There are many ways attackers might target your business. Some are more obvious, like if your business loses money or you are suddenly unable to access your online systems. Other attacks are harder to detect, for example, an attacker may use your website or network to attack others. Luckily, there are things you can do to help prevent your business being the target of an attack.

To reduce your chances of experiencing any kind of online incident, everyone in your business needs to be aware of the risks and commit to safe practices. Make sure you set aside time to educate yourself and staff on new threats and regularly check-in with any questions or concerns.

Safeguarding yourself from cyber security threats can be easier than it seems. Some simple measures to significantly reduce risks include:

• Backing up systems and data regularly.
• Encrypting important systems and data.
• Keeping all software up-to-date.
• Installing security software to protect from viruses and other malicious programs.
• Using strong and unique passwords or passphrases across all your accounts.

Top online security tips for your business(external link) — Own Your Online

Get Cyber Smart(external link) — CERT NZ

What to do if you've been hacked

Storing and backing up data

Protecting business data

Protecting customer and employee information

Scammers are often inventing new ways to try and trick people and businesses. But scams usually have common characteristics you can look out for.

Scams usually start when someone makes unexpected contact with you. This could be in person, by phone, letter or email.

In exchange for money or private information, they may:

• make you an attractive offer, eg connections to angel investors if you pay an upfront finder’s fee, or access to crypto currencies
• say you urgently need important products/services, eg critical software updates 
• pretend to be someone they’re not, eg your bank, a supplier or a senior leader within your own business.

If you think you’ve been scammed

1. Stop all contact with the scammer.
2. If you’ve provided any financial details, call your bank.
3. Report the scam.

You can’t blame staff for getting things wrong if they don’t know the rules or understand what the risks are. Take time to educate your staff and make sure all your employees, and anyone else who may have access to your IT systems, are aware of the common characteristics of a scam, how to detect cyber security risks and how to avoid them.

It’s a good idea to:

• Get staff to read the content on this page so they are familiar with common risks and how to avoid them.
• Make sure staff know when it’s appropriate to share private information and financial details, and with who.
• Set policies around payment for products and services.
• Set out the dos and don’ts for new staff as part of getting them on board.
• Keep regular updates about new security risks and scams.
• Create a password policy
• Have a cyber security policy.

Educating your staff about online security(external link) — Own Your Online

Create an online security policy for your business(external link) — Own Your Online

Create a password policy for your business(external link) — Own Your Online

Here are some common ways scammers and hackers may target your business. But remember, different scams are always being invented. A good rule of thumb is if a deal sounds suspicious or too good to be true, it probably is.

Malicious spam emails

What is it?
Any unexpected email from someone asking you for money or personal information.

What to do:

• Don’t reply — if you do, it confirms your email address is active and ready for further 'offers'.
• Don’t open attachments from senders you don’t know — the same goes for clicking on links, which can infect your computer with malicious programs.
• Don’t forward hoax emails — if you get an email that looks like a hoax, it probably is.

Note: If you do receive an out-of-character request for private information or money from a sender you recognise, it always pays to verify with senders over the phone.

If you aren’t sure if the person who has contacted you is genuine, a little investigation can put your mind at ease.

Depending on how they made contact, there are a number of ways you can check their legitimacy:

• Never assume a company is based in New Zealand just because its website address ends “.nz”.
• Check payment pages are secure. Look for the padlock symbol used on websites, and make sure the URL begins with “https” — the “s” stands for secure. Only make payments if it’s a transaction you initiated. Remember, a padlock symbol doesn’t necessarily mean the website is legitimate.
• Do an online search for the company’s name online and the word “scam”. You may find stories from people caught out by a similar scam.
• Always check contact details, especially if it’s only a mobile number or an email. Do an online search on the company name to check if the contact details given match those on its website. This is because scammers sometimes pretend to be from legitimate companies or organisations. 
• If you call and can’t get through, or it goes to an overseas call centre, it may be a scam.

Search for a company(external link) — Companies Office