Finnish news has once again been filled with troubling news that are particularly interesting for those of us who like to make a big fuss about cybersecurity.
This past week’s news has once again been mostly filled with troubling and concerning events – which seems to be the usual news vibe – but also some that are particularly interesting for those of us who like to make a big fuss about cybersecurity.
A massive data breach in the Education Division of the City of Helsinki was caused by an outdated remote access server that was scheduled to be decommissioned. According to the city, tens of millions of files might have been compromised, but despite the large amount of leaked data, there is no evidence of misuse. The city emphasizes the importance of cybersecurity, data protection, and staff training. The police are investigating the case as a serious data breach (YLE News, June 18).
An exclusive article by Helsingin Sanomat (June 18, only available in Finnish) covered a massive data leak in May, where a car repair shop in Karkkila and a towing service in Northern Ostrobothnia found themselves in the middle of a data breach scandal. A hacker accessed the personal data of tens of thousands of people from the Finnish Tax Administration and the Finnish Transport and Communications Agency (Traficom) through the companies’ interface connections. The data breach jeopardized the personal information of up to 77,000 people, and the business owner’s little mishaps are what the police would usually call ‘interesting’.
We’ve read about these cases with a mix of horror and fascination, but they also remind us of the importance of our work for our clients. We love to talk about cybersecurity, interfaces, and data collection and storage whenever we find someone willing to listen, or at least too polite to get away. As we’ve argued before, data protection and active defense on the internet are everyone’s responsibility, and unfortunately, even ordinary companies can make national headlines due to unintended mistakes.
Data Protection is for Everyone
Sometimes small and medium-sized businesses can see data protection mainly as an extra expense and a bit of unnecessary fussing, but from our perspective, we see it like buying insurance – it’s just part of the cost of business. Especially if your services end up storing any kind of personal data, from email addresses, saved PDF invoices, phone numbers, IP addresses, or anything that might even remotely be considered identifiable data under GDPR…a potential data breach is a big deal.
The more data we collect and store, and the more interfaces our sites and services have, the bigger the target they become for bots and hackers. It doesn’t help if systems are running outdated versions of plugins, interface integrations have not been updated, or data is stored on a dusty old server. (Seriously, even if your site isn’t directly attacked, a breach on the same server could quickly jeopardize every client on it).
If you suddenly realize you haven’t checked all the updates lately or aren’t quite sure where all your services are hosted or how much protection they have, you can take a few steps to ensure things aren’t completely falling apart. (Heads up, imminent marketing talk ahead)
Order a Free Data Protection Starter Audit
If this issue hasn’t been shouted about enough, we offer free Starter Audits which checks the most immediate and obvious data protection issues. You can order a Starter Check here, all you need is your website’s URL and the email where you want to receive the report. This isn’t a comprehensive audit, but at least you can check that you’re not accidentally serving up a data breach on a silver platter.
Update Strong Passwords
Always use strong passwords, at least eight characters long, with uppercase letters, numbers, and preferably a special character to annoy the bots. Don’t use “admin” as your username, choose something truly unique. Mix in some numbers if you want an A+ grade. If you’re feeling particularly bold, you can even activate two-factor authentication, so even the Windows 95 Guy won’t get into your data stash.
Check WordPress Updates
Check if there are updates for plugins, themes, or the core. If a plugin is no longer needed, delete it confidently. Outdated versions especially can be a backdoor to your site data.
Ensure the Site has Backups
Regularly back up all files. This way, you can restore your site if an update goes wrong and locks up the entire site. It’s also a good idea to keep backups over a longer period – it’s possible that a bot that infiltrated your site added malicious code that isn’t immediately visible, and the code might get copied into the latest backups. Remember to store your backups securely. Leaving them on the same web server as your site is a bad idea.
Remove Unnecessary Users
Don’t leave unnecessary user accounts active. Each one is a risk for brute-force attacks. Don’t grant every user more privileges than necessary – for instance, not every content creator needs full admin rights.
Install a Security Plugin
Install security plugins, particularly Wordfence, which help protect your site.
If you already have all these measures in place, you can head off on holiday with 86% more peace of mind. If you need help with assessing cybersecurity, conducting a more in-depth audit of your site or services, or anything else related to your site, feel free to get in touch and send your questions.
Finland goes into a summer slumber during July (we’re still working), so Happy Summer to everyone except hackers, bots, and hybrid influencers.