It’s a lot to think about, but if you’re just getting started we’ve got your back. Here are our top 11 tips for simple, practical steps you can take to help keep your business safe from attack. A printable version of this guide is available at the bottom of the page.
1. Install software updates
Keeping your devices and software up-to-date is one of the most effective things you can do to keep your system safe. You need to make sure:
- your devices are still supported by the manufacturer, and get software updates (patches) for their operating systems
- you install any patches to the operating systems as soon as they’re available.
Patches aren’t just about adding new features to software, they often fix security vulnerabilities too. Attackers could use these vulnerabilities to gain access to your system. Installing patches which fix them is a simple way to prevent this happening.
What to do
- Set your system preferences to install any new patches automatically if you can. Some systems may need to have their patches tested before they are rolled out. If they have to be tested, make sure your IT support provider has a plan in place to apply them within a few weeks of release.
- Make sure any servers or computers that you manage for your business run on operating systems that are still supported and patched.
- If you provide mobile devices to your employees, make sure they also use operating systems that are still supported. Ask your staff to install any patches as soon as they're available.
- If staff use their own devices for work (BYOD devices), make sure they're running supported operating systems and software before they access your business network. Make sure they keep their devices up-to-date too.
2. Implement two-factor authentication (2FA)
As part of your business strategy, you need to think about how to protect both your systems and your customers’ accounts. Implementing 2FA is one way to do this. It means that anyone who logs in to your system will need to provide something else on top of their username and password, to verify that they are who they say they are. You can implement it on internal systems and your customer-facing systems.
You can mitigate credential reuse, sophisticated phishing attacks, and many other cyber security risks by using 2FA.
What to do
- Enable 2FA on your key systems, like your:
- email services
- cloud aggregator services, for example Office 365, GSuite, or Okta Cloud Connector
- document storage
- banking services
- social media accounts
- accounting services, and
- any systems that you use to store customer, personal or financial data.
- Make sure you enforce the use of 2FA for each user in the system.
- Consider not using systems that don’t support the use of 2FA. They should be a requirement for any new system that your business uses. Make it mandatory, not optional.
3. Back up your data
If you run a business, you know how important it is to keep your data safe. If it’s compromised in any way — if it’s lost, leaked or stolen, for example — you need to make sure you have a backup, or copy, available so you can restore it.
You’ll need to back up all of your data. Think about the data which is:
- provided from customers or staff; such as employee or customer personal details, customer account credentials
- generated by the organisation; such as financials, operational data, documentation and manuals
- system-based; such as your system configurations, and your log files.
What to do
- Set your backups to happen automatically so you don’t have to remember to do it. How often you do them depends on how important your data is. If you have new customer data coming in every day that would be impossible to re-create, set your backups to happen a few times a day.
- Store your backups in a safe location that’s easy to get to — and isn’t on your own server. Ideally, you need to store your backups somewhere offline. If you use a memory stick or external hard drive to store your backups, make sure you disconnect it from your network every day.
Storing your data in the cloud is an option for businesses. If you decide to do this, it’s important to note that restoring your website from a cloud backup may be a slow process. It could take a while to get your business back up and running.
4. Set up logs
While using the previous steps can help prevent a cyber security incident, logging can help you find out:
- when an incident may be about to occur — for example, when you’ve had multiple failed logons to your network, or
- when an incident has occurred — like a logon from an unknown IP address in Uzbekistan.
You can set logs up to alert you to any unusual or unexpected events that you need to know about.
What to do
Set up logs for:
- multiple failed login attempts, especially for critical accounts. This includes cloud aggregator services like Office 365 or GSuite
- successful logins to your CMS and changes to any of the files in it (if you don’t change them often)
- changes to your log configurations
- password changes
- 2FA requests that were denied
- anti-malware notifications
- network connections going in and out of your network.
You can set the logs up to notify you about any unusual events by email. Set email notifications up for events that shouldn’t happen often, like multiple failed logons or denied 2FA requests. Setting up notifications for everything means you could get flooded with emails, and it will be hard to know when something goes wrong.
Store logs in a safe location and make sure they’re encrypted. Access to the logs should be limited to only those that need it. Consider archiving them to offline storage and keeping them for a while (like a couple of months) in case you ever need them. Your IT service provider can help you with this.
5. Create a plan for when things go wrong
No matter how well you prepare, sometimes things go wrong. Even if you outsource your IT support, security incidents are still your problem. If your business has a cyber security incident, you’ll need to know what steps to take to keep your business running.
Having a clear plan in place will help you through what could be a stressful time. It’ll help your team respond to an incident quickly, and improve your business's resilience.
What to do
Take the time to create an incident response plan for your business. Our guide will help you understand:
- what you need to do if you’re targeted by a cyber security attack, and
- what plans to put in place so you’re prepared for this kind of event.
6. Update your default credentials
Default credentials are login details that give the user administrator-level access to a product. They should only be used for the initial setup, and then changed afterwards. Unfortunately, this doesn’t always happen, which can cause problems later on. Default credentials are easy to find or guess or find online. Attackers could use them to get into your system.
What to do
- Check for default account credentials on any new hardware or software you buy, or any devices that have been factory reset. If you find any, change them. Make the new passwords long, strong, and unique.
- Use a password manager to store your usernames and passwords. That way, you won’t have to remember them all, and they’ll be encrypted so no-one else can access them.
7. Choose the right cloud services for your business
Running a business is hectic. Using cloud services to manage your IT needs can make a lot of sense. Among other things, it gives you:
- access to software without needing to buy it yourself
- access to your data from any device, at any time
- storage space and backups for your data.
There’s a lot of cloud services providers out there, and you need to make sure you choose the right one for your business. It’s important to know that they take your security needs and your data seriously. Before you commit to a particular provider, make sure they can give you the kind of services and protection you need.
What to do
Ask your cloud services company:
- if they’ll back up your data for you, or if you have to do it yourself
- if they offer the option to use 2FA (if not, see if there’s another provider who does)
- if they’ll notify you of a security breach if it happens
- what happens to your data if they’re bought out by another company, or if they go under
- if they have a public security policy, and a way for you to report security problems to them — for example, through an abuse@ or security@ email address. If not, that should be a red flag for you.
It’s a good idea to check where the servers that they use to hold your data are located too. This is known as jurisdiction. Often, the servers will be based in the UK, US, or Australia. If jurisdiction is important to any of your customers or contacts — if they don’t want their data held overseas or in a specific country, for example — you’ll need to know this information up front.
8. Only collect the data you really need
It’s important to only collect the data you really need from your customers. Your level of risk is based on the amount of data you have — the more you collect, the more valuable it is to an attacker. This means you carry a higher risk if you’re targeted by a security incident. By only collecting what you need, you reduce your risk.
What to do
- When you get new customers or clients, make sure you only save and store the information from them that you need. Be clear about why you need it.
- Make sure you’re encrypting any data you collect. This includes while it’s:
- in transit — for example, collect data from your customers through an HTTPS form
- at rest — when it’s stored in a database.
The Privacy Commissioner has built a tool, Priv-o-matic, to help you create a privacy statement that you can share with your customers. You can use it to tell them how you’ll collect, use and disclose their information.
9. Secure your devices
Enable anti-malware software on any device that accesses your business data or systems. It prevents malicious software — such as viruses or ransomware — from being downloaded. This includes both company owned devices and any BYOD devices that belong to your staff. Malware’s easier to avoid than it is to fix, and there are some simple things you can do to minimise your risk.
What to do
- Use the security features that come as a default with your computer’s operating system. This includes Windows Defender for Windows 10 devices, or Gatekeeper for OSX. Otherwise, use software that can detect malware and that gets updated regularly.
- Don’t let your staff access your network with devices that are jailbroken or rooted. Their devices should only use apps downloaded from their phone provider’s app store, like the Apple Store or Google Play Store.
10. Secure your network
With cloud systems being used so much these days, business networks are much smaller than before. Cloud systems are all internet based, but some organisations may still have a few servers hosting software that’s only accessible from the office. Others may host their web applications in a cloud environment like Amazon Web Services (AWS).
You need to think about the connections both going in, and going out, of your business network when you start thinking about how to secure it. Firewalls help control where connections go, and proxies can act as an intermediary between different computers or networks. For example, you can use a web proxy to send traffic from your business network to the internet, and it could filter that traffic and prevent any bad traffic — to sites hosting malware, for example — from getting through. A VPN can help you access your business network remotely if you needed to.
What to do
- Limit access to the internet-facing parts of your network to only those who need it. For example, if a server on your network does not need to be accessed from the internet and does not need access to the internet, make sure it's:
- on its own VLAN, and
- protected behind a firewall to control what can talk to it and what it can talk to.
- Use a VPN if you need to remotely access systems on your business network. Make sure the VPN software you use requires 2FA so employees need to authenticate with a username, password, and another form of authentication. Using a VPN means you don’t have to expose different servers on your network to the internet, and you can control remote access through one point.
- Use separate VLANs for your business network to control what parts of the network can talk to other parts. For example, you should put servers with sensitive data on a separate VLAN from the one that your employees’ computers are on. You can use firewalls to control how those two VLANs talk to each other.
- Talk to an IT or network engineer to explain what your business does, and what you use your business network for. They can help you configure any separate networks or network devices that you may need to protect yourself.
TIP: As your business grows, so will your network, information, and systems. That means you’ll need to take bigger steps to protect your business. Our Critical Controls provide information about what the next steps look like, and how IT practitioners can implement them.
11. Manually check financial details
A lot of business takes place over email, and it can be hard to tell when an email recipient’s behavior is ‘phishy’. If you're doing business online and you get an unusual or unexpected request, check it manually before you go ahead with the transaction. This means checking the request with the person or company you're dealing with through another channel — by phone, for example. Having manual checks will prevent you from getting caught up in online fraud, like invoice scams.
What to do
- Have a clear process for how you make sensitive business transactions or changes. Determine what’s sensitive for your business, like a monetary threshold or a high quantity of goods, for example. Make sure these thresholds are clear so your staff know when to raise a red flag.
- Use a separate channel of communication to verify a transaction or change before it happens. For example, if you’re doing business over email, follow up with a text message or phone call.
- Have a clear point of escalation for your staff. For example, if a staff member receives an email that looks like it's phishing, make sure they know what to do. Put a process into your incident response plan. Your process should include reporting it to CERT NZ.