Secure the data across your website
Your customers trust you to keep their information, and the communication you have with them, safe. An easy way to give your website added security and privacy is to enable HTTPS. HTTPS keeps the information transferred between you and your customers confidential by encrypting it. Encryption means that only your website and the person using it can read the information being shared, and no one else along the way. This stops attackers from intercepting the login details or credit card information customers submit on your site.
To protect your customers’ information, HTTPS should be enabled across your entire website, including on:
- content pages
- the content management system (CMS) where you update your website
- the control panel (where you log in)
- forms, particularly those collecting customers' personal information.
Google Chrome shows ‘Not secure’ in the address bar on any page that is not using HTTPS.
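One way to confirm the advice above has been applied to every part of a site, as an added example that is not from the original page: a small Python script that requests each listed path over plain HTTP and expects a redirect to HTTPS, then checks that the HTTPS page loads and sends a Strict-Transport-Security header. The host name and paths are constructed placeholders; replace them with your own content pages, CMS, control panel and form addresses.

```python
"""Site-wide HTTPS check (added example): every path must redirect HTTP to
HTTPS, load over HTTPS and send Strict-Transport-Security (HSTS)."""
import urllib.error
import urllib.request

# Constructed placeholder host and paths covering the page types named in the
# advice: content pages, the CMS, the control panel login and a customer form.
HOST = "shop.example"
PAGES = ["/", "/products", "/cms/", "/cpanel/login", "/contact-form"]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url):
    """Return (status, lowercase header dict); status is None if unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses still carry headers
        return err.code, {k.lower(): v for k, v in err.headers.items()}
    except (urllib.error.URLError, OSError):
        return None, {}

def check_page(host, path, fetch=fetch):
    """Return a list of problems for one path; an empty list means it passes."""
    problems = []
    status, headers = fetch(f"http://{host}{path}")
    target = headers.get("location", "")
    # A plain-HTTP request must be redirected, and only to the HTTPS version.
    if status not in (301, 302, 307, 308) or not target.startswith(f"https://{host}"):
        problems.append(f"{path}: HTTP is not redirected to HTTPS (got {status} {target!r})")
    status, headers = fetch(f"https://{host}{path}")
    if status is None or status >= 400:
        problems.append(f"{path}: HTTPS page did not load (status {status})")
    elif "strict-transport-security" not in headers:
        problems.append(f"{path}: no Strict-Transport-Security header")
    return problems

def check_site(host=HOST, paths=PAGES, fetch=fetch):
    """Map each path to its list of problems; all empty means the site passes."""
    return {path: check_page(host, path, fetch) for path in paths}

if __name__ == "__main__":
    for path, problems in check_site().items():
        print(path, "OK" if not problems else "; ".join(problems))
```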
Update software and devices
Running a business is hectic. There’s so much to remember and keep track of – from payroll to sales and purchase transactions and stock control. Give yourself one less thing to think about by automating as many tasks as you can, including updates.
Updates not only add new features, they fix issues or vulnerabilities that allow attackers to get your information. Most software companies work hard to make sure security holes are fixed in each software update.
As the business owner, it’s your responsibility to make sure your website’s software is updated and any security patches are applied. This includes things like plugins on your content management system and your web server.
Get PCI DSS compliant
Whether you’ve had a website for a while and would now like to accept payments online, or you’re starting out with a new e-commerce site, there are important security requirements to consider.
The Payment Card Industry Data Security Standard (PCI DSS) helps ensure online transactions on your website are safe and secure, and that your customers' card data is protected from attackers. This standard enforces security best practices that you can also apply to the rest of your business. By being PCI DSS compliant you’re well-placed to avoid a security breach that can result in loss of revenue, customer trust and reputation.
Most banks require PCI DSS compliance when accepting online payments, so talk to yours about what’s involved.
Renew your domain
If your domain were to expire, it would be possible for an attacker to claim it and set up their own scam website selling fake goods or serving malware under your business’ name.
Ask your domain provider about auto-renewing your domain.
Use a strong and unique login password
Logins are a particular point of vulnerability for any website. Create a long and strong login password for your website that is different from any used for other services. We recommend a passphrase of four or more words that are not based on any personal information.
Turn on two-factor authentication
Any systems you can log in to over the internet are susceptible to attack. We strongly recommend adding two-factor authentication (2FA) to your website. That way, an attacker would need your 2FA code as well as your password to access your site.
Back your website up regularly
Even with the best laid plans, things can go wrong. Having a recent backup means you can restore your data quickly and easily if it’s lost, leaked or stolen, and get back up and running again.
You’ll thank yourself for having a recent backup should any of these scenarios occur:
- your web server gets hit with ransomware and stops responding
- your website’s compromised by another sort of online attack
- you accidentally delete a section.
Backups are most useful if they’re recent and cover both the pages themselves and any data your website holds, like customer databases. Ensure you or your provider set your backups to take place automatically. It’s preferable to make a couple of copies and store them in different, secure (but easily accessible) places. That way, if one backup is compromised, you have a spare.
Review your website regularly
It seems pretty obvious, but one of the best ways to keep your website safe is to keep an eye on it. The more familiar you are with your website, the more likely you are to spot something that’s out of place. Look out for such things as:
- the appearance of unfamiliar or unusual content – it might mean someone else has access to your site and is using it to host bad content
- an unexpected drop off in online sales – it could mean someone has gained access and modified your website to make payments go to their account.
Understand your privacy obligations
It’s important to be aware of your obligations under the Privacy Act, particularly those relating to the collection, storage and disclosure of customer information. You are required to include a privacy statement on your website outlining:
- why you collect customer information
- how you use customer information
- how your customers can find out what information is held by your business.
The Office of the Privacy Commissioner (OPC) has done all the hard work for you and come up with a handy Privacy Statement Generator so you can quickly and easily create a privacy statement that's right for your business.
For more information on New Zealand’s privacy laws and contact details for the OPC, visit their website.
New Privacy Act
On 1 December 2020, changes to the Privacy Act (2020) came into effect. The Act introduces a privacy breach notification regime. If a business or organisation has a privacy breach that it believes has caused (or is likely to cause) serious harm, it will need to notify the Office of the Privacy Commissioner and affected individuals as soon as possible. We recommend businesses and organisations review the guidance on the OPC website to ensure they are aware of their responsibilities and obligations.
Create an incident response plan
An incident response plan is invaluable should something go wrong. Having a step-by-step plan in place before a cyber security incident occurs will help you take control of the situation, navigate your way through, reduce the impact on your business and get back on your feet quickly. Your plan should include the contact details for your IT and communications support people.
If you experience – or think you may have experienced – a cyber security incident, report it to us. We’ll help you identify the issue and let you know the steps you can take to mitigate it and prevent it happening again. We’ll also use the information you provide to create advice and guidance for others who might experience the same issues. The more information reported to us, the better able we are to help everyone.
Top tips to protect your website
Keep your business and customer information safe by working through the steps on the 'Secure your website' checklist. Some, you'll be able to work through yourself, while your IT provider might need to give you a hand with the others.