
Proactive Cybersecurity in the Age of AI

Artificial intelligence has already significantly transformed the cybersecurity landscape, and its impact continues to grow. Attacks are more sophisticated, more targeted, and easier to execute than before. In this blog post, I examine what cybersecurity looks like today and what challenges the rapidly changing operating environment brings to organizations. In August, we will host a webinar on this topic, where my colleague Matias Haapaniemi and I will delve deeper into the subject. Register for the webinar here.

The Threat Landscape Has Changed

The threats facing organizations are no longer just random malware or generic phishing messages. Attackers leverage artificial intelligence to research target organizations, tailor messages, create voice and video scams, and identify vulnerabilities.

Despite all the hype, the majority of attacks still rely on familiar weaknesses: unpatched systems, weak authentication, unmonitored logs, and deficiencies in practices within the organization and its stakeholders. When cybersecurity fundamentals are in order, an organization still has strong prerequisites for effective protection.

Criticized EU Regulations

Regardless of industry, companies are increasingly technology companies. Core business pillars rely heavily on information technology; if IT fails, business continuity is often jeopardized. Despite this, the IT industry itself remains relatively lightly regulated. Compare this to the pharmaceutical industry, for example, where even individual small processes are strictly supervised.

If you ask me, the IT industry should have minimum cybersecurity requirements regardless of organization size and criticality. Requirements such as NIS2 would establish a baseline upon which every organization could build its own protection and preparedness for various cybersecurity incidents.

EU regulation has been criticized for weakening the competitiveness of member state companies. I see it the opposite way: well-structured regulation strengthens business continuity and increases organizational resilience in various disruption scenarios, thereby providing a competitive advantage.

Minimum Level

The minimum cybersecurity level for an SME does not necessarily mean a heavy governance model or extensive investments, but rather a few critical practices that must genuinely be in order. The minimum level includes up-to-date patches, multi-factor authentication, adequate logging and monitoring, managed access rights, functional backups, basic change management, and staff ability to recognize the most common scams and respond to various incident scenarios. The minimum objective does not need to be perfect protection, but rather a baseline that significantly reduces the most likely risks and ensures that the organization can continue operations even during disruptions.

Update Management

Most exploited vulnerabilities have had patches available for months before the attack waves begin. For an SME, a clear rhythm is sufficient: workstations and servers on an automatic update cycle, external services and network devices under regular review, and a separate handling process for critical vulnerabilities. What is essential is that there is an agreed, functional process for updates and a clearly named responsible party to oversee it.

Logging and Monitoring

Logs do not help if no one monitors them. For an SME, the minimum level means that logs from key systems such as Microsoft 365, Entra ID, network devices, and endpoint protection are collected in one place, and that anomalies generate alerts which are responded to appropriately.

Microsoft 365 Environment Hardening

Microsoft 365 is one of the most important systems for most organizations and a common target for attacks. Default settings are not sufficient to protect the environment, nor does the license level automatically raise the level of security. The minimum level includes, among other measures, multi-factor authentication for all users without unnecessary exceptions, conditional access policies that restrict unrecognized or high-risk sign-ins, and blocking legacy authentication.
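
The monitoring and hardening points from the two sections above can be checked against the sign-in log itself. The following is an added example, not code from the original post: it reviews Entra ID sign-in records for successful legacy-authentication, single-factor, and high-risk sign-ins. Field names follow the Microsoft Graph signIn resource; the records, the finding labels and the function names are constructed for illustration.

```python
# Added example: review Entra ID sign-in records against the minimum level.
# Field names follow the Microsoft Graph signIn resource; all records are constructed.
import json

# clientAppUsed values that indicate modern authentication; anything else is legacy.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "anna@example.com", "clientAppUsed": "Browser",
  "authenticationRequirement": "multiFactorAuthentication",
  "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}},
 {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "Authenticated SMTP",
  "authenticationRequirement": "singleFactorAuthentication",
  "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}},
 {"userPrincipalName": "ben@example.com", "clientAppUsed": "IMAP4",
  "authenticationRequirement": "singleFactorAuthentication",
  "riskLevelDuringSignIn": "none", "status": {"errorCode": 53003}},
 {"userPrincipalName": "carl@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
  "authenticationRequirement": "singleFactorAuthentication",
  "riskLevelDuringSignIn": "high", "status": {"errorCode": 0}}
]""")


def review_signin(rec):
    """Return findings for one sign-in; only successful sign-ins produce findings."""
    if rec.get("status", {}).get("errorCode") != 0:
        return []  # failed or blocked sign-ins are out of scope for this check
    findings = []
    client = rec.get("clientAppUsed") or ""
    if client and client not in MODERN_CLIENTS:
        findings.append("legacy-auth-allowed")      # legacy protocol was not blocked
    if rec.get("authenticationRequirement") == "singleFactorAuthentication":
        findings.append("single-factor-success")    # MFA was not required
    if rec.get("riskLevelDuringSignIn") in {"medium", "high"}:
        findings.append("risky-signin-allowed")     # risk-based policy did not stop it
    return findings


def alerts(records):
    """Map each user with at least one finding to a sorted list of findings."""
    out = {}
    for rec in records:
        for finding in review_signin(rec):
            out.setdefault(rec["userPrincipalName"], set()).add(finding)
    return {user: sorted(found) for user, found in out.items()}


if __name__ == "__main__":
    for user, found in alerts(SAMPLE_SIGNINS).items():
        print(user, ", ".join(found))
```

Any account that appears in the output is an exception to the minimum level and should either be fixed or documented as an agreed exception.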

Change Management

In an SME, change management does not mean a heavy ITIL model, but rather knowing what changes in the environment, who made the change, and on what basis. The minimum requirement is that significant changes, such as access rights, firewall rules, and integrations, go through an agreed channel and are documented.

Partner and Vendor Assessment

Attacks through partners and vendors have become more common. When access to one environment is successful, the attacker often attempts to progress through it to other targets. Therefore, an organization should maintain an up-to-date list of partners who have access to its systems or data, and ensure that contracts define at least the key cybersecurity requirements and the obligation to report incidents without delay.

Understanding Your Own IT Environment and Data

You cannot protect what you do not know you own. Up-to-date visibility into systems in use, applications, user accounts, and data location and criticality is a fundamental prerequisite for cybersecurity. Particular attention should be paid to where business-critical information is located, who has access to it, and how it is protected regardless of environment.

Training Your Own Organization

Technical controls alone are not sufficient if staff do not recognize risks in their daily work. The minimum level includes regular and practical cybersecurity training, where staff learn to better recognize phishing messages, other scam attempts, and incident scenarios, and know how to report them quickly.

Summary

A strong cybersecurity posture does not mean expensive investments or heavy processes. A solid foundation is built on managed access rights, up-to-date patches, functional monitoring, and staff ability to recognize risks in their daily work. In the age of AI, threats are evolving faster than before, but the foundation of cybersecurity remains the same: know your environment, protect the most critical points, and ensure that the fundamentals are genuinely in order.
