When you start to work with protective security, the first step is to carry out a protective security analysis. Such an analysis is the basis for all protective security work. So, how do you do a protective security analysis?
Technological development gives us many new opportunities. The problem is that the authorities' protective security has not kept pace with this development, which means that more shortcomings and vulnerabilities are exposed to potential attackers. To avoid the gap between threats and protection continuing to grow, more security measures are needed. The basis is a protective security analysis.
What is protective security?
Protective security means preventative measures to protect Sweden's security against espionage, sabotage, terrorist crimes and other crimes. The technological development in recent years means that we need to broaden the concept of security. In addition, public sector organisations and private companies should now also be included within the framework of protective security.
The term ‘Sweden's security’ refers to both military and civilian activities that may be of importance to Sweden's security. What needs to be protected to prevent threats to Sweden's security may to some extent change over time, but the activities that are important for Sweden's security today all fall into one or more of the following categories:
- Activities that are important for Sweden's external security: This means Sweden's ability to maintain national defence (territorial sovereignty) as well as Sweden's integrity, independence, and freedom of action (political independence).
- Activities that are important for Sweden's internal security: This refers to Sweden's ability to maintain and ensure basic structures in the form of the democratic state, the judiciary, and a law enforcement capacity at national level.
- Nationally important activities: This means deliveries, services and functions that are necessary for society's functionality at national level.
- Activities that are important for Sweden's economy: This refers to the national ability to pay.
- Damage-generating activities: This includes an activity that, if exposed to an antagonistic act, can generate damaging consequences for other security-sensitive activities.
The new Protective Security Act places higher demands on protective security
On April 1st 2019, a new Protective Security Act was introduced in Sweden. It applies to all activities that are important for Sweden's security, for example various forms of critical infrastructure. Since these companies are not always state-owned, but can also be private actors, the new act will affect many businesses. The act entails new higher requirements regarding protective security work and is introduced in order to reduce vulnerabilities.
How do you conduct a protective security analysis?
When starting to work with protective security, the first step is to carry out a protective security analysis. Such an analysis is the basis for all protective security work. You are obliged to make a protective security analysis if you conduct security-sensitive activities to investigate the need for protective security. But how do you do a protective security analysis?
By asking yourself the following questions, you will get what is required:
1. What is the goal of the business?
Make a business description where it is clear what responsibilities and processes that exist in the business. Also note any dependence on other functions, both internal and external.
2. Which are the protection values of the business?
Think about what the protection values of the business are, i.e. what are the most sensitive parts, the parts that can affect Sweden's security if someone comes across them?
3. Which consequences can arise?
Make an impact assessment and assess where the limit for acceptance goes.
4. What is the threat?
Make a clear description of the threats and the opponent. What does the threat picture look like? What type of attacker could be considered a threat? Are there any known potential attackers and what is the threat associated with them?
5. Which vulnerabilities exist?
Perform a vulnerability analysis that shows vulnerabilities that are linked to the business's protection values. These can be used by a potential attacker, and therefore it is important to know where they are.
6. Which protective measures should be chosen?
Finally, identified vulnerabilities should be linked to appropriate protection measures. The measures can be divided into three different areas: information security, physical security, and personnel security.
Protective security plan
Once you have completed your protective security analysis, a protective security plan must be drawn up based on your analysis, which deals with information security, physical security, and personnel security. The protection plan must clarify which protective security measures that must be taken.
Solutions used when working with protective security
How to work with your protective security is always based on the Protective Security Act. Under the Protective Security Act is the Protective Security Ordinance, which itself is followed by various regulations and guidelines. These regulations and guidelines thus apply to different sectors, which means specific rules for different organisations.
The Protective Security Ordinance states that if security-classified data is to be communicated to an information system outside the operator's control, the data must be protected by cryptographic functions that are approved by the Swedish Armed Forces. VPN encryption is one such solution.
Sometimes it is necessary to communicate over the Internet, but the sensitivity of the information may prevent you from being able to openly send it to the recipient. The solution is to use a VPN encryptor (Virtual Private Network). A VPN encryptor can be used to protect your network, while connected to the Internet, by creating secure and private tunnels between a device and a network, or between two networks. This way, you can be connected to the Internet, but the information you send to other devices within the private network is encrypted and sent securely through the tunnels, resulting in traffic that cannot be read by anyone outside of your private network.
Hardware-based encryption solutions are more expensive and can be a bit more complicated to manage, but if you have sensitive information or information that needs stronger protection – making security a top priority – hardware solutions should be your choice.
In the Security Police's regulations on protective security (PMFS 2022:1) it is stated that information systems that are separated from other information systems may transmit data for import or export through one-way communication. A product that can be used for that is a data diode.
A data diode is a cybersecurity solution that ensures a one-way exchange of information. This hardware product, with its high assurance, maintains both network integrity by preventing intrusions and network confidentiality by protecting the most sensitive information.
Data diodes are the fail-safe way to protect sensitive systems and confidential data. Data diodes are hardware products that are placed between two networks. A data diode acts as a check valve whose function only allows data to be sent forward while blocking all data in the opposite direction. Since it is not software, the data diode cannot be attacked by malicious code, which also contributes to high assurance.
Read more about data diodes and how they work!
Cybersecurity today is not only a technical challenge but also a human challenge – it is a matter of security culture. Criminals do not always use only technical shortcomings but often rely on people to access sensitive data and therefore the human factor is the main cause of the most serious security breaches. Building and maintaining a strong security culture is therefore an extremely important part of the work with cybersecurity.
Security culture is the shared values, conceptions, attitudes, knowledge and behaviour of individuals and groups in an organisation focused on creating security in the business. Security culture is about how employees' values affect the way they think and act in relation to risk and security. It therefore has a great impact on how people work and influence employees on a daily basis.
To become better at security culture, attitudes and behaviours need to change. The organisation needs to see cybersecurity and security culture as an activity-critical activity and not as an isolated IT issue – it is also important that the management prioritises the issue. What should define the work with security culture is to think of security as something that enables the work, not hindering it.
Read more about how to improve your security culture here!
Do you want to know more about the Protective Security Act? Read more here!
Do you need help with your security challenges? We will help you!