Estonian Cyber - It’s here (but it should be bigger)


Estonia is one of the countries at the forefront of technology. The country votes online, allows you to digitally sign documents using your Government issued ID card, taxes are fully online, and even prescriptions are done electronically.

As a mentor at Startup Wise Guys as part of their great Cybersecurity accelerator programme, I’ve had the pleasure of being part of a number of startups helping them make an idea become a reality.

There is one thing however, that is quite remarkable though. Most of the companies that join this journey in Estonia are not actually from Estonia, they come from elsewhere in the world to use Estonia as a springboard.

Now, as I was drinking my Coffee this morning, I got tagged by a great friend on LinkedIn asking why this is the case, but I then immediately realised that this is going to be longer than a LinkedIn post. Hence this post.

The state of Cybersecurity

Of course cybersecurity is a challenge everywhere, but within the Estonian ecosystem, the problems and challenges that some people still take for granted elsewhere are less of a concern here. With two factor being the norm for most services, and authentication and authorisation being done from within existing, free Estonian Government backed services, there is a bit of a warped culture when it becomes to cybersecurity product creation.

Wait, what?

Let me explain. Over the years, I’ve had the pleasure of hearing a lot of cybersecurity pitches that are of an excellent calibre. However, for the most part, a lot of them come under the following second catergory.

Technically sound, socially impossible

A number of the products and ideas are designed and produced for the local Estonian or Baltic market - not Europe and the world, alike. It means the product or idea maybe excellent - but no one else needs it. This, in itself, is harmless for the most part, but it does end up with another interesting byproduct.


Figure 1. Cybersecurity in a nutshell

Disregarding the human aspects of cybersecurity problems and problems needing solutions elsewhere

I hear this more and more; in both my professional and personal life.

  1. “No one needs x because everyone has two factor”
  2. “This is so easy, anyone can do it”
  3. “Who on earth would fall for a dating scam?”
  4. “Anyone that falls for a COVID related finance scam is an idiot?”
  5. “Who on earth uses the same username and password for multiple accounts?” (Answer: most of you)

The people that fall for these types of attack are disregarded by Estonian cyber startups, mainly because the level of education within IT, both within the sector and within the general population, is of a high standard. The problem is, Estonia nor the Estonian marketplace should ever be the marketplace you are aiming for. The pool is too small, unless you intend to only remain a specialist provider as a small company. You need to think big. In addition, some of the security tools and practices that are more mainstream here are just not at an ease of use level that is acceptable for consumers whom are not IT experts.

And in the rest of the world, with the activation of lockdowns, these problems (that require innovative solutions) have skyrocketed. The ability to detect targeted spearphishing emails, facebook message scams, sms’s… the ability to help people communicate, work and play from home remotely in a secure fashion, and to work with their Government remotely by digital authentication, has never been needed so much. The market is booming with new players inventing solutions to these challenges, but the ecosystem here in Estonia, that should be rising at the same rate, just isn’t.

Lots of people are at home, they are scared about their futures, and lots of hackers are also bored. Stuck at home. Finding quick ways to get money.

What does this mean? It means that generally criminal groups have done a better job at market research than some cybersecurity startups.

The high quality of the security infrastructure of Estonia is actually (and only in this context is it a bad thing) getting in the way of actual innovation within the cyber sector for the startup scene from the grass roots level. More products and ideas are being formulated for problems that do not exist on the world stage, and problems that are seriously on the rise that need solutions, from countries do not have the security maturity of Estonia, are being disregarded.

In summary; we are ignoring the market where we need to sell because we know better. This isn’t smart.

So, what do we do about it?

Specialize, but not within IT security

More and more industries are now needing tools and advice that requires cybersecurity assistance. In the UK, the NCSC have just released cybersecurity information for Farmers. I’ve been heavily involved over the last few months (and also getting out the ol’ sea legs and giving them some practice) into the maritime cybersecurity sector.

Covid has happened, and that will have forever change the private and public sectors working practices. Some industries have been dragged, kicking and screaming, into the 21st century at breakneck speed.

These global specialist markets now need assistance. They need help. They don’t have your cyber experience. They might need your magic tool.

K.I.S.S (Keep It Simple Stupid)

Whatever product you make, if it isn’t simple, it isn’t a tool - it’s a challenge. And I think we can all agree we have all had enough of them in the last year and a half.

Know what is happening locally, but aim globally

Don’t stay in your bubble. There are certain things that will sell, and certain things that just won’t.

Let’s take the UK, for example, with the ID card. I completely agree, as an avivd user of the Estonian ID card system, it’s an amazing system and makes my life easier. However, trying to sell that to the UK Government, and its population would be a complete meltdown. We tried the ID card idea back in 2008. Why did it fail? The problem is the only place in the UK that has ever had it implemented previously was the Channel Islands. By the Nazi’s. The project was torpedoed immediately, and polling still suggests this will not happen anytime soon. However, utilising a similar system that is purely digital, that might have merit.

We need to take the ideas and knowledge from Estonia, and tailor for Global markets. We do not need to ‘cut and paste’. It won’t work


We have the expertise. We have the ecosystem. We now need to seriously look at what the market wants, not what we think they need. We also have to stop looking at how our life is in Estonia and we have to stop treating this as the norm. It really, really isn’t. And I’m saying that as I look over my desk, and see a lovely ten page document I have to fax over to the UK on monday morning, as they required a signature…