21.05 2025

Reflections from the Field - A Red Team’s Perspective on Cybersecurity in Estonia

Over the past several years, our red team has conducted extensive offensive security assessments across a wide range of entities within the country. As a red team with a focus on network penetration testing, exploit development, phishing, and adversary simulation, we have walked the halls of government facilities, sat in server rooms of critical infrastructure providers, and quietly tested the digital doors of organizations both public and private. From government ministries to water plants, hospitals, airports, and telecom providers—we’ve seen what works, what doesn’t, and what could use improvement.
We’ve consistently been able to reach full compromise across many of our engagements. Not because the defenders weren’t trying, but because the attack surface was broad and often undermined by systemic weaknesses. These weaknesses haven’t been isolated to just one area. In some cases, they were technical—like misconfigured systems or poorly secured devices. In others, they were procedural—gaps between departments, unclear security ownership, or blind spots in incident response. Every assessment told a different story, but most ended the same way: we got in, moved laterally, escalated privileges, and simulated realistic adversary behavior.

These engagements have given us not only technical insight into the infrastructures we’ve tested but also a deeper understanding of the cultural, organizational, and strategic factors that affect cybersecurity outcomes. This article reflects our collective experiences as practitioners, meant to inform, and to share lessons learned with a tone of partnership and encouragement. From our fieldwork, five recurring themes have emerged that may help explain the current state of cybersecurity in the country, and more importantly, where it might be headed.

The IT–Security Misconception

There is a growing enthusiasm for technology in Estonia, particularly among the younger generation. Over the past five years, the messaging has been clear: “study IT, it’s stable, it’s the future.” However, we continue to encounter a common misconception—that IT and cybersecurity are one and the same. While they often collaborate and may share infrastructure, the skills, responsibilities, and focus areas are vastly different. IT keeps the lights on; cybersecurity ensures the lights don’t betray you to an adversary.

Many organizations still assign security responsibilities to IT teams, not out of strategy, but out of necessity or resource constraints. And in doing so, security often takes a back seat to functionality. We've seen devices left exposed, logs unreviewed, and alerting mechanisms misconfigured or absent. We often bypass security controls not because they’re weak—but because they're simply not there. A cultural shift is needed to separate the disciplines in strategy, staffing, and budget.

Legacy Thinking in Leadership

Estonia has come a long way since its Soviet past. It’s now seen as a regional leader in innovation and digital infrastructure. Yet, in some organizations, we’ve encountered decision-making bottlenecks that stem from a more rigid, outdated style of leadership. Senior leaders—many of whom come from a different era—often retain authority without adapting to the changing threat landscape. Decisions about digital transformation or security controls are sometimes made based on knowledge that’s decades old, rather than current best practices. In cultures where questioning leadership is discouraged, these outdated views become policy.

By contrast, organizations with younger, internationally experienced leadership tend to be more agile, security-aware, and prepared for modern threats. They’re often among the most secure entities we’ve encountered. Elevating new leadership and refreshing institutional knowledge can expedite a national shift in cyber resilience.

Talent Shortage and Role Overlap

Despite the growing interest in cybersecurity, there remains a significant talent shortage in the field. What we often see is that IT teams are expected to handle both day-to-day operations and security responsibilities. That’s a heavy ask—and it means things get missed. In many cases, security tools either aren’t in place at all, or they’re not set up properly. This usually isn’t because people don’t care; it’s because they don’t have the time, or the know-how, or both.

When IT teams are stretched thin, functionality naturally takes priority—keeping systems running becomes the main goal, and security gets pushed to the side. As a result, very few organizations have dedicated security personnel. Advanced capabilities like threat hunting, incident response, and digital forensics are often minimal or nonexistent.

Estonia’s technical infrastructure is mature. It’s a developed country with vibrant industry and production. But securing this infrastructure—especially in sectors like energy, manufacturing, and transport—requires not just more people, but more specialization.

The Supply Chain is the New Frontline

Even when an organization is secure, its environment may not be. We’ve seen advanced cloud implementations and well-managed internal networks compromised because of weak links in physical security, building management, or third-party service providers. Cybersecurity can no longer be confined to one department or one organization—it must be viewed holistically. The maturity of one system is only as strong as the weakest partner it connects to.

This is especially important in a country with critical systems that are often interconnected and in sectors where outsourcing and vendor relationships are common. A secure bank can still be at risk if the outsourced IT vendor managing their building’s Wi-Fi doesn't follow best practices.
Whether it’s the supply chain, physical facilities, or managed service providers, a comprehensive approach is required. We recommend considering national standards or regulations that enforce baseline security not only in critical infrastructure and financial institutions but also across all third-party vendors who connect into core systems.

Culture, Personality, and the Human Element

Perhaps the most nuanced but impactful observation we’ve made is about personality and culture. Cybersecurity is inherently confrontational. It requires people who can challenge assumptions, raise difficult questions, and push for change. In Estonia, we’ve seen a cultural tendency toward modesty and avoidance of conflict—traits that are often strengths in many areas of life. But in cybersecurity, this can lead to hesitancy, a reluctance to push back, and a preference for quiet compliance.
Convincing leadership to act on findings, allocate budget, or adopt stricter controls often becomes a diplomatic challenge rather than a strategic dialogue. Cybersecurity requires an assertiveness—a willingness to confront risk and fight for prioritization—that doesn’t always align with the local temperament.

That’s not to say the talent isn’t there—it is—but the cultural tendencies sometimes slow the pace of change. Culture shapes how organizations behave under pressure. While these traits create polite and respectful working environments, they can impede cybersecurity progress—particularly when security advocates must challenge business decisions or push for inconvenient changes.
Supplementing teams with professionals who possess that drive, even if they come from abroad, can be a temporary bridge while building domestic capacity.

Final Thoughts

There’s a lot to be optimistic about in Estonia’s cybersecurity future. The country has an impressive pool of technical talent, a robust digital infrastructure, and a maturing understanding of the importance of resilience. In several sectors—especially within government, financial services, and forward-leaning private enterprises—we’ve already seen examples of world-class cybersecurity practices. These organizations demonstrate what’s possible when leadership, strategy, and skilled execution align.

But across the broader landscape, progress won’t come from technology alone. It requires structural investment in people, policy, and process. Security must be embedded as a strategic function—not treated as an IT add-on. That means cultivating leadership that understands and prioritizes cyber risk, building specialized roles beyond generalist IT, and encouraging a culture where security advocacy is welcomed, not silenced.

From our years of testing and defending real-world systems in Estonia, we’ve seen firsthand both the incredible potential and the systemic gaps. Many of the issues aren’t due to negligence—they’re rooted in overstretched teams, limited specialization, and cultural dynamics. These are solvable problems, but they require attention.

To truly lead in this space, Estonia must focus on three key areas:

  • Talent development, with targeted investment in threat detection, incident response, and forensic expertise - functions that are currently underrepresented.
  • Cultural shifts, where security is not only accepted but expected as a business-critical voice.
  • External collaboration, whether it’s teaming up with international experts who’ve seen different threat landscapes or simply getting local industries talking to each other to share what’s working (and what’s not). A bit more openness and collaboration can go a long way in building stronger defenses.

Cybersecurity is no longer just about keeping attackers out—it’s about creating an environment where security enables growth, protects innovation, and builds trust. Estonia has everything it needs to lead not just regionally, but globally. The question now is whether the right steps will be taken to unlock that potential.

KPMG Baltics OÜ

+372 626 8700
cyber@kpmg.ee
Ahtri 4, 10151 Tallinn, Estonia