Old and New Elements of Cybersecurity

The current cybersecurity landscape has forced us to learn how to cope with surrounding cyber threats. By assisting our clients and international law firms in large and complex data breach incidents, we have learned the pain points and relieving factors in the data breaches of today. Based on our experience of 2022, the busiest data breach year ever, we predict that risks and malicious cyber attacks will continue to increase. Our team has compiled our key takeaways into five categories of the old and new elements of cybersecurity.

Technical core elements

Cybercriminals often target the “low-hanging fruit”. In order to secure employees, customers, services and business partners, as well as the whole business and its continuity, it is necessary to build a strong technical cyber shield in one’s IT systems and environments. Therefore, organisations need to be familiar with the possible threats, available best practices and requirements of law whenever IT systems, products and services are sourced and upgraded. We need to think ahead – cybersecurity must be maintained throughout the whole lifecycle of the system, product and service, and beyond. This entails updating, monitoring and assessing the security levels as well as applying sufficient and sustainable contractual terms in technology agreements.

Collaboration

Even the best available cyber team cannot secure the whole organisation without teamwork. Large data breaches often commence with email attacks, like phishing, which are sometimes difficult to spot among the email floods. Malicious attackers often target members that are considered either the most vulnerable, such as new employees who have not yet learned the ropes, or the most influential, such as members of the management team. Collaboration and shared responsibility form one of the key elements in protecting the organisation. This means that all members of the organisation, as well as external partners, need to collaborate in a responsible manner towards the common goal. The privacy and security functions, together with all the legal counsels of the organisation, have a pivotal role to play in this continuous preventive work, which entails a vast field of different tasks from sourcing procedures and internal policies to third party agreements and data protection impact assessments.

Training

A certain level of training must be provided to all members of the organisation. Everyone should be familiar with the risks that are relevant in their area of responsibilities. In addition to the cyber threats, organisations need to be familiar with the relevant legal requirements stemming from data protection and cybersecurity legislation, including sector-specific legislation. Consequences and risks increase if a data breach incident reveals that mandatory legal requirements have been disregarded. In most cases, the management of the organisation bears the responsibility for compliance with the applicable legal requirements.

Planning

Cybersecurity entails thinking ahead, constantly. According to the leading Finnish cybersecurity experts, data breaches will occur in all organisations sooner or later. It is vital to have an extensive plan for recovery measures as well, including mapping and contacting necessary external advisors from areas of technical consultancy and legal advice. Typically, organisations face an unexpected situation when the data breach notification must be filed with the competent data protection supervisory authority or authorities within 72 hours of becoming aware of the breach. Even though the notification can be filed as preliminary and completed later, the list of requested information for the initial notification is quite extensive. Sometimes, the notification must be filed in several countries by following varying local filing procedures. Our existing international networks of law firms and other experts cover all jurisdictions globally and ensure the possibility to fulfil these obligations within the set time requirements.

Caring

Cyber risks and their actualisation cause distress to organisations and their people and customers. A data breach that involves personal data of individuals may be a devastating shock to the involved data subjects. During incident management, when some of the internal resources need to be reallocated to support the organisation and the affected individuals, external advisors may be helpful in reducing the distress. Managing cyber risks is not only protecting the business, but also taking care of the people, their security and wellbeing.
