- From the point of view of risk management, 100-percent protection can never be guaranteed, but the company must decide, based on its risk assessment, how much money and resources it is ready to invest in its cybersecurity, answers Tero Kokkonen, Director and docent of cybersecurity, Institute of Information Technology, Jyväskylä University of Applied Sciences (JAMK).
- If there’s not enough in-depth, in-house cybersecurity expertise, it is wise to hire an expert and dependable partner for help. When choosing a partner, you should of course pay attention to the service provider's references.
The responsibility for the whole setup, however, still rests on the shoulders of the company itself.
- The more different systems there are in use within the company, the more important it is to understand the overall architecture of the company's information systems and their cybersecurity, Kokkonen reminds.
A good level of basic cybersecurity competencies should always be maintained throughout the organization.
- Whether it is a large or a small organization, the competence of the personnel and the cybersecurity education or training offered to them are very important. Regardless of their role, every employee should know the basics of cybersecurity and be able to identify cyber threats, for example phishing messages, Kokkonen describes.
Audit, protect and practice
The everyday focus of startups and growth companies is often on product development, sales and financing. However, it would be a good idea to always give cybersecurity issues a similar priority, especially when systems change and processes become more complicated as the company grows.
- For present-state mapping, especially for growth companies, for example the self-audit model FINCSC (Finnish Cyber Security Certificate) developed by JYVSECTEC (Jyväskylä Security Technology), the cybersecurity research, development, and training center of JAMK’s IT Institute, is well suited. FINCSC is perfect for organizations of all sizes, regardless of their industry, says Kokkonen.
One notable guideline for the development of FINCSC has been to keep its costs low, which makes it an ideal audit model for small companies as well.
- The audit is based on a self-assessment that can be completed electronically, and its review by the assessment institution, Kokkonen adds.
Cybersecurity training is an excellent means of preparation. An exercise makes it possible to simulate a real situation in advance.
- Practicing different scenarios makes it easier to react in case of a real situation: key personnel know how to act and, for example, handle crisis communication correctly when the situation is ongoing. The company can also recover from the attack more quickly, says Elina Suni, Project Manager, JAMK IT Institute.
Every company is a potential target
For the safe use of health data, the most important thing is always careful planning and anticipation of information and cybersecurity. A cyberattack in which criminals encrypt data important to an organization's business and demand a payment for returning the data is called a ransomware attack. The criminals can also threaten to share the data publicly if the ransom is not paid.
Elina Suni points out that companies that use health data in their business may be targeted by ransomware, because health data is considered valuable. Of course, you can also be targeted by chance.
- Anticipation and preparation play a very important role in a company's cybersecurity, Suni emphasizes.
Jyväskylä University of Applied Sciences has created a cyber incident management manual for healthcare providers (available only in Finnish).
- The manual gives instructions for preparing for cyber incidents, managing and responding to cyber incidents, and recovering and learning from cyber incidents. I also recommend that health professionals familiarize themselves with the material, Suni advises.
Interested? Enrolment in Seed Village's program Data in the Health Business is open until October 2
Health and sports companies that use data in their business can get good sparring by applying to the Seed Village program. Read more on Kasvu Open's website and apply! The application period is open until October 2, 2022.
More information about Seed Village in English:
Teo Tarri, Kasvu Open
044 493 8567, firstname.lastname@example.org
JYVSECTEC, operating in connection with the IT Institute, helps companies and organizations increase their competencies with cybersecurity exercises conducted in a closed environment at JYVSECTEC's premises. The exercises organized in the Cyber Range training environment typically range from 1–2 days to large national exercises lasting a week. In addition, the unit offers research and development activities around these topics.
Read more about JYVSECTEC's services: https://jyvsectec.fi/services/exercises/overview/ and about the Cyber Range environment: https://jyvsectec.fi/cyber-range/overview/