To strengthen digital security for companies and organizations, we must take decisive action to close the gap in security maturity between businesses. Concrete support measures are needed to achieve this, writes Johan Malmliden, CEO and Group President of Omegapoint.
Security weaknesses among small and medium-sized enterprises
In an uncertain era, with conflicts in Europe and the Middle East and a rising prevalence of organized cyber warfare, Sweden cannot remain passive, writes Johan Malmliden, CEO and Group President of Omegapoint.
New figures from the Swedish Security Index 2025, published by cybersecurity company Omegapoint in February, reveal significant security gaps among small and medium-sized Swedish businesses. Fifty-nine percent lack an effective supplier management policy, and 41 percent rely on external certifications to manage supplier security risks. In a time when cyber warfare increasingly targets supply chains and smaller, specialized IT companies play key roles in organizations’ delivery chains, we must adopt a comprehensive approach focused on resilience across the entire chain.
Threats to digital supply chains
Outsourcing and heavy reliance on subcontractors have created long, complex supply chains. According to the Swedish Civil Contingencies Agency (MSB) report “Threats to Digital Supply Chains,” this especially affects information flows, software and hardware, and digital services. Subcontracting and increased specialization among IT suppliers have produced what MSB describes as “a web of niche actors,” where different IT firms provide unique expertise that can create dangerous dependencies.
If your organization today procures an IT system, you can expect that a number of specialized suppliers have designed its various components. Should one of these actors—perhaps a smaller supplier with limited resources and weak security routines—fall victim to a cyberattack, it could trigger a complete IT collapse across the supply chain.
The SolarWinds hack of 2020 is a chilling example. An attacker succeeded in inserting malicious code into the American IT firm SolarWinds’ Orion monitoring tool. As a result, as many as 18,000 users, including several U.S. government agencies and large corporations, were at risk of having their digital networks compromised when they downloaded an infected software update.
In Sweden we saw a similar incident last year at Tietoevry. The IT supplier, which handles sensitive data and digital services for numerous Swedish organizations, suffered a ransomware attack that caused multiple outages and potential data leaks for its customers, including Rusta, Filmstaden, Region Uppsala, and Systembolaget.
The gap in security maturity between small and large companies
The vulnerability posed by digital supply chains is not new. The emergence of long and complex chains is to some extent an inevitable consequence of a modern economy that encourages specialization and outsourcing. What the Swedish Security Index 2025 shows, however, is that the gap in security maturity between small and large players is widening. Larger firms have the resources to audit suppliers, set requirements, and implement secure processes.
Smaller companies, with limited budgets and expertise, often must rely on certifications—an approach that can be insufficient. The Swedish Security Index 2025 indicates that 41 percent of small and medium-sized companies lean on certifications to handle third-party risk, compared with 30 percent among larger companies. This growing divide produces significant differences in the level of protection across the supply chain.
The need for a holistic cybersecurity strategy
Threat actors are aware of these dynamics. By attacking a small actor in the supply chain, they can gain access to much larger organizations several steps removed. As a result, small companies are forced to defend themselves against threats actually aimed at their customers. This situation is unsustainable. We must stop treating security as an isolated, internal matter and instead regard the resilience of the entire supply chain as critical.
With the Security Protection Act and the forthcoming Cybersecurity Act, Sweden has taken important steps in the right direction. These regulatory frameworks can drive improvement, but only if they are properly implemented and enforced. Improving security in practice requires a comprehensive strategy that allows every part of the supply chain to be audited and secured. To ensure even the smallest IT suppliers meet security requirements, the following actions are necessary:
- Organizations must set clear requirements when procuring IT services and conduct their own due diligence when selecting suppliers.
- Authorities and larger companies need to ensure that smaller suppliers receive the guidance and resources required to establish robust security routines.
In a tense global environment, with conflicts in Europe and the Middle East and an increase in organized cyber warfare, Sweden cannot afford to stand by. To promote digital security for companies and organizations, we must take the measures necessary to close the gap in security maturity among businesses. Concrete support initiatives are required to achieve this.
The alternative is to continue playing Russian roulette with Sweden’s IT security. The question is: can we afford that risk?