4 “Hot Potatoes” in Cybersecurity You Should Fix Before the Year Ends

Author: Maxemilian Grönblom, Developer & Partner, J&Co Digital
Cybersecurity is generating more discussion than ever. New tools, evolving legislation, and the daily rush create an environment where data protection can easily falter if operations are not managed systematically.
Here are four hot potatoes identified by J&Co’s cybersecurity team that every organization should address as quickly as possible.
1. Establish a clear AI policy
As enjoyable as it is to harness AI as a thinking assistant, its use always requires deliberate caution. Tools like ChatGPT and other generative applications are used to create text, analyze data, and write code. At the same time, using them can expose a company to data leaks if proper guidelines are not in place.
Example: Apple has restricted its employees’ access to generative AI tools, such as ChatGPT and GitHub Copilot. According to the company, the restriction is based on concerns that data entered by employees could end up in the hands of external service providers or even in training datasets, potentially leaking the company’s confidential information. At the same time, Apple began developing its own AI instead of allowing employees to use open external tools. In this way, Apple serves as an example that while there is a desire to leverage AI, its use requires restrictions and, in some cases, dedicated infrastructure.
An AI policy defines which AI solutions an organization uses, what information can be entered into them, and who is responsible for monitoring their use. When the guidelines are clear, employees can use AI both effectively and safely.
2. Enable two-factor authentication (2FA)
Cybersecurity authorities, including Finland's National Cyber Security Centre (NCSC-FI, part of Traficom), have stated that two-factor authentication (2FA) would have prevented a large share of the account breaches reported in recent years. The extra verification step acts as an additional lock: one more confirmation at login is often all that separates an email inbox or cloud service from takeover.
A typical breach begins with a phishing email through which the attacker obtains the user's username and password. If logging in also requires a separate verification via a mobile app or a physical security key, the stolen password alone is no longer enough. One caveat a practitioner should know: phishing kits that proxy the real login page can relay one-time codes and push approvals in real time, so only phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys close that gap completely.
Many large companies, such as Google and Microsoft, have reported that two-factor authentication prevents over 90% of account takeover attempts. The same protection works for smaller organizations—the solution doesn’t require a complex system or major investment, only the decision to implement it.
The safest everyday setup keeps the second factor on a separate device from the one you log in with, for example a computer and a phone; the strongest option is a hardware security key, which cannot be phished. SMS verification alone is not sufficient: the attacker may also control the mobile subscription (SIM swapping) or have malware on the phone. An authenticator app such as Microsoft Authenticator or Google Authenticator, which generates time-based codes on the device without anything passing through the phone network, provides significantly stronger protection than SMS.
Two-factor authentication should be enabled in all key systems, starting with administrator and identity-provider accounts and continuing with email, project management, cloud storage, and social media accounts. One extra click at login cuts the risk many times over.
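To make concrete what an authenticator app actually does, here is an added example (not code from the original post or from J&Co) implementing the time-based one-time password scheme (RFC 6238 over RFC 4226 HOTP) that Google Authenticator and Microsoft Authenticator use, together with the server-side check. It uses only the Python standard library. The 20-byte secret is the published RFC test secret so the output can be compared with the RFC test vectors; a real enrolment would use `new_secret()`. The verifier accepts each code exactly once and tolerates one 30-second step of clock drift, which is the property an SMS code does not have: a code captured by a relay or a SIM swap is useless once the legitimate login has consumed it or its slot has passed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 4226 / RFC 6238 reference secret, used here only so the output can be
# checked against the published test vectors. A real enrolment uses new_secret().
REFERENCE_SECRET = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh random shared secret for one enrolment (160 bits, as RFC 4226 recommends)."""
    return secrets.token_bytes(nbytes)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second slot."""
    return hotp(secret, int(at_time) // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind authenticator apps import from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side check: accept a code once, within +/- `window` time steps."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest counter already consumed by a successful login

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        now = time.time() if at_time is None else at_time
        counter = int(now) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # replay or an older slot: a code is good exactly once
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print(totp(REFERENCE_SECRET, 59))  # RFC 6238 test vector at T=59: 287082
    print(provisioning_uri(new_secret(), "anna@example.com", "Example Oy"))
```

The `last_counter` bookkeeping is the part most home-grown implementations forget: without it a code intercepted within its 30-second window can be replayed. `hmac.compare_digest` keeps the comparison constant-time.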
3. Move your passwords to a password manager
The browser’s built-in password manager makes daily life easier but weakens security. Its store is unlocked whenever you are logged in to your computer, usually with no separate master password, so any malware running under your user account, or anyone who compromises the browser, can read all saved passwords at once.
Cybersecurity companies continuously report cases where criminals have accessed users’ accounts using passwords stolen from the browser. This highlights the importance of using dedicated password managers.
A practical example: infostealer malware campaigns seen widely in 2023 and 2024, such as Raccoon Stealer and RedLine, specialised in harvesting passwords and session cookies saved in users’ browsers. The malware forwarded this information to criminal networks, which used it to log in to email services, social media accounts, and cloud services. Stolen session cookies are especially dangerous, because an attacker who loads them into their own browser inherits an already-authenticated session and bypasses both the password and, in many cases, two-factor authentication.
We ourselves use and recommend dedicated password managers such as Bitwarden, which keep the vault encrypted with a key derived from your master password and suggest a strong, unique password for each service. This also removes password reuse, one of the most common cybersecurity risks: a password leaked from one service cannot be tried against the others. Additionally, shared vaults make it easier to manage and revoke access when employees change roles or leave.
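Two things a password manager does for you can also be checked by hand against an exported vault: whether every password is unique and whether each one is strong enough. The following is an added example, not code from the original post or from any password manager; it generates passwords with the `secrets` module and audits a constructed, made-up vault export (the entries, names and passwords are assumptions for illustration). The report deliberately lists only service names, never the passwords themselves.

```python
import math
import secrets
import string
from collections import defaultdict

# Character classes the generator draws from (assumption: most services accept these symbols).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)
MIN_LENGTH = 12        # below this, reject outright
MIN_BITS = 80.0        # rough strength floor used by the audit


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG containing at least one character of every class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def entropy_bits(password: str) -> float:
    """Upper-bound strength estimate: characters times log2 of the alphabet actually used."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(size) if size else 0.0


def audit_vault(entries, min_bits: float = MIN_BITS) -> dict:
    """entries: list of {"name", "username", "password"} dicts, as in a vault export.
    Returns groups of services that share one password, plus services whose
    password is too short or too weak. Passwords are never copied into the report."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["name"])
    reused = sorted(names for names in by_password.values() if len(names) > 1)
    weak = sorted(e["name"] for e in entries
                  if len(e["password"]) < MIN_LENGTH or entropy_bits(e["password"]) < min_bits)
    return {"reused": reused, "weak": weak}


# Constructed sample export: four made-up services, two of them sharing a weak password.
SAMPLE_VAULT = [
    {"name": "Email", "username": "anna@example-corp.com", "password": "Kesa2023!"},
    {"name": "Cloud storage", "username": "anna@example-corp.com", "password": "Kesa2023!"},
    {"name": "Project tool", "username": "anna", "password": "fX7#pQ2m!vL9@rT4wB8z"},
    {"name": "Old CRM", "username": "avirtanen", "password": "salasanasalasana"},
]

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
    print(generate_password())
```

The entropy figure is an upper bound (it assumes the attacker does not know the password is a dictionary word), which is exactly why the audit flags the sixteen-letter `Old CRM` password while accepting a twenty-character random one.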
4. Train your staff to recognize phishing
Phishing remains the most common method for breaching systems. Fraudulent messages increasingly appear legitimate and contain convincing details.
According to reports from the Finnish National Cyber Security Centre (Kyberturvallisuuskeskus, NCSC-FI), over 80% of attacks against organizations begin with email. Training and exercises significantly reduce this risk.
Many Finnish companies regularly run phishing simulations, tracking how many employees click on links and, just as importantly, how many report the message, and how both figures change over time. As awareness grows, mistakes decrease rapidly and cybersecurity improves without major investment.
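The cues that training teaches people to spot can also be written down as checks. The following is an added example, not code from the original post or from J&Co: it parses two constructed email messages (one legitimate, one phishing, both invented for this illustration with `example-corp.com` assumed to be the organisation's own domain) and reports the classic indicators: a lookalike sender domain, a known colleague's name on an external address, a Reply-To pointing elsewhere, failed SPF/DKIM/DMARC results in the `Authentication-Results` header, a link whose visible text names a different host than its real target, and urgency language. Only the Python standard library is used.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the organisation's own domains and staff roster.
TRUSTED_DOMAINS = {"example-corp.com"}
KNOWN_STAFF = {"anna virtanen"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquatted domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message: str) -> list:
    """Return a list of indicator tags found in one RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    hits = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if sender_domain not in TRUSTED_DOMAINS:
        hits.append(f"untrusted-sender-domain:{sender_domain}")
        if any(0 < edit_distance(sender_domain, t) <= 2 for t in TRUSTED_DOMAINS):
            hits.append(f"lookalike-domain:{sender_domain}")
        if display.strip().lower() in KNOWN_STAFF:
            hits.append(f"display-name-impersonation:{display.strip()}")
    reply_to = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to and reply_to != sender_domain:
        hits.append(f"reply-to-domain-differs:{reply_to}")
    for method, result in AUTH_RE.findall(msg.get("Authentication-Results", "")):
        if result.lower() != "pass":
            hits.append(f"{method.lower()}={result.lower()}")
    body = msg.get_payload()
    for href, text in LINK_RE.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if text.lower().startswith(("http://", "https://")):
            if urlparse(text).hostname != urlparse(href).hostname:
                hits.append(f"link-text-host-mismatch:{urlparse(href).hostname}")
    haystack = (msg.get("Subject", "") + " " + body).lower()
    if any(w in haystack for w in URGENCY_WORDS):
        hits.append("urgency-language")
    return hits


# Constructed sample messages (not real mail).
LEGIT = """\
From: "Anna Virtanen" <anna.virtanen@example-corp.com>
To: mikko@example-corp.com
Subject: Ticket 42 updated
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
Content-Type: text/html

<p>Hi Mikko, ticket 42 was updated.</p>
<a href="https://portal.example-corp.com/ticket/42">Open ticket</a>
"""

PHISH = """\
From: "Anna Virtanen" <anna.virtanen@examp1e-corp.com>
Reply-To: helpdesk-reset@mail.example.net
To: mikko@example-corp.com
Subject: URGENT: your password expires within 24 hours
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=fail header.from=examp1e-corp.com
Content-Type: text/html

<p>Reset your password now to keep access:</p>
<a href="http://login.examp1e-corp.com/reset">https://portal.example-corp.com/reset</a>
"""

if __name__ == "__main__":
    print("legit:", phishing_indicators(LEGIT))
    print("phish:", phishing_indicators(PHISH))
```

None of these checks is proof on its own; the point of the simulation is that a person who has seen "the name is right but the domain is not" and "the link text is not where the link goes" a few times stops needing the script.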
At J&Co, cybersecurity sits on every developer’s desk.
At J&Co, cybersecurity is embedded in every line of code. Our security team meets regularly to monitor current threats, share insights, and develop common practices.
Cybersecurity is visible in J&Co’s daily operations through secure customer solutions. When the client’s own processes, training, and monitoring work in parallel, you can sleep peacefully at night.
