Keeping your information secure both at home and at work | Traficom
Transport and Communications Agency

Keeping your information secure both at home and at work

By taking the necessary care and learning a few basic skills, you can ensure that your personal data is protected online. A combination of common sense, strong passwords, and regular updates to your applications and devices goes far to keep you cyber secure.

When you are aware of good information security practices, you can manage your privacy and protect yourself against online scams both at home and at work. In addition, a basic understanding of key information security phenomena helps you keep up with the possibilities and dangers of the internet. It is also important to know which steps to take and who to contact in case of an information security incident.

Unnecessary fuss or serious business? - Why is it important to protect yourself?

Using the internet makes you a potential victim for a cybercriminal. Criminals seek to steal money, information, your identity, or access to valuable information. Other possible motives include harassment and attention.

Criminals are not necessarily interested in you or your business specifically but they can still use your inadequately protected devices for criminal purposes.

Therefore, it is important to protect devices connected to the internet against use by malicious parties. Internet modems, televisions and printers are just some examples of devices that can be taken over by criminals. In the worst-case scenario, if a criminal uses your internet connection for malicious purposes, your service provider may have to disconnect it.

Personal data and banking credentials can also be stolen using malicious software, or malware. Email accounts captured through phishing can be used both to read messages and send new phishing emails to other victims. Having perpetrated a security breach, the attacker may either destroy or encrypt all files including backup copies, which makes the device in question unusable.

But what do I have to lose?

  • Money, your identity, and other sensitive information

Criminals are after your valuable property.

  • Internet connection

Criminals could use your internet connection for malicious purposes.

  • Reputation

Crimes committed and damage inflicted in your name are embarrassing and harmful.

Undoing the damage caused by a cybercriminal is both difficult and expensive, and there is no guarantee that all stolen information can be recovered. In addition, losing sensitive information can be frustrating.

Information security at home

Almost everybody has accounts on online services and social media platforms. We are often more concerned with the user-friendliness of these services and accounts than their security. Losing the information on an account can, however, cause significant harm, embarrassment, or expenses. Protecting yourself and your information is not difficult, and it only takes a few simple steps to make your life online more secure.

Top tips

  • Step 1

    Passwords

    A good password is sufficiently long and complex. Create a unique password for each service. As memorizing strong passwords for every service is impossible, you can use a password management tool.

  • Step 2

    Click with caution

    Files attached to emails can contain malicious software or links. In addition, harmful links circulate on social media and other websites, and can also spread via text messages. Various pop-up windows designed to attract clicks from internet users can also expose their computers or mobile devices to malware.

    If you are unsure of the sender or content of a message, verify it by contacting the sender by phone, for example. If you encounter a suspicious link, do not click on it.

  • Step 3

    Avoid scams

    If an offer sounds too good to be true, it is most likely a scam. No responsible person, business, or authority asks for your passwords or banking credentials by phone or email. There is nothing wrong with being reasonably cautious.

  • Step 4

    Use two-factor or multi-factor authentication

    You can make stealing your accounts significantly more difficult by using two-factor or multi-factor authentication with your email and social media accounts. Make sure that you know how to regain access to your accounts in case they are stolen despite your precautions.

  • Step 5

    Remember backup copies

    Make backups of your most important information and cherished photos on a USB stick or other storage device and keep it in a safe place. This ensures that your information is not irretrievably erased even in the event of damage to the originals.

  • Step 6

    Report your observations

    If your device starts behaving in an unusual way, contact your internet service provider immediately. Also notify them in case you accidentally click on a suspicious link or enter your username and password into a service whose trustworthiness you doubt. The faster the notification, the more likely it is that the extent of possible damage can be limited.

    Also bear in mind that you can always contact the NCSC-FI, the police, and consumer protection authorities for help and additional information. Authorities treat all of your information with strict confidentiality.

Top tips

  • Step 1

    Passwords

    Use sufficiently long and complex passwords. Keep shared passwords as well protected as personal passwords.

  • Step 2

    Learn good information security practices and follow them

    In addition to your employer’s information security policies, you can find instructions and guidance regarding secure use of the internet and email on our website.

  • Step 3

    Authentication

    Use two-factor or multi-factor authentication.

  • Step 4

    Updates

    Updates protect your systems in case vulnerabilities have been identified. If such vulnerabilities are left unpatched, they can allow criminals access to the network and information of your workplace.

  • Step 5

    Processing of sensitive information

    Make sure that confidential information such as customer information and business secrets are carefully protected and that unauthorized persons do not have access to your business’ information systems.

  • Step 6

    Managing incidents

    Learn your employer's policy regarding the steps to take in case of incidents. Make sure that you know who is responsible for information security.

  • Step 7

    Backup copies

    Remember to make backup copies of your files regularly. Backup copies allow you to recover your information if your computer is damaged, or if your files are locked or corrupted by malicious software.

Shared resources and systems

  • Step 1

    Website maintenance

    Vulnerabilities are often found in website publishing platforms, which makes them common targets for data breaches.

    We recommend enabling automatic updates on all of your organization's devices and information systems.

  • Step 2

    Open online services

    All services connected to the internet are of potential interest to criminals, and almost all businesses have such connected services. If necessary, use the services of an information security expert to identify vulnerabilities.

  • Step 3

    Shared accounts

    Enable two-factor or multi-factor authentication. Have the confirmation code required to complete authentication sent to a phone number or email address to which all relevant personnel have access. Usually only one contact can be added.

    The passwords of shared accounts must be kept secure with the same care as personal login information. And while writing the shared password down on a note on the wall makes it easy to remember, it is also there for anyone to read.

  • Step 4

    Information security risks

    Risks are caused by inadequately secured devices and systems as well as the actions of employees. Make sure you are aware of responsible practices.

    Discuss the following questions at your workplace:

    • Is it necessary for all personnel to have access to all the information being processed?
    • What kind of information are personnel allowed to communicate using a specific application?
    • What are the policies and good practices for using computers, mobile phones, applications, and software?

  • Step 5

    Travelling safely

    Make sure that your laptop and mobile devices are not lost while travelling. Do not leave your devices unattended. Unfamiliar USB sticks and other storage devices can install malware onto your device or copy files from it.

    Wireless internet connections (WLAN networks) in hotels and public places can also constitute an information security risk. Open wireless networks are easy targets for eavesdroppers, with man-in-the-middle attacks revealing the user’s internet browsing to the attacker.

  • Step 6

    Cyber espionage

    Cyber espionage is the act of attempting to gain access to secret information held by businesses or organizations. Espionage usually begins with a phishing email that contains malware designed to steal login or other information. The target of the attack possesses information of interest to the attacker regarding political decision-making, the economy, technology, or another sensitive topic.

    It is possible to stop a targeted attack even if the first phase of the intrusion, i.e. the contamination of the user’s workstation, is difficult to prevent. In order to ensure that attacks are detected, it is important that information systems’ log data is comprehensive and actively monitored.

    Taking the necessary steps to ensure a high degree of information security reduces the risk of cyber espionage.

If you receive a suspicious message

Do not open

Do not open the message or any attached links or files.

A strict NO to add-ons and installations

If you accidentally open an attached file, do not give permission to activate add-ons or install software.

Do not enter your login information

If you accidentally click on a link that takes you to a website asking you to enter your username and password, do not do so.

I was a victim of a cyber attack. What should I do?

If the attack in question was a data breach into your organization’s systems or a denial-of-service attack on your website, contact the system administrator first and then alert the police.

By contrast, if the attack targeted your personal email or social media account, it is a criminal matter and should be reported to the police.

In both cases, we recommend filing a police report.
Reporting an offence online
Contact request, Victim Support Finland

In urgent situations, the person in charge of information security can request help from our duty officer at

Include the following information in as much detail as possible:

  • nature of the incident
  • technical details
  • time at which the incident began (and ended, if applicable)
  • contact information of the administrator and/or service provider.

Protecting your social media accounts

Social media accounts are fun and useful as long as you have control of them. Cybercriminals seek to capture social media accounts in order to commit identity theft, extortion, or other forms of fraud using your information. Sometimes accounts may also be captured simply for the purposes of harassment.

In order to protect your accounts, enable two-factor or multi-factor authentication on all social media platforms and on those email accounts that you use to log in to them. Multi-factor authentication prevents the majority of attacks on social media accounts.

Criminals can also target unused, forgotten accounts, as they can be used to log in to services and perpetrate scams in your name.

Key information security concepts

Two-factor or multi-factor authentication means that a user’s identity is verified using two or more authentication methods. In addition to usernames and passwords, other authentication methods include one-time codes sent to the user’s device, and biometric identifiers such as fingerprints.

If you receive a confirmation request on your device while not attempting to log in, it is likely that someone else is trying to gain unauthorized access to your account. If this happens, change your password. If such a message is sent to a device at your workplace, make sure you also notify the risk management team. While two-factor or multi-factor authentication does not eliminate all risk, it is usually enough to prevent isolated instances of illicit activity.

If you receive an email asking you to change your password despite not requesting a new one, do not click on the link in the email. The most secure way to change your password is on the website or application of the service in question.

How multi-factor authentication works:

Enabling multi-factor authentication:

When logging in to the service, you have the option of enabling multi-factor authentication. When asked whether you would like to enable multi-factor authentication, select yes.

When asked to add alternative authentication factors and a recovery address, add several. Alternative authentication factors can be necessary if you lose your phone or other primary means of verifying your identity, for example. A second recovery email address may be needed if you are for some reason unable to access your primary email account.

If you do not add any alternative authentication factors, recovering your account is difficult and time-consuming. The service provider may ask for a copy of your passport, photograph, or other piece of evidence. While this may be obligatory in order to recover your account, make sure to take the necessary steps to protect your sensitive information when sending the required documents.

Use:

After you log in to your social media account and enter your username and password, you will be asked to verify your identity using another authentication mechanism. This could be a USB key, key list, application, text message, code sent to your phone, etc. If the authentication factors match, you will be granted access to the service.

After the first login, many services allow users to designate the device in question as trusted, which lets you access the service using only your password on subsequent logins on the same device. However, additional authentication factors will be required when logging in from new locations and on new devices.

Make sure to also protect important email accounts

Criminals are interested in email accounts used to log in to social media accounts and recover passwords. Make sure that you have control of your accounts and that others do not use them. Take particular care to secure those email accounts that you use to log in. If they are captured by criminals, password recovery requests can help them gain access to all the platforms on which you use the email address in question as your username.

Lifecycle of email accounts

Criminals can also target unused, forgotten accounts. They can be used to capture accounts on platforms to which you log in using the email account in question. Delete any accounts you no longer use, as criminals can register outdated email addresses in order to use your accounts and perpetrate scams in your name.

Do I have control of my email account?

If you suspect that someone else is using your email account, log out of the account and change your password.

Passwords are the keys to your personal accounts. A good password is easy to remember, difficult for outsiders to guess, and sufficiently long.

You should choose a unique password for each service you use. However, the large number of services available today makes remembering all combinations of usernames and passwords virtually impossible. To combat this problem, we recommend using a password management tool. Such tools allow users to store their most important passwords and associated usernames behind a single password.

Make sure that all of your personal accounts and information are secure. Think about whether your account activity and status updates need to be visible to everyone, or whether their visibility should be limited.

Follow the security recommendations given by Twitter, Facebook, and other platforms, even if doing so affects their user-friendliness. For more information, see the services’ information security and privacy settings.

Public social media accounts can be used for data collection purposes, so think carefully about what you choose to share with the world. For example, an “empty house” status update can result in burglars targeting your home, particularly if you have also shared your address on your public profile.

Public location information can be used to identify your current location even if you have not shared it exactly, as pictures associated with your publication and any visible landmarks can give away a lot.

If your interests are known, malicious parties can send you targeted emails inviting you to either open an attached document or click on a link. An ill-advised click can then expose your device to malware and phishing.

If your user account falls into the wrong hands, scam messages can be sent in your name.

Microsoft Office 365, Dropbox, OneDrive, Google cloud, Amazon – What should be stored in the cloud?

Cloud services are convenient, as necessary information is accessible from almost anywhere and from a range of devices.

Consider the seriousness of the risk associated with losing information stored in the cloud. The risk can be considered small if losing your information is likely to result in mere annoyance. By contrast, the associated risk is significant if the lost information could be used to steal your identity. Such information includes a complete employment history or passport copy.

Many cloud service providers design their services with information security as their goal, but large amounts of concentrated data can attract criminals. The decision to store sensitive and valuable material in the cloud must always be made carefully, because even secure cloud services are not immune to breaches. Also make sure to check which limitations apply to how your stored information is used in order to ensure that it cannot be accessed by third parties.

When a criminal exploits the gullibility or generosity of people with the intent to deceive or mislead, this is referred to as social engineering. Deception and phishing are also markedly less expensive than other criminal activities such as hacking an online platform by exploiting security gaps.

It is particularly easy for a malicious party to falsify the kind of information we usually trust or do not think to check on websites. As an example, consider fraudulent websites. While they can appear almost identical to the original, extra characters or words in the browser's address bar often reveal them as scams. The NCSC-FI’s website, whose actual URL is “https://www.kyberturvallisuuskeskus.fi”, could appear as “www.kyberturvallisuus.keskus.fi”, “www.kyberturvakeskus.fi”, “www.1.kyberturvallisuuskeskus.fi”, and so forth.
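The address-bar check described above can be automated. The following is an added example, not code from Traficom or the NCSC-FI: it compares a hostname against the genuine one and reports why a near-miss looks suspicious. The single-entry allowlist, the similarity threshold, the function names, and the sample list are assumptions of this example.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# The genuine address quoted in the text above. Treating this single
# hostname as the whole allowlist is an assumption of this example.
GENUINE_HOST = "www.kyberturvallisuuskeskus.fi"
GENUINE_DOMAIN = "kyberturvallisuuskeskus.fi"
SIMILARITY_THRESHOLD = 0.8  # assumed cut-off; tune it for your own names


def hostname_of(address):
    """Return the lower-cased hostname of a URL or a bare address."""
    if "://" not in address:
        address = "//" + address  # lets urlsplit see a network location
    host = urlsplit(address).hostname or ""
    return host.rstrip(".")


def _squash(host):
    """Drop dots and hyphens so only letters and digits are compared."""
    return host.replace(".", "").replace("-", "")


def classify(address):
    """Return (verdict, reason) for an address seen in a link or address bar."""
    host = hostname_of(address)
    if host == GENUINE_HOST:
        return "genuine", "exact match with the known hostname"
    if GENUINE_DOMAIN in host:
        return "lookalike", "contains the genuine name but is not the exact known hostname"
    if _squash(host) == _squash(GENUINE_HOST):
        return "lookalike", "same letters, but dots or hyphens moved or added"
    score = SequenceMatcher(None, host, GENUINE_HOST).ratio()
    if score >= SIMILARITY_THRESHOLD:
        return "lookalike", "similar spelling (ratio %.2f)" % score
    return "unrelated", "does not resemble the known hostname"


# Sample input: the genuine URL and the three lookalikes named in the text,
# plus one constructed unrelated address.
SAMPLES = [
    "https://www.kyberturvallisuuskeskus.fi",
    "www.kyberturvallisuus.keskus.fi",
    "www.kyberturvakeskus.fi",
    "www.1.kyberturvallisuuskeskus.fi",
    "www.example.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reason = classify(sample)
        print("%-40s %-10s %s" % (sample, verdict, reason))
```

A mail gateway or browser helper would normally hold several genuine hostnames; the same comparison then runs against each entry.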

In most cases, scammers are after information that would allow them to make money by criminal means. Here are some examples of scams designed to exploit our natural generosity or trust:

  • You receive an unusual message from a friend or acquaintance asking you to open an attached document.
  • You receive an email written in natural and fluent language, seemingly sent by a friend or acquaintance, in which you are asked to open an attached file by clicking on a link.
  • You receive a phone call from a scammer impersonating a police officer and asking you for your banking credentials or credit card information.
  • An uninvited guest attempts to enter locked premises by impersonating a maintenance worker, for example.

You can verify the authenticity of a message by contacting the sender by phone or other means, after which you can safely open the message or file attached to it.

Never enter your user credentials or reveal them to third parties, especially if you are asked to do so by email. Likewise, do not click on the “OK” button in a pop-up window that suddenly appears on your screen asking you for permission to access features on your device or to download an application or piece of software.

If possible, always report any attempted scams or scam messages. Doing so can help prevent others from falling victim to criminals.
