Cybersecurity at the Crossroads - Nordics

Executive Summary

Looking back over the last 12 months, cybersecurity stakes continued to grow. The world suffered what was arguably the most significant cyber outage to date as a misconfigured CrowdStrike update took millions of Windows PCs offline. Looking a little closer to home, Sweden saw an unprecedented level of attacks once their decision to join NATO was finalized, but none of the four countries managed to avoid the attention of ill-fated actors. Several of the online attacks hit infrastructure such as government payment systems and transportation.

The rise in attacks presents a unique dilemma for the Nordics - a region long known for its early and enthusiastic adoption of digital technologies. From smart public services to connected industries, the Nordics are among the most digitized societies in the world. But without a matching investment in cybersecurity, this deep integration of technology becomes a liability, exposing governments, businesses, and individuals to significant operational and reputational risk.

“In the Nordics, DDoS attacks continue to dominate online threat activity, particularly in the Financial Services sector, where single points of failure can have serious consequences.”, says Fastly’s Joakim Sundberg. “Because these attacks require significant resources to launch and defend against, it’s critical for organizations to prioritize robust defensive strategies. This is especially important in highly digitized regions like the Nordics, where recent incidents have highlighted the risks of relying on uninterrupted digital infrastructure.”

Against this backdrop, the need for more cybersecurity and digital resilience is greater than ever - yet a closer look at the last 12 months finds security programs in a precarious position. The headwinds facing cybersecurity initiatives are more significant now than they were previously. Many of these are non-technical, covering issues such as budget scrutiny and confusion over who is responsible for cybersecurity in organizations.

The largest attacks observed in the Nordics by Fastly, and the industries they targeted the most in the past 180 days (november 1, 2024 - april 1, 2025)

As mentioned in our Global Security Report, online security is at a crossroads. To gain more insight into how corporations are dealing with key cybersecurity issues and where the industry is headed, in late 2024, Fastly worked with business and consumer market research agency Sapio to survey 1800 worldwide IT decision makers, all with an influence in cybersecurity. This report, focused on the Nordics, offers deep insights into their cybersecurity challenges and how they plan to overcome them. Here are some of the key findings:

• Security initiatives are on a knife-edge. While more IT decision makers (87%) expect cybersecurity investment to increase over the next year, the results from this spending will be under intense scrutiny. Security teams face an uphill struggle as they try to convince senior executives to continue budgeting in ways that make effective defense strategies possible. The C-suite has plenty of other priorities to address, especially in areas such as digital transformation and IT modernization, and they feel that cybersecurity initiatives slow them down.

• Organizations face challenges scaling their cybersecurity operations. As they struggle to justify their function to the board, there are also worrying signs of inefficiencies in cybersecurity. Over a third of respondents felt that they had no clear idea of where they should allocate cybersecurity resources, which correlates with a feeling of over-investment.

• The market is not providing the talent that companies need. There are also signs of an inability to scale cybersecurity efforts as capacity and complexity demands increase. Traditionally, companies have invested in more talent to try to keep up with burgeoning cybersecurity needs, but this year sees a deep dissatisfaction with the available talent pool. That calls for a rethinking of skills management practices to cope with evolving cybersecurity needs.

• Technology complexity is holding back cybersecurity efforts. The technology organizations use to fight cyber threats are also an issue as companies look to scale their cybersecurity initiatives. Businesses are also still laboring under complex, overlapping toolsets that make cybersecurity operations such as incident response more difficult. 2024’s CrowdStrike outage has thrown security products and services into the spotlight, as security leaders begin to question the risks and benefits of their cybersecurity tooling.

Recovery time

There’s no denying that 2025 is off to a turbulent start as far as the political climate goes, and the tone in the raging debates is often uncompromising, and lines get drawn fast. That alone might be enough to keep CISOs up at night, proving that they work for a company that can find itself in the crosshairs of public opinion. It’s a short distance from “all is well” to “we’re under attack”.

There is nothing that points towards the amount of online attacks getting smaller. It doesn’t really matter whether you look at it in terms of the number of attacks, the damage they create, and the amount of time it takes to mitigate them, clean up, and try to prevent them from happening again. Online attacks remain an often-used strategy to hurt businesses where they feel it the most: reputation and revenue.

We asked participants from the Nordic region how long ot typically takes to fully recover from online attacks. On average, they estimated 8.07 months. This is approximately 20 days longer than the global estimate of 7.34 months. But we should also point out that 30% of the worldwide respondents said they’ll have cleaned up within an impressive 1-3 months. 25% saw attacks that took more than a year to recover from.

So why the large delta? One answer is undoubtedly that recovery times rise as cybersecurity investment falls. We saw a direct correlation between those companies that expect to spend less in the next 12 months and those expecting recovery time exceeding eight months. The gap between perception and reality continues to grow - companies planning to reduce cybersecurity investments take nearly 11 months to recover from incidents, about a third longer than they anticipate. In contrast, organizations that maintain or increase their cybersecurity spending recover significantly faster.

Preventive measures top the list of recovery tactics

For the Nordics, the two most common responses around preventive measures are implementing stronger security (48%) and providing additional employee training (45%) - reflecting a focus on “lessons learned” and prevention of future attacks. Both are quite a bit higher than the worldwide results - 43% and 41% respectively. While there is nothing unusual in the response with the highest priority, some may find that it’s surprising to see additional training rank this high. We believe there are two reasons for this: companies are still adjusting their security procedures to accommodate a flexible culture when it comes to where you work. Secondly, social engineering is increasingly being used as the hunting ground for inroads, and with work being conducted all over the place, training on how to be more vigilant is needed.

Fewer companies in the Nordics region are prioritizing specific actions that aid incident recovery, such as restoring from backups (34% - down from 38% worldwide) or communicating with stakeholders (39% - up from 34% worldwide). Forensic analysis - critical for pursuing legal action against malicious insiders or external attackers and for regulatory reporting - is the least commonly cited, at just 20%, down from 25% worldwide. On a positive note, 34% of respondents are allocating additional budget toward incident response playbooks and supporting tools.

When surveyed, most Nordic businesses rely on internal resources for recovery, with 59% turning to their IT teams. Only 33% engage external cybersecurity firms for support. Fewer than one in three respondents opted to use cyber insurance to offset costs, a number we expect to continue to decline, as the average cost of a data breach in 2024 reached an all-time high of $4.88 million.

Finally, the Nordic countries show less loyalty than the rest of the world when it comes to their EDR vendors. 32% of respondents said that in light of recent security events, they are considering changing vendors. Still, many keep using their existing tools and instead look for ways to better utilize or optimize them. 44% of the Nordic respondents answered that this was their preferred approach.

Confidence vs. Reality: Are Organizations Overestimating Their Infrastructure Security?

Security incidents have long been a part of everyday life for IT professionals, and almost every company has experienced them. Worldwide, only one in ten of those polled has not. For the Nordic region, the number is only 4%. In the past year, on average, the organizations we polled had 40 known incidents. American businesses were the ones most affected; they experienced one incident per week, and with 64 incidents over a 12-month period, larger organizations were even more exposed owing to their greater attack surface and possibly the reach of their brand.

It bears repeating that an incident isn’t necessarily the same as an online attack. In fact, of those asked, 23% of Nordic businesses answered that they had incidents due to misconfigurations, with software bugs coming in at an astounding 37%! Yet, patches and IT changes often arrive too slowly, creating security gaps for 25% of the companies polled. Embracing Secure DevOps (SecDevOps) can help prevent bugs upfront and accelerate fixes for vulnerabilities that slip through.

An additional key issue is the tension between manual and automated processes. Manual steps contributed to 28% of incidents, with 22% of respondents reporting problems due to reliance on employees manually enforcing security policies, rather than embedding security into their technology solutions.

Cyber incidents wreak financial havoc

No matter who or what is the cause of a cyber incident, many Nordic companies end up with significant revenue losses. 26% of those asked could see the effect on the bottom line. Worldwide, companies lost an average of 3% of revenue when there were financial losses. Although it’s less measurable in terms of cost, downtime is another big consequence, closely followed by data loss.

It’s important to remember that online security incidents pose significant legal and regulatory risks. 15% of respondents in the Nordics reported compliance violations, while 17% indicated that customer accounts had been compromised, which could lead to breaches of privacy laws.

Reputational damage is also a major concern, affecting 17% of Nordic organizations. Additionally, 21% experienced a decline in customer trust, and similarly, 21% noted a decrease in customer satisfaction. These issues have a direct impact on customer retention, with 15% of organizations reporting an increase in customer churn following an incident.

Confronting the Next Wave of Threats

Concern over cyber threats remains high. The rise of automated attackers is particularly troubling, with 38% of respondents saying it keeps them up at night. Many question whether their current security tech stack can keep pace: 29% cite a lack of automation in their defenses, while 30% are held back by sluggish change management processes. In fact, automating cybersecurity is the second-highest security priority over the next 12 months, identified by 23% of the Nordic respondents. The anxiety is casting a shadow over innovation. While digital transformation promises growth, 40% worry that expanding their software footprint and digital infrastructure will increase their exposure to attacks, especially since 31% are concerned they don’t have the experience to secure modern and complex architectures. More broadly, 53% believe they are unprepared to face sophisticated threats, and 51% say their internal cybersecurity technologies aren’t strong enough to protect them.

Is Cybersecurity Spend Keeping Pace with Rising Risk?

Effective cybersecurity doesn’t happen without appropriate investment. As threats multiply and adversaries grow more sophisticated, organizations must continue to commit meaningful resources to the defense of their online storefronts and infrastructure. Yet despite strong intentions, the data we see reveals critical shortfalls.

In 2023, 75% of respondents indicated plans to increase cybersecurity spending. One year later, half reported underinvesting in key areas. In their own words, this is raising concerns about exposure to threats. This sentiment is particularly acute in the U.S., where 61% of organizations acknowledge gaps, correlating with the region’s high incident volume. The number for the Nordic region was much lower at 41%.

Interestingly, worldwide, 71% say their current investments align with strategic objectives (64% for the Nordic region). So why do so many still feel underinvested in online security?

Investments Are Hard to Justify

Tight budgets aren’t the only reason respondents have trouble securing funds earmarked for protecting against online threats. The answers revealed that cybersecurity is often seen as an obstacle to working on other priorities. An astonishing 43% of respondents’ senior executives worry that this very issue could slow down innovation. IT modernization is a significant component in digital transformation efforts, and 48% feel that investments in cybersecurity hinder that initiative.

Cybersecurity professionals must justify their costs to the C-suite, but 48% fail to do so. While 76% of the Nordic respondents feel their investments have supported revenue and growth goals, confidence that they have quantified the ROI from cybersecurity spending is moderate, at 62%. Part of the problem is understanding where to spend those dollars; 36% said they had invested far too much, with no clear plans on where to allocate resources.

Trimming Security Budgets Is a Shortcut to Exposure

On a positive note, 85% of Nordic respondents plan to increase their cybersecurity investment this year, sharply up from the 76% who reported the same intention last year. However, given that half of the companies this time around say they’re still under-invested, intentions alone may not translate into reality.

It’s also good to see that only 7% of organizations expect to reduce cybersecurity spending. While that number might seem high, this doesn’t mean that those respondents will scale back their level of protection. Those companies may be shifting to lower-cost solutions, consolidating vendor contracts, or exploring open source alternatives.

Optimizing spend is sensible. But the data shows that this cost-cutting cohort may be paying the price: Those expecting to scale back budgets experienced an average of 68 security incidents in the past year - 70% more than the overall average of 40. That raises important questions about the hidden costs of cutting corners.

Risk Analysis: The Foundation of Smart Cyber Investment

Maximizing the impact of cybersecurity spending starts with a mature approach to risk analysis. By identifying the most significant threats to their specific environment, organizations can target investment toward preventative and response efforts that deliver meaningful protection.

Risk is a language the C-suite understands. Cybersecurity leaders can bridge the gap by highlighting high-level risk mitigation metrics that clearly demonstrate how security enables safe innovation and business transformation.

Collaboration with engineering and production teams is also key. Embedding security earlier in the development lifecycle - particularly through automation - can make protections more effective, less disruptive, and easier to scale.

The Cybersecurity Skills Gap: A Growing Threat in itself

Professional skill shortages continue to be a significant obstacle in cybersecurity, and the Nordic region is no exception. Nearly one-third (32%) of organizations cite a lack of the necessary expertise to address modern security threats. Compounding the issue, 46% acknowledge underinvestment in cybersecurity talent, both in terms of hiring and compensation. As a result, training and talent acquisition have become the top priority for 29% of organizations when looking at the coming twelve months.

The consequences of a cybersecurity talent shortage can be severe. Organizations not only become more vulnerable to cyberattacks, but also face longer response times and higher costs when incidents occur. These challenges place additional strain on existing teams and can hinder ongoing preventive efforts.

A significant contributor to the gap may be a misalignment between where companies are searching for talent and where qualified professionals actually reside. Over half (54%) of organizations in the Nordic region report that the talent pool lacks the specific skills they require, and only 11% say they are not facing significant issues in hiring for cybersecurity roles.

As many in the industry can attest, the development of security talent is not immediate. Turning recent graduates or entry-level hires into effective team members requires considerable time and effort. These individuals must not only acquire technical expertise with the organization’s tools and systems but also develop a nuanced understanding of internal workflows and company culture.

These challenges are expected to become more pronounced as organizations grow. Operating in larger, more complex environments adds pressure, particularly for less experienced hires. 16% of respondents identified “inexperience with large-scale technology infrastructures” as a significant barrier to success within security teams.

There are signs of improvement, though. Fastly’s head of sales in the region, Joakim Sundberg, points out: “Like many regions, the Nordics are currently facing a shortage of trained cybersecurity professionals. However, growing awareness is driving positive change. For example, Nordic military services have rolled out expanded programs to train the next generation of cybersecurity experts.”

Addressing these issues requires a deliberate and sustained focus on nurturing talent pipelines, investing in upskilling programs, and aligning recruitment strategies with actual organizational needs.

Alternatives to External Recruitment

Companies should direct their skill development efforts toward internal improvement, given the existing challenges. There are several options:

Upskilling. The existing workforce can learn new responsibilities because they already understand your company culture and have a basic understanding of your operational systems and processes.

Mentoring. Junior employees learn valuable skills through on-the-job training provided by experienced staff members, which helps them develop into successful professionals.

Cross-functional collaboration. Security teams that communicate better with IT, compliance, support, and product development teams will develop employees who understand security’s role within different organizational functions. The organization should consider implementing secondments within this framework. The ultimate goal should be to expand both skillset and responsibilities into non-security teams. The integration of security knowledge between product development teams enables them to implement secure-by-design principles during their development process.

Internal recruitment of staff who work across different functions provides multiple benefits. Such a practice demonstrates that every employee must contribute to security responsibilities. The initiative helps organizations advance their digital transformation goals. An integrated security culture supports the digital transformation process while addressing the security concerns of 40% of companies who believe their vulnerability to attack will rise during this period.

Mapping the shift in accountability

When a cyber incident happens who gets held responsible? Regulators now direct their accountability judgments to the chief information security officer (CISO). In October 2023, the USA-based SEC prosecuted not just SolarWinds but also its CISO, Timothy G. Brown, with fraud and internal control failures. Although most charges were later dismissed, the regulatory bodies have used new language to define the liability of CISOs explicitly.

An Empty Response to CISO Liability

Most organizations have implemented policy modifications to reflect the changing accountability structures, according to 94% of respondents. Numerous organizations implement changes that lack genuine substance. The most commonly implemented measure, which grants CISOs attendance rights at strategic discussions, stands as an unremarkable development (48%).

Some measures are defensive or box-ticking exercises. The 37% of organizations that plan “increased scrutiny of security disclosure documentation from supervisory agencies” are simply committing to rule compliance. The same proportion of organizations plan to provide legal defense to their cybersecurity employees for potential agency investigations. Among the surveyed group, only 21% of respondents stated that CISOs face legal obligations for cybersecurity standards.

“These security measures are nice, but little more than self-preservation”, says Fastly CISO Marshall Erwin. “Those aren’t actually improving your security posture.”

Who Does the Buck Stop With?

A major problem stems from an unclear distribution of cybersecurity incident responsibility among different parties. The organization lacks an explicit cybersecurity leader because multiple staff members at various levels demonstrate minor accountability responsibilities. According to the survey results, the CISO ranks second in accountability (19%), with security engineers taking first place (21%). Security managers come in third at 16%.

Some positive indicators exist. The increasing number of teams taking on cybersecurity accountability demonstrates that incident responsibility now extends past traditional security roles, which include application developers (12%), platform engineers (9%), and site reliability engineers (6%).

These theoretical results would create universal responsibility among all individuals. In practice, it means no one is. Only 32% of respondents clearly identify roles and responsibilities for cybersecurity. A lack of clear ultimate responsibility exists for nearly twothirds of organizations, since 46% experience unclear cybersecurity incident accountability. At the end of the day, someone needs to take responsibility.

Employees in the Cross Hairs

The entire organization needs to understand security as an organization-wide responsibility while providing employees with the authority to execute policy. Social engineering attacks stand as the most feared security threat for the upcoming year, according to 34% of respondents. The transition to hybrid work environments has created new security challenges because 67% of organizations expect their remote workers to become attack targets.

The majority of organizations (77%) confirm they properly explain cybersecurity compliance to their entire workforce. The approach appears successful because 72% of employees outside IT state their work affects cybersecurity, and 68% of staff members comply with cybersecurity rules. The main challenge stems from insufficient cybersecurity education, which 54% of the Nordic organizations face.

The ability to follow established rules depends on having sufficient resources to do so. The resources needed to support cybersecurity efforts are not available to more than one in four companies, according to 73% of organizations. Reporting procedures are not always clear. The majority of respondents (73%) confirm that incident reporting follows a straightforward process accessible to all staff, but non-IT employees lack confidence in identifying and responding to security threats (64%).

Choosing the Right Tools for a Shifting Landscape

Cybersecurity threats require continuous evolution, which demands corresponding updates to our defensive tools.

34% of the Nordics organization polled identify social engineering as their main security concern. The two major security threats include phishing as well as business email compromise and ransomware attacks (the latter being the second most feared threat at 23%).

Multiple security threats converge into an intricate environment, which complicates the situation further. The threat of account takeover identified by 24% of respondents originates from phishing attacks. Data exfiltration (a worry for 24% of people) is a common outcome of ransomware compromise.

The recent SolarWinds hack and Kaseya ransomware attack have led organizations to identify third-party compromise as a major security concern, according to 23% of respondents. More recently, third-party breaches exposed Amex credit cards, and UnitedHealth’s breach disabled major parts of the healthcare infrastructure.

Investing for Protection

The broad investment of organizations into protection measures includes strategic purchases of products and services aimed at countering threats. Organizations show positive investment trends toward contemporary authentication systems, which rank as the primary two investments at 32%. Identity and access management tools, together with multi-factor authentication, will help organizations fight against social engineering attacks that serve as the foundation for many other security threats.

The growing danger of API exploitation makes many organizations reconsider their security measures through API gateway security investments, which reached 29%. A total of 30% of organizations have purchased web application firewalls. The investment in WAF products exceeded the 24% of organizations that expressed concern about web application exploitation, yet these products serve as standard defensive measures against multiple attack types, including small DDoS events. Web application and API security solutions receive an average yearly investment of $1.58 million from organizations.

We were surprised to find DDoS investments in ninth place, at 31%, and bot mitigation near the bottom at 15%. Bots serve as primary instruments in credential stuffing attacks, which frequently lead to account takeover incidents.

The investment went toward incident response services to manage cybersecurity incidents. Risk transfer stands as one possible approach, which shares the top investment rank with modern authentication at 32%, along with cyber insurance. Organizations choose to prevent cyber threats and respond to incidents through managed security services companies, since 33% of respondents have adopted this approach.

Organizations that choose security outsourcing often work with multiple service providers, since 30% of all survey participants adopted this approach, while 29% placed their security response under a single external service provider. 14% of organizations choose to unite their security response activities under internal teams, while 22% split their security response activities between internal teams and external partners.

The Current Security Tools Remain Difficult to Integrate With Each Other

The use of duplicate tool sets creates difficulties for respondents. On average, organizations make use of 7.85 network and application security solutions, while the Nordic region stands out with 9.4 solutions. The 45% tool redundancy rate shows improvement from the 41% observed during the previous year.

Rewriting the Security Playbook: Centralized and Built-In from Day One

If there’s one key takeaway from our latest survey, it’s this: businesses are caught between escalating cyber threats and limited cybersecurity budgets. While 75% of those polled recognize cybersecurity as essential, half admit they still feel vulnerable due to underinvestment. Many plan to increase spending, but history shows that intent doesn’t always lead to action. A major hurdle? Justifying the cost to senior leadership, who often see greater value in directing those funds elsewhere.

The reliance on fragmented and overlapping tool sets exacerbates this problem because these cybersecurity franken-stacks are both expensive and complex to integrate and maintain. They are also a natural consequence of reactive cybersecurity strategies that evolve piecemeal over time to track a changing threat landscape.

Time for Security by Design

Organizations must innovate to tackle burgeoning security risks more efficiently while stopping costs and complexity from spiraling out of control. This demands a standard mechanism of identifying and mitigating threats that they can apply across the whole business.

Toolset consolidation is a key component of this mechanism, as it helps to reduce complexity and cost. It requires mature risk management, mapping tool functions to risks based on each risk’s impact and probability. This will vary based on factors such as sector and company size (see box: Thinking Vertically).

The other requirement is a set of universal principles for security, and the will to apply them in the development of everything from customer-facing products and services through to interrnal workflows. Applied from the design
stage onward, this will strengthen security from the inside out.

Implementing this security by design concept into software architecture is a priority for just 25% of our respondents, ranking sixth among other mitigations. That’s understandable, because it’s a cultural change as much as a technical one, and those are difficult to engineer.

We also face another problem: 36% of our respondents feel that cybersecurity is a waste of time and budget that would be better spent elsewhere. Those feeling that way are far more likely to decrease their cybersecurity investment (55%).

Lack of cybersecurity visibility among senior executives is a problem here, warns Erwin. “If your security program is effective, then you are mitigating a lot of risk and reducing the likelihood of compromise or incident. However, your leadership will not see that value directly,” he says.

This attitude will be more difficult to change, but mapping a direct line between cybersecurity investments and quantifiable risk-based outcomes is the first step.