Cyber crime is a global phenomenon, meaning we need to think about the whole country as opposed to reacting to individual incidents. Estonia's data protection and cyber security strategy needs a "support and supervise" focus, Rainer Ratnik writes.
Stolen genetics data, hackers and data leaks – Estonia has been hit by a wave of cyber crime which has increasingly been making news in recent weeks. Could these cases have been prevented by introducing and executing a national strategy? The answer is probably that they largely could have.
So far, the national strategy has been a case of "let's see what happens," while there is now a chance of this morphing into "someone needs to take the blame" in light of recent news. What is needed is something else. We need to support companies and organizations and exercise stronger, balanced supervision.
Estonia swimming upstream
The General Data Protection Regulation (GDPR) entered into force in 2018 and delivered a boost to security and cyber security in Europe. Why? Because suddenly data processing was in the spotlight and failure to follow the rules resulted in major fines.
But while we have heard news of fines and megafines issued in Europe over the last six years, fining persons for breach of data protection rules has been virtually impossible in Estonia. What happens on a highway where policing the speed limit is out of the question? It will likely be concluded that there is no speed limit.
The Estonian Data Protection Inspectorate employs smart and hardworking people, while the agency's budget has been virtually nonexistent, considering the complexity of its tasks. The rules governing how the inspectorate works could have provided that fines also help fund the organization.
Only prevention and supervision effective
Not dealing with something is a strategy. Not contributing resources toward supervision and failing to create appropriate sanctions is a strategy in itself. It has caused many organizations to ask, quite justifiably, whether data protection is important or not.
Luckily, sanctions are slowly emerging. But let us face the truth – we are six years behind the rest of Europe. This makes Estonian organizations which have failed to take matters seriously low-hanging fruit for cyber criminals.
It is all well and good for the prosecution and the police to investigate cases and try to apprehend cyber criminals. But the effect of this is a drop in the ocean in the grand scheme of a national strategy because when it comes to cyber crime, we are usually not talking about local perpetrators whose arrest immediately lowers the crime rate.
Figuratively speaking, we are not looking for a lone Pae street bomber whose capture automatically makes Estonia a safer place. Cyber crime is a global phenomenon. This means we need to think about the country as a whole, as opposed to individual cases. Estonia must become an unattractive target.
We need a strategic focus on helping businesses and organizations achieve a better level of data protection in terms of mentality, know-how and technical capacity. This also requires more effective supervision.
Editor: Marcus Turovski