Keva, the largest pension agency in Finland, is committed to developing its ability to prepare for and respond to cyber threats. With the help of Nixu’s extensive cyber exercise, Keva is now more prepared than ever for any unexpected situations. The core of the exercise focused on comprehensive crisis management – how the agency can make decisions while keeping everyone informed of its status, even during a major crisis.
Keva is responsible for the pensions of those who work for Finnish municipalities, the state, the state church, Kela, and the Bank of Finland. As an agency that serves 1.3 million public sector employees and pensioners, Keva handles the public sector’s employment pension insurances, the financing of pensions for municipal personnel, and investing its pension assets. In addition, Keva’s customer base includes approximately 2,000 employers, ranging from municipal organizations to state employers and parish associations. All in all, the agency treats its responsibilities and information security needs with the utmost seriousness.
Exercises play a particularly important role in the prevention of information security threats. With the help of an extensive cyber exercise organized by Nixu, Keva was able to really rehearse the most optimal ways of handling a crisis situation.
Cyber exercise = smart preparedness
Nixu’s cyber exercises allow its customers to simulate cyber attacks in imaginary scenarios and thoroughly rehearse and test the best recovery methods for various disruptions. This approach helps ensure the quality, effectiveness and appropriateness of any policies that have been created for these types of special circumstances.
In addition to identifying an organization’s strengths and weaknesses, a cyber exercise also helps its participants test what they truly remember about their crisis guidelines. Crisis situations are typically very high-pressure scenarios where the implementation of even the simplest measure is usually easier said than done. In a crisis, an organization’s employees will face several situations that will demand a clear and carefully considered division of roles and responsibilities. This is why Nixu’s exercises also place particular emphasis on communications and management.
Keva’s cyber exercise focused on the disruption management process utilized by its IT and communications units. The primary objective of the exercise was to identify any weak points in the agency’s processes, decision-making practices and communication policies – and to hone them for any future crises. The exercise scenario featured a fictitious, large-scale cyber attack that targeted the agency’s systems on multiple levels.
The end result: clarity in communications and increasingly efficient processes
With the help of Nixu’s cyber exercise, Keva was able to confirm the effectiveness of its policies and secure the continuity of its operations even in any security incidents or disruptions. Keva also gained other significant benefits from the exercise, as it allowed the agency to better understand the impacts of major disruptions, develop its internal and external communications, and clarify its decision-making processes and areas of responsibility.
The exercise also highlighted new development targets – for example, Keva realized that in the event of a crisis it could authorize its partners to communicate directly with the authorities to help speed up their decision-making processes. The lessons learned from the exercise allowed Keva to comprehensively enhance and streamline the way it communicates with its partners.
Annual cyber exercises provide security
Keva understands the vitally important role that cyber exercises play in today’s increasingly digital world. That is precisely why the agency is committed to organizing cyber exercises annually. This way, Keva seeks to ensure that it is prepared for any cyber threats it may face in any given operating environment.
“This exercise emphasized the role that communications play in the relationships between an organization’s business divisions and between one’s business partners and the authorities,” says Anu Laitila, Business Manager of Nixu’s Cybersecurity Awareness unit. “We paid particular attention to external communications, and we discovered a number of development targets that can be used to improve the agency’s communication policies, especially between its partners. As we can see from all the recent news coverage on cybersecurity, communications are vitally important both internally and externally. Poorly managed communications pose a major challenge for organizations, while well-managed communications help organizations maintain their customers’ trust, among many other benefits,” Laitila sums up.
Juha Mäkinen, Chief Security Officer at Keva, continues: “Nixu’s cyber exercise revealed that Keva has a great deal of expertise at its disposal and the ability to manage crises in a goal-oriented manner. This is possible if every person who was involved in the investigative process and in communicating about our status was always as available as they were during the exercise. However, this isn’t always the case, and we must create even stronger cooperation network models with our information security and IT partners.
The exercise we conducted now as well as those we have done in the past have allowed us to forge effective routines for managing multiple scenarios, and they have also helped us discover the facets of our decision-making process that still require a bit more fine tuning. Next time, our exercise scenario will be even more complex and demanding, as it will include even more participants. When it comes to cybersecurity, training really does count!", Mäkinen concludes.