When you read about doping in the media, you hardly think that exposing cheaters makes doping hunters a target for cyber attacks.
At Anti-Doping Norway, the concept of the "threat picture" is high on the agenda and the level of security has been raised. In sports, there are strong, dark forces that are willing to go to great lengths to influence anti-doping work.
- We became aware that there were real threats against us at the beginning of 2020. We have been a clear voice internationally in connection with the doping case that has affected Russian sports. In this context, there have also been hacking attacks on anti-doping organizations, and in that sense this was not very surprising.
So says Mona Kristiansen of Anti-Doping Norway. She is the department head for the administration, and thus has the overall responsibility for ensuring that the IT solutions are secure. When they became aware of the threat picture, it was already known that the Norwegian Ski Association had been contacted by PST due to digital vulnerabilities, and that the ski association had encouraged employees to raise awareness about computer security.
Mona Kristiansen, head of department for the administration in Anti-Doping Norway.
- We have always been aware of computer security, since we have a lot of sensitive information. There is health information, intelligence information and investigative documentation. We were aware that we could be exposed, but not that it was so precarious, she says.
- Sports in Russia are enormously important, and after what was rolled up in Russia, voices there have defended themselves, and tried to clear themselves, by attacking others, for example through hacking.
Detached from the IT solutions of the Sports Association
Anti-Doping Norway is an independent organization, independent of sports. In 2019, they also broke away from the Norwegian Sports Confederation's IT solutions, and then established new and secure cloud solutions based on Microsoft 365, in collaboration with Braathe Gruppen.
- We provide a Microsoft 365 cloud service with the most advanced security features baked into the E5 license. In addition, we provide security advice on this, and have an end-to-end responsibility where we deliver fiber access, monitor network equipment, and deliver VPN, PC and client equipment and printers, says Tom Erik Wang, senior sales consultant.
Tom Erik Wang, senior sales consultant in Braathe Gruppen.
In practice, this means that we are Anti-Doping Norway's IT department, and in the wake of the meeting with PST, processes were initiated to further raise IT security.
- We have consultants who come in monthly and audit the security. We consider all new security functionality in Microsoft 365, and recommend that Anti-Doping Norway turn on or evaluate new security functionality, says Wang.
Together with the report, we review the Microsoft Security Score, which shows how Anti-Doping Norway compares with comparable companies.
- We get to know what the threat picture looks like at any given time, and whether there have been any attempts at attack. Microsoft is coming up with new things all the time, and Braathe Gruppen gives advice on what extra security measures we should put in place to increase this score, says Kristiansen.
Threats from foreign powers and the corona
During the unusual year of 2020, a lot of work has been done on security in Anti-Doping Norway: first to meet threats from foreign powers, and then to solve the tasks from the home office in an equally secure way. A lot of it is about raising awareness among employees and creating a security culture. Among other things, we have helped with the implementation of two phishing tests, where the results have been reviewed at general meetings, on Teams of course.
- We have focused on the PCs, and we have focused on the users and training, for example that they should turn off the PCs every day to get the latest updates, and never log on to unsafe networks. Now we also have fleet management on the mobile phones, so we can be sure that they are up to date, says Kristiansen.
- Then we have added Conditional Access, which is a security feature in the Microsoft cloud which means that if you are not in the office, you will always be asked for two-factor authentication, Wang adds.
All new employees starting at Anti-Doping Norway must sign a security instruction for IT. We are now drawing up new security instructions and looking at what is to be required of each individual employee.
- It covers everything from password policy and classification of documents with Azure Information Protection, to social media. Braathe Gruppen have become very well acquainted with our business and how we work, and it is reassuring that they have spent so much time with us and been so close to us, says Kristiansen.
She says that the work of establishing their own, cloud-based IT solutions in 2019 has made them well equipped for the challenges that came over the past year. The fact that Anti-Doping Norway is a small organization, and that they have had a professional IT supplier on the team, has provided a flexibility that allowed Microsoft 365 to be implemented quickly.
- When the corona hit us, it was a huge advantage that everyone was well acquainted with the Microsoft 365 solution and working in Teams. We do a lot of lecturing, and we now do that on Teams.
- I sit in an international group consisting of eight countries' national anti-doping organizations. Braathe Gruppen has helped there too, and is familiar with what is happening there. Braathe helps to implement what is recommended in the group, concludes a clearly satisfied Kristiansen.