Finnish government launches information security voucher scheme

Finland’s government is offering businesses financial support to help them improve their cyber security

Finland has launched a voucher-based scheme to help companies embrace best practice systems to reinforce their IT network and information security defences.

The Information Security Voucher (ISV) scheme was rolled out on 12 December by the Ministry of Transport and Communications (MTC) in collaboration with the National Cyber Security Centre (NCSC).

The scheme offers fixed-term support that can be used by enterprises, in particular small to-medium-sized enterprises (SMEs), to upgrade their IT networks and information security capabilities using capital investments to boost in-house expertise. Specifically, the scheme aims to financially support efforts by SMEs to enhance both cyber security preparedness and capabilities to protect IT networks and systems against hybrid and other cyber threats.

“Ensuring that enterprises have access to a high standard of cyber security plays an important role in improving overall security in society,” said Timo Harakkaa, Finland’s transport and communications minister. “The voucher system is a new and significant tool for businesses of all sizes. We view this initiative as Finland leading by example for other European Union member states to follow.”

The ISV scheme is intended to raise the general standard of cyber security preparedness among SMEs in sectors identified as being “critical” to the functioning of Finnish society. At its core, the scheme aims to help SMEs build in-house network security capabilities to offer better protection against hybrid threats.

MTC’s fixed-term ISV support scheme offers two categories of voucher. The first offers a voucher worth €15,000, and the second category is intended for larger enterprises and carries a maximum value of €100,000.

The Category A ISV, worth €15,000, is tailored for SMEs and can be applied to a wide range of funding uses, including the auditing and evaluation of information systems, the in-house training of personnel and competence development. It is open to enterprises with up to 250 employees, an annual turnover of €50m, or a balance sheet total of up to €43m. 

The Category B ISV is targeted at medium to large enterprises that have reached a more advanced stage in cyber defence. The €100,000 ISV is designed to bolster IT network and information security capabilities while also enabling companies to fund threat modelling and testing cyber attack prevention tools and methods.

Based on the MTC’s ISV operating model, Finnish companies can use a voucher to cover up to 70% of the total capital cost of information security projects. The operating model requires companies to meet the other 30% of the project’s capital cost. The total funding cost of the ISV scheme has been written into the MTC’s budget for 2022-2023.

The MTC is adopting strict criteria in its approach to issuing ISVs, especially in respect of regulating companies that can apply for the vouchers. The scheme is restricted to enterprises that are considered “critical to the functioning of society” and that operate in sectors including IT, food and energy supply, financial services, defence materials, chemicals, water and waste management, logistics, news media, forestry, the construction industry and healthcare.

Competence-based cyber defence offers the best long-term solution to protect Finnish enterprises from cyber threats, said Sauli Pahlman, the NCSC’s deputy director-general.

The NCSC, which operates under the direction of the Finnish Transport and Communications Agency (Traficom), estimates that more than 10,000 denial-of-service (DoS) attacks were made against the websites and online services of organisations in Finland in 2021.

DoS attacks, and blocking efforts, are a growing threat and a daily challenge for businesses in Finland, said Pahlman.

Read more about Finland’s government tech initiatives

“It is important that enterprises build in-house competence to protect their operations from cyber attacks,” he said. “Denial-of-service attacks, which are among the most common threats that enterprises face in Finland, are activities that we consider to be located in the grey zone between cyber and information influence. Based on our experience, the action of a DoS is intended to send a message rather than cause real long-term damage.”

The NCSC is running a number of initiatives alongside the ISV scheme, including a programme of joint desktop cyber exercises involving companies from designated critical sectors, such as financial services. The initiative is tailored to create an information exchange system that comprises tutoring, mentoring and best practice, as well as setting out the roles of the relevant Finnish authorities that are tasked with defending against, and responding to, cyber disruptions.

The NCSC established an Information Sharing and Analysis Centre (ISAC) in 2020 to support enterprises operating in the 10 designated critical sectors. These sectors are represented within the centre by information exchange groups, which function as cyber security cooperation bodies for individual industries.

The role of the NCSC makes it possible to improve the mutual preparedness and communication of ISAC-mentored industries through intensive cyber training, said Jussi Leskinen, who leads the financial sector team at ISAC.

“The value of training cannot be overstated,” he said. “It provides the opportunity to trial new processes and test the functionality of old solutions in new scenarios. The work carried out in ISAC’s joint exercises is done collectively. This increases the learning value and makes it even more effective.”

The scope and solutions-development role of ISAC was expanded by the NCSC in 2022 to make it more sharply focused on delivering a user-friendly and easy-to-access training model that could reach organisations at different skill levels in cyber threat management competence.

Leskinen added: “The ISAC is an ideal meeting point to exchange experience and best practices. It is a forum where IT and network security professionals get to know each other and become more confident about sharing mistakes made and lessons learned from cyber attack situations. We get to hear from companies that may have gone through a cyber threat experience that others have yet to face.”

The ISV scheme is the latest in a series of high-profile initiatives by the Finnish government to help strengthen the information security systems employed by indigenous enterprises, while simultaneously accelerating the digitisation and artificial intelligence (AI) capacities of these same businesses.

In October, the government received the final report for the Artificial Intelligence 4.0 programme. This will provide a roadmap for new AI and digital measures in 2023-24, setting out the key areas for development, as well as the objectives and initiatives to enable Finland to achieve new targets in digital and green transitions.

The digital transformation ambitions embedded in the AIP 4.0 programme form part of the Finnish government’s broader Digital Compass Project, which presents a national strategic digital roadmap through to 2030. The roadmap will form the basis for future government policies to drive Finland’s digital transformation and offer strategic direction to linked national development works.

Read more on IT risk management