For businesses and self-employed professionals, this is not only a technical issue. A trojan can lead to data loss, stolen credentials, fraud, business interruption and, where personal data is affected, a possible personal data breach that must be assessed or notified.
In this article we will discuss...
How trojans usually enter
- Email attachments pretending to be invoices, quotes or delivery notices.
- Downloads from unofficial or unreliable websites.
- Links received by SMS, WhatsApp, social networks or email.
- Pirated software, cracks or fake free tools.
- Fake browser, antivirus or document-viewer updates.
Warning signs
Many trojans are designed to stay hidden, so the absence of symptoms proves nothing. When there are signs, they include unusual slowness, pop-ups, configuration changes, suspicious account access, a disabled antivirus, unknown network connections or processes, and files modified without explanation.
Basic protection measures
INCIBE recommends keeping devices updated, using security tools and avoiding files or links from doubtful sources. Its resources on viruses and threats and its cyberattack guide are useful for users and small businesses.
- Keep systems and applications updated to close known vulnerabilities.
- Use antimalware protection and check that it is active.
- Download software only from official sources.
- Do not open unexpected attachments, even if they appear to come from a supplier.
- Use unique passwords and multi-factor authentication for email, banking, cloud services and management panels.
- Keep backups that are protected from deletion or encryption (offline or immutable copies), and test that they can actually be restored.
- Train staff to identify suspicious emails and links.
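The most common entry vector above, a malicious attachment dressed up as an invoice or quote, is also the easiest to screen for with a few simple rules before a file reaches a user's double-click. The script below is an added example, not code from the original article or from INCIBE; it applies three heuristics to an attachment: risky extensions (executables, macro-enabled Office files, containers such as ISO or ZIP), double extensions like `Factura.pdf.exe`, and a mismatch between the file's leading bytes and what the name claims (a "PDF" that starts with the `MZ` header of a Windows executable). Archives are judged by their members rather than by the wrapper. All file names and contents in `demo()` are constructed for the example; a clean result means only that none of these indicators fired, not that the file is safe.

```python
"""Classify an e-mail attachment by its claimed name and leading bytes.

Added example, not from the original article. Heuristics only: an empty
result does not prove a file is safe; use it to route doubtful files to a
sandbox or to the IT contact instead of the user's desktop.
"""
import io
import zipfile

# Extensions that run code directly when opened on a typical desktop.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".lnk"}
# Office formats that can carry macros.
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Container formats commonly used to smuggle executables past mail filters.
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".zip", ".rar", ".7z"}
# Leading bytes ("magic") expected for common document types.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
PE_MAGIC = b"MZ"  # DOS/PE header of every Windows executable


def _split_exts(filename):
    """Return the lowercased extensions: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def assess_attachment(filename, head, zip_names=None):
    """Return the reasons an attachment looks dangerous (empty list = none found).

    head:      first bytes of the file (a few hundred are enough).
    zip_names: member names if the file is an archive already listed
               with list_zip_members().
    """
    reasons = []
    exts = _split_exts(filename)
    last = exts[-1] if exts else ""

    # Name-based checks.
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
    if last in MACRO_EXTS:
        reasons.append(f"macro-enabled Office document {last}")
    if len(exts) >= 2 and exts[-2] in MAGIC and last in EXECUTABLE_EXTS:
        reasons.append("double extension disguising an executable as a document")
    if last in CONTAINER_EXTS:
        reasons.append(f"container format {last} often used to bypass mail filters")

    # Content check: what the bytes say versus what the name claims.
    if head.startswith(PE_MAGIC) and last not in EXECUTABLE_EXTS:
        reasons.append("Windows executable (MZ header) under a non-executable name")
    expected = MAGIC.get(last)
    if expected and not head.startswith(expected):
        reasons.append(f"content does not match {last} signature")

    # Archives: judge by what is inside, not by the wrapper.
    for member in zip_names or []:
        inner = assess_attachment(member, b"")
        if inner:
            reasons.append(f"archive member {member}: " + "; ".join(inner))
    return reasons


def list_zip_members(data):
    """Return member names of an in-memory zip, or [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def demo():
    """Run the checks over constructed sample attachments (not real samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # An executable hidden behind an invoice-like name inside a zip.
        zf.writestr("Factura_2024.pdf.exe", b"MZ" + b"\x00" * 60)
    smuggled = buf.getvalue()

    samples = {
        "invoice.pdf": (b"%PDF-1.7\n", None),                     # genuine PDF
        "quote.pdf": (b"MZ\x90\x00" + b"\x00" * 60, None),        # PE renamed .pdf
        "Factura_2024.pdf.exe": (b"MZ\x90\x00", None),            # double extension
        "pedido.zip": (smuggled, list_zip_members(smuggled)),     # zip hiding a PE
    }
    return {name: assess_attachment(name, head, members)
            for name, (head, members) in samples.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or ["no indicator found"])
```

Run it as a script to see the verdict for each constructed sample; in a mail gateway or a shared-mailbox script you would feed `assess_attachment` the real file name and its first few hundred bytes, and quarantine anything that returns a non-empty list.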
What to do if you suspect an infection
Disconnect the device from the network, stop entering passwords on it, notify your IT provider or internal contact, preserve evidence (do not wipe or reinstall the machine before it has been examined) and change credentials from a clean device. If personal data may have been affected, document the incident and assess the risk to decide whether notification to the AEPD or to the affected individuals is required; under Article 33 of the GDPR, notification to the supervisory authority must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the individuals concerned.
Conclusion
The best defence against trojans is a combination of technical prevention, staff awareness and clear response procedures. Under the GDPR, cybersecurity is not optional: it is part of the technical and organisational measures expected from organisations that process personal data.
