote digital security for businesses and organizations, we need to do what it takes to close the gap in security maturity among companies. For this, concrete support measures are needed, writes Johan Malmliden, President and CEO of Omegapoint.

In an uncertain time of war in Europe and the Middle East, where organized cyber warfare has become increasingly common, Sweden cannot afford to stand idly by, writes Johan Malmliden, President and CEO of Omegapoint.

New figures from the Swedish Security Index 2025, released by IT security company Omegapoint in February, reveal significant security gaps at small and medium-sized Swedish companies. 59 percent lack a functioning supplier management policy and 41 percent rely on external certifications to manage security risks at their suppliers. In an era of cyber warfare, where smaller and specialized IT companies play a key role in business supply chains, we now need to take a holistic approach with the resilience of the entire chain in focus.

Outsourcing and heavy dependence on subcontractors create long and complex supply chains in today's businesses. According to the MSB's report Threats to digital supply chains, this applies in particular to information flows, software and hardware, and digital services. Subcontracting and increased specialization among IT suppliers have created a landscape that the MSB describes as "a web of niche players", where different IT companies contribute unique expertise that creates potentially dangerous dependencies.

If your business is procuring an IT system today, you can expect a number of suppliers with specialized expertise to have designed the different parts of the system. If one of these actors, for example a smaller supplier with limited resources and poor security practices, is exposed to a cyber attack, it could lead to a total IT collapse of the entire supply chain.

The SolarWinds hack in 2020 is a terrifying example. There, a threat actor managed to plant malware in the Orion monitoring tool of the US IT company SolarWinds. As a result, up to 18,000 users, including several US government agencies and large corporations, risked having their digital networks compromised when they downloaded a malicious update.

Back home in Sweden, we saw a similar incident at Tietoevry last year. The IT provider, which manages sensitive data and digital services for a number of Swedish businesses, was hit by a ransomware attack that resulted in multiple outages and potential data leaks for its clients, including Rusta, Filmstaden, Region Uppsala and Systembolaget.

The vulnerability of digital supply chains is thus not a new problem. That supply chains are becoming long and complex is arguably a necessary evil, given the modern economy's emphasis on specialization and outsourcing. However, what we see in the Swedish Security Index 2025 is that the difference in security maturity between small and large players is becoming increasingly striking. Larger companies have the resources to audit their suppliers, set requirements and implement secure procedures.

Smaller businesses, with limited budgets and skills, often have to rely on certifications, which can be insufficient. The Swedish Security Index 2025 shows that 41 percent of SMEs rely on certifications to manage third-party risks, compared to 30 percent of larger companies. The gap between these groups is growing, creating significant differences in how well supply chains are protected.

The threat actors are aware of this. By attacking a small player in the supply chain, they gain access to larger businesses a few steps down the line. As a result, small businesses are forced to defend themselves against threats that are actually directed at their customers or clients. This is not sustainable. We must therefore stop viewing security as isolated to our own business and start considering the resilience of the entire supply chain as crucial.

With the Security Protection Act and the upcoming Cybersecurity Act, Sweden has taken important steps in the right direction. These regulations can be a driver for improvement, but only if they are properly implemented and followed up. Improving security in practice requires a holistic approach, where every part of the supply chain can be audited and secured. To ensure that even the smallest IT suppliers in the chain comply with security requirements, the following is needed:

  1. Companies and organizations need to set clear requirements when purchasing IT services, and do their own due diligence when selecting suppliers.
  2. Governments and larger companies need to ensure that smaller suppliers receive the guidance and resources they need to build their security practices.

In an uncertain time of war in Europe and the Middle East, where organized cyber warfare has become increasingly common, Sweden cannot afford to stand idly by. To promote digital security for businesses and organizations, we must do what it takes to close the gap in security maturity among businesses. For this, concrete support measures are needed.

The alternative is to continue playing Russian roulette with Sweden's cyber security. The question is: can we afford to take that risk?
