Cyber risk management among tax and customs officials: the pilot study in Estonia

Abstract

Purpose The aim of this pilot study is to identify the cybersecurity knowledge and attitudes of alumni of the Estonian Academy of Security Sciences Financial College who are currently working in the Estonian Tax and Customs Board (hereinafter MTA) as public officials. The work deals with cybersecurity in the public sector, focusing on MTA employees who come into contact with sensitive data on a daily basis. Cybersecurity is an increasingly important topic in society and, more specifically, in government institutions. Design/methodology/approach The survey examines both general awareness of cybersecurity and awareness of various MTA procedures and rules and guidelines that should prevent and mitigate cyber risks in the organisation. Although it was a convenience sample used, the results of the study provide an initial opportunity to generalise the data obtained to all MTA employees. Findings The results showed that the main development needs concern training quality, understanding of internal mechanisms and adherence to risk management procedures. Improvements are required in managing access rights, providing clearer instructions and offering regular, practical training. As a result, employers will receive input and recommendations for very practical recommendations for improving MTA’s cybersecurity. Practical implications The study provides specific recommendations for the MTA, including updating training programmes with practical scenarios, strengthening information security competence among managers, involving front-line officials in security policy development and enhancing supervision and internal controls. The document underscores the critical role of the MTA as a manager of sensitive personal and tax data, implying that improved cybersecurity directly contributes to protecting citizens’ privacy and financial security and maintaining public trust in state institutions and e-services. Originality/value To the best of the authors’ knowledge, the cybersecurity and cyber hygiene knowledge of tax and customs officials has not been studied in academic research in Estonia. Researching the topic, it revealed that it has been little studied elsewhere in the world. The probable reason shows significant uncertainty in the information security management of tax and customs authorities.