A data breach is the nightmare of every company. The idea that someone can steal your company’s and customers’ data, prevent you from accessing the data, or send messages on behalf of the company makes even the most hardened executive sweat. Fortunately, however, data breaches are relatively rare – or are they?
No, they are not. Data breaches are constantly occurring but we hardly hear about any of them. The reasons are obvious: few people want to announce to the world that they have been the victim of a data breach and, on the other hand, criminals know just the right amount of money to ask for in ransom, so it is tempting to get it over with by doing what the criminal demands.
Every company would like to protect itself against a data breach, but where to start? The most sensible thing to do is first to look at where the weakest point usually is: e-mail.
In general, we recognise typical phishing messages very well: an invoice that should be opened, a voicemail, a Microsoft password about to expire. All of these aim to get the user to click on a link that takes them to a login page. There, the user unsuspectingly enters a username and password, which the criminals capture. Later, these credentials are used to access the company’s network.
“If a company begins to receive such emails, that is already a warning sign. If phishing messages begin to arrive at an increasing rate, this already means that the company has been assessed as vulnerable and worth targeting by phishing. As a result, you should take immediate action and first consider whether your company is really prepared for a data breach,” says data security specialist Ville Soikkola.
A particularly dangerous misconception among companies is “we don’t have anything to hide in our email messages.” Even if that is the case, the organisation still has a great deal to lose, for example the trust of customers and stakeholders. If a criminal is able to send phishing messages to your customers in your name, the customers are much more likely to be taken in by the phishing – and then the damage can only be greater. We expose not only our own organisation to attacks, but also all our stakeholders. The criminals do not necessarily want our data; all they want is the trust of our customers.
The good news is that it is very easy to improve e-mail data security. “Very simple and even free-of-charge measures can already have a great impact on improving your data security,” says Soikkola. “The first step is to find out whether your own internal email security is in order, whether you have staff guidelines under control and, in particular, whether they have been updated over the years. Getting the basic issues in order is not complicated and, at the beginning, the steps are exactly the same for everyone. For example, Microsoft 365 licences come with a number of security mechanisms, but they won’t help if you don’t enable them. There is also the common misconception that security functions like multi-factor authentication can hinder or slow down the progress of work. These days, this is not the case as it is very easy and quick to use them.”
If you don’t really know where to begin, a good partner like Itaito can help your company with data security issues. It’s also worth utilising all possible Microsoft data security functions, as technology companies are constantly striving to remain on the cutting edge and to develop their own services. But they can’t enable services and functions on behalf of the customer. So stay active yourself!
You can read more about functions related to Microsoft licences in our previous blog: Easy security enhancement.
What should you do if you notice that phishing for your data has succeeded? The most important thing is to act quickly. Unfortunately, data breaches often happen completely unnoticed, and criminals can spy on and monitor the movement of data for a long time without anyone noticing. Things usually go like this: first, they log in to your environment and then, over a longer period of time, they monitor, for example, who pays the bills and what kind of messages are sent in connection with billing. When a pattern is clear, the attack is carried out. Thanks to good background work, the messages look genuine and are easily approved.
If you have even the slightest suspicion that your login details have fallen into the wrong hands, you should immediately begin to investigate online events. Have there been any suspicious logins from countries where the user should not have been? What has actually been done using the usernames? Are there any abnormal activities? This investigative work might sometimes be a little laborious but, in terms of costs, it is always just a fraction of the damage that a possible data breach can do to a company.
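The questions above can be asked of an exported sign-in and activity log. The following is an added example, not part of the original post or any Itaito or Microsoft tool: the CSV layout, column names, users and placeholder country codes (XX, ZZ) are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; the column names are assumptions, not a real log schema.
SAMPLE_LOG = """timestamp,user,event,country,ip,detail
2024-03-04T08:02:11,anna@example.com,signin,FI,192.0.2.10,success
2024-03-04T08:15:40,anna@example.com,mail_send,FI,192.0.2.10,to=supplier@example.net
2024-03-06T02:41:05,anna@example.com,signin,XX,198.51.100.77,success
2024-03-06T02:44:19,anna@example.com,mail_read,XX,198.51.100.77,folder=Invoices
2024-03-06T09:01:00,anna@example.com,signin,FI,192.0.2.10,success
2024-03-09T03:12:30,anna@example.com,mail_read,XX,198.51.100.77,folder=Invoices
2024-03-07T10:00:00,mikko@example.com,signin,SE,203.0.113.5,success
2024-03-07T10:05:00,mikko@example.com,signin,ZZ,198.51.100.9,failure
"""

# Countries each user is expected to work from (hypothetical policy data).
EXPECTED_COUNTRIES = {"anna@example.com": {"FI"}, "mikko@example.com": {"FI", "SE"}}


def review(log_text, expected):
    """Flag users with a successful sign-in from an unexpected country and
    collect everything later done from the same IP addresses."""
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: datetime.fromisoformat(r["timestamp"]))
    findings = {}
    for r in rows:
        user = r["user"]
        # A user with no entry in the policy has no expected country at all.
        unexpected = r["country"] not in expected.get(user, set())
        if r["event"] == "signin" and r["detail"] == "success" and unexpected:
            f = findings.setdefault(
                user, {"first_seen": r["timestamp"], "ips": set(), "activity": []})
            f["ips"].add(r["ip"])
        elif user in findings and r["ip"] in findings[user]["ips"]:
            # "What has actually been done using the usernames?"
            findings[user]["activity"].append((r["timestamp"], r["event"], r["detail"]))
    return findings


if __name__ == "__main__":
    for user, f in review(SAMPLE_LOG, EXPECTED_COUNTRIES).items():
        print(user, "first unexpected sign-in:", f["first_seen"])
        for ts, event, detail in f["activity"]:
            print("   ", ts, event, detail)
```

In the sample, the flagged account is read from the same address again three days after the first unexpected sign-in, which is the quiet, long-running monitoring described earlier; the failed sign-in for the second user is not flagged because it never succeeded.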
Proactively protecting against data breaches is always easier, cheaper and more effective than trying to repair the damage after a breach. It is always most sensible to begin eliminating problems with the help of a professional, to acquire data security training as necessary, to protect your data network with authentication and other data security measures, and also to constantly engage in security development work. Once you get a competent partner to help you, everything becomes much easier: Itaito experts are always up to date on how to make the services that come with Microsoft licences work best for you, and how to continue to develop your IT environment so that there are no security gaps. Feel free to contact us if you are concerned about data security issues in your organisation!
Read more about Itaito’s IT services here.