Learn the principles

For organisations, digital security risk management is an essential basic activity that concerns all employees in the same way as ensuring communications, work ergonomics, or fire safety.

Digital security affects the security of the physical world the same as the security measures of the physical world affect digital security.

Digital security risk management is ultimately about protecting people and their interests, even though it is often primarily seen as ensuring and protecting the interests, tools, and processes of the organisation.

If the operation of digital platforms is disrupted due to a risk that became real, the situation may result in significant financial losses and other short- and long-term disadvantages for the organisation. Recovery from harm may be considerably more expensive than taking precautionary measures for the threats.

For example, violations may result in fines, and if the business ends due to the harm, employees are left without work.

Cyber criminals usually try to

• gain financial benefit (for example, by blackmailing the targeted organisations)
• disrupt the activities of organisations or societal or state actors
• obtain information for the purpose of using it to commit larger crimes.

• What is digital security? (Digital and Population Data Services Agency)Opens in a new window.

Open and comprehensive risk management means that your organisation identifies and is aware of the existence of risks. Your organisation must also ensure that everyone knows enough about the risks:

• management
• specialists
• other staff, and
• partners.

Today, most of the information that is important to an organisation’s business is located in digital networks or different digital platforms, such as information systems or cloud services. As several employees of the organisation process or use shared information, digital security risk management is everyone’s responsibility.

As IT experts often have special expertise in digital security issues, taking care of digital security and managing risks related to digital security are often considered to be the responsibility of the IT department alone. However, the management of digital security risks is everyone’s duty. Only the roles and tasks of risk management are different.

Digital security risk management may sometimes seem unfamiliar or difficult, and something that is not related to your own work tasks. However, everyone carries out risk management alone and together in their work. As risk management and digital security are extensive, covering the entire organisation, cooperation is a prerequisite for successful risk management.

If only one employee is responsible and competent for managing digital security risks in your organisation, the continuity of your organisation’s risk management work is threatened, for example, if the worker falls ill or changes jobs. So make sure to share the responsibility.

Risk management is the most important digital security process.

− VAHTI network (2017)

Risk management refers to actions that ensure the continuity of the organisation’s operations and aim to minimise the harm caused by risks. Actions related to risk management may be related to both the individual and the organisation.

Risk management actions include:

• observation of risks related to the use of information networks or digital devices, and
• developing the organisation’s operations based on identified risks.

Safety and security management refers to comprehensive and systematic activities aimed at promoting safety that combine

• the management of methods
• practices and
• people.

Continuity management is a digital security process that

• identifies the main risks
• assesses their impacts in the organisation and its network of actors
• creates a practice for continuing operations in the event of disruptions, and
• practises how to act in case of disruptions.

Precautionary measures are activities that ensure and enable that an organisation can operate without disruptions in both normal and deviant situations. It is important that the organisation ensures the continuity of its core activities in particular.

Precautionary measures include:

• education and training
• drills and
• risk assessment.

Information security refers to actions that ensure the confidentiality, integrity and availability of information.

Information security can be improved by:

• using strong passwords
• backing up data
• updating applications and devices.

Data protection refers to protecting people’s privacy and personal data from malpractices.

Data protection acts recorded in law include the

• lawful
• appropriate and
• transparent handling of personal data.

The digital security learning paths of the Digital and Population Data Services Agency provide tools for developing digital security competence for those working in public administration organisations. There are four learning paths of different levels:

• basic skills
• advanced skills
• expert skills
• manager skills.

Get to know the learning paths (in Finnish).

The Digital and Population Data Services Agency’s digital security development paths 1–3 provide specialists and managers who are responsible for digital security in a public administration organisation with tools for developing digital security in their organisation.

Get to know the development paths (in Finnish).Opens in a new window.

• The Digitally Secure Life training module: Digitally Secure Life (Digital and population data services agency)Opens in a new window.
• The Operate safely in the digital world course (eOppiva)Opens in a new window.
• The Digitally secure working life course (eOppiva)Opens in a new window.
• The Digital security for elected wellbeing services county officials course (eOppiva)Opens in a new window.
• The Digital security for local government officials course (eOppiva)Opens in a new window.
• The Organising digital security through architecture course (eOppiva)Opens in a new window.

• The Risk management in the digital world course (eOppiva)Opens in a new window.

• The Securing digital operations during incidents course (eOppiva)Opens in a new window.

• The ABC of data protection for public administration personnel course (eOppiva)Opens in a new window.
• The ABC of data protection 2 – deeper in data course (eOppiva)Opens in a new window.

Data protection in procurement (in Finnish)

• Tietosuoja hankinnoissa (eOppiva)Opens in a new window.
• Tietosuojan vaikutustenarvioinnit osana hankintaa (eOppiva)Opens in a new window.