To promote digital security for businesses and organizations, we must do what is necessary to close the gap in security maturity among businesses. This requires concrete support measures, writes Johan Malmliden, President and CEO Omegapoint.

Security vulnerabilities in small and medium-sized businesses

In an uncertain time of war in Europe and the Middle East, where organized cyber warfare has become increasingly common, Sweden cannot afford to stand idly by, writes Johan Malmliden, President and CEO Omegapoint.

New figures from the Swedish Security Index 2025, as the IT security company Omegapoint released in February, reveals significant security gaps in small and medium-sized Swedish companies. 59 percent lack a functioning supplier management policy and 41 percent rely on external certifications to manage security risks in their suppliers. In an era of cyber warfare, where smaller and specialized IT companies play a key role in businesses' supply chains, we must now take a holistic approach with the resilience of the entire chain in focus.

Advertisement

Threats to digital supply chains

Companies' outsourcing and widespread reliance on subcontractors today create long and complex supply chains. According to MSB's report Threats to digital supply chains This applies in particular to information flows, soft– and hardware and digital services. Subcontracting and increased specialization among IT suppliers have created a landscape that MSB describes as “a web of niche players” – where different IT companies contribute unique expertise that creates potentially dangerous dependencies.

If your business procures an IT system today, you can expect a number of suppliers with specialized expertise to have designed the various parts of the system. If one of these players, for example a smaller supplier with limited resources and inadequate security procedures, is exposed to a cyber attack, it could mean a total IT collapse throughout the entire supply chain.

The Solarwinds Hack 2020 is a frightening example. There, a threat actor managed to place malicious code in the American IT company Solarwinds monitoring tool Orion. As a result, up to 18,000 of its users, including several US government agencies and large companies, risked having their digital networks destroyed when they downloaded a software update containing malicious code.

At home in Sweden We saw a similar one. incident at Tietoevry last yearThe IT provider, which handles sensitive data and digital services for a number of Swedish businesses, was hit by a ransomware attack that resulted in several outages and potential data leaks for their clients, including Rusta, Filmstaden, Region Uppsala and Systembolaget.

The security maturity gap between small and large companies

The vulnerability risk with digital supply chains is therefore not a new problem. The fact that supply chains become long and complex can be argued to be a necessary evil, with the modern economy promoting specialization and outsourcing. However, what we see in Swedish Safety Index 2025 is that the difference in security maturity between small and large players is becoming increasingly noticeable. Larger companies have the resources to audit their suppliers, set requirements and implement secure routines.

Smaller companies, with limited budgets and expertise, often have to rely on certifications – which may be insufficient. The Swedish Safety Index 2025 shows that 41 percent of SMEs business lean toward certifications to manage third-party risks, compared to 30 percent among larger companies. The gap between these groups is growing, creating significant differences in supply chain security protection.

The need for a holistic approach to cybersecurity

Threat actors are aware of this. By attacking a small player in the supply chain, they gain access to larger operations a few steps further down the chain. The result is that small companies are forced to defend themselves against threats that are actually directed at their customers or clients. This is not sustainable. We must therefore stop seeing security work as isolated to our own operations and instead start considering the resilience of the entire supply chain as crucial.

With the Security Protection Act and the upcoming Cybersecurity Act Sweden has taken important steps in the right direction. These regulations can be a driving force for improvement, but only if they are implemented and followed up correctly. To improve security in practice, a holistic strategy is required, where every part of the supply chain can be reviewed and secured. To ensure that even the smallest IT suppliers in the chain meet security requirements, the following is needed:

• Companies and organizations must set clear requirements when purchasing IT services, and do your own due diligence when choosing suppliers.
• Authorities and larger companies need to ensure that smaller suppliers receive the guidance and resources they need to build their security routines.

In an uncertain time of war in Europe and the Middle East, where organized cyber warfare has become increasingly common, Sweden cannot afford to stand idly by. To promote digital security for business As individuals and organizations, we must do what is necessary to close the security maturity gap among companies. This requires concrete support measures.

The alternative is to continue playing Russian roulette with Sweden's cyber security. The question is: can we afford to take that risk?