Planning the great escape: Firstbeat’s new cloud-based contingency plan to better protect customer privacy

Firstbeat Technologies

Working in partnership with NordHero, Firstbeat Technologies has just completed a full cybersecurity upgrade project on schedule, with better-than-expected outcomes and its own digital escape plan.

Setting up a full-scale plan for disaster recovery was one of the key technical achievements of the project. Now, if there’s ever a major issue, like a cyberattack or even something as extreme as war or natural disaster, Firstbeat has the ability to move everything to a different AWS region, essentially another country, with minimal or no disruption.

“It’s like packing up and moving your whole operation across the border, but without the baggage,” jokes Jermu Mäkinen, Operations Officer, Firstbeat Technologies. “We will still stay in the AWS Cloud, but now have the added flexibility to relocate our environment to another region if needed.”

The core driver for the project came from rising customer demands around privacy. New regulations, such as the EU’s General Data Protection Regulation (GDPR), which focuses on risks related to data breaches and the unauthorized use of personal data, and the Corporate Sustainability Reporting Directive (CSRD), which imposes stricter guidelines on data privacy and security, have both played a role. These regulations, along with a recent spate of high-profile data breaches and ransomware attacks around the world, have pushed privacy issues to the forefront.

“We’re seeing more and more malicious groups targeting companies, exploiting vulnerabilities to gain control over their data, and then demanding ransoms,” says Teemu Niiranen, who led the cybersecurity upgrade from the NordHero side. “Even in Finland, we’ve seen cases where companies were locked out of their own systems. It’s a global threat now.”

Raising the bar on privacy

Firstbeat is the leading provider of physiological analytics, offering cutting-edge solutions for both professional sports and wellness coaching. The company’s two core products are Firstbeat Life, which delivers personalized stress and well-being insights for various types of health and wellness services and employee wellness programs, and Firstbeat Sports, an elite performance management platform that helps coaches optimize training, recovery, and overall performance for athletes.

According to Mäkinen, over the past five years, Firstbeat’s clients have become increasingly aware of cybersecurity issues, leading to heightened requirements for vendors like Firstbeat, who now face more frequent audits and detailed security questionnaires before clients will make any purchasing or partnership decisions.

“As our customers have become more cybersecurity-conscious, their expectations for vendors have grown,” Mäkinen says. “This project was a way to meet, and even exceed, these expectations, especially focusing on strengthening our disaster recovery processes, which is a critical requirement in today’s security environment.”

Staying ahead of cyber threats

The three-month project, which kicked off in May, laid out two main goals: The first was to enhance Firstbeat’s disaster recovery capabilities. This involved strengthening the system’s resilience so that, in the event of a significant incident, the company could quickly recover and minimize disruption.

The second goal was to strengthen Firstbeat’s overall security posture. “That means improving the company’s visibility and control over cybersecurity aspects, so they can get a clearer understanding of their current security status and prioritize further improvements,” explains Niiranen. This was to ensure that Firstbeat is not only prepared for unexpected incidents but also continuously refining its security measures to address new and emerging threats.

Challenges along the way

While the team hit all the classic milestones – planning, implementation, testing, and finalizing the documentation – the biggest challenges came during the handoff between implementation and testing. For example, a key hurdle came up during disaster recovery testing, when the solution was deployed to a new AWS account and region. The existing infrastructure and code hadn’t been fully prepared for such a move, leading to several necessary tweaks in both the source code and configuration settings to ensure the solution could run smoothly across different account and region combinations.

“The testing phase is where things always get interesting,” says Niiranen. “We had a solid plan, but the adjustments we had to make were crucial to ensure seamless performance in any AWS environment.” And even though the technical details got pretty complex, the goal was always simple: to be able to protect Firstbeat’s client data no matter what.

“That’s why the disaster recovery plan we put together is so important,” Mäkinen affirms. “It’s something we can’t fully explain to every client in technical terms, but we can present them with a top-level version that shows we’re ready for anything.”

TOTP for stronger authentication

During the upgrade, the team initially planned to roll out a pilot implementation for multifactor authentication (MFA). The goal was to enhance security by adding a secondary layer of protection beyond the traditional SMS-based authentication. “In today’s systems, passwords alone aren’t enough. You need a secondary code, often sent via SMS,” Mäkinen explains.

The upgrade brought in time-based one-time passwords (TOTP) as an alternative, solving a significant challenge faced in regions where SMS messages are unreliable, often due to local telecom restrictions. TOTP generates a 6-digit code through an app, ensuring users have secure access even when QR codes or SMS aren’t viable.

“We got more than we expected from this phase,” Mäkinen recalls. “By implementing TOTP, we were able to offer a more secure and flexible authentication method, bypassing the pilot phase and going straight to market.”

Now, in countries where SMS services are difficult to access, Firstbeat will be able to offer TOTP-based authentication as a secure alternative. “This is going to be a huge benefit for us,” Mäkinen adds.

The project has just wrapped up, and customer feedback is encouraging. “I know a lot of our clients have been waiting for this kind of proof, and they’ve been really supportive throughout the whole process,” Mäkinen says. “It’s a win for their business and ours.”
