In association with
Protecting business data
As data breaches and online threats become more common, it’s important to take active measures to safeguard critical systems and sensitive information. These practical cyber security and data safety tips will help you keep your data safe and secure.
Know the risks
Proper storage and regular backups will help protect your important information from system failures or improper use. But an increasingly complex online world means you need to also protect your data from unauthorised access, whether it’s an accidental breach by someone in your business or by a hacker.
Ignoring cyber security threats and data breaches puts your reputation — and bottom line — at risk.
Recovering from a cyber attack or data breach could be an expensive undertaking. Take precautions so you don’t fall victim.
Consider doing a cyber security risk assessment about your business. It will help you identify what you value, what your risks are and how to mitigate them.
Online security risk assessments for your business(external link) — Own Your Online
Cyber security: What is it?
Cyber security is about protecting information, devices and systems from unauthorised access, attack or other risks.
Common threats to a business’s data and systems include:
- Data breaches: When private information is released into an unsecured environment. This could be done on purpose or by accident.
- Malware: Malicious software designed to damage or harm a computer system. Ransomware is a type of malware that denies a user access to their files or computer systems unless they pay a ransom.
- Denial-of-service: Attacks that aim to restrict or impair access to a computer system or network. Typically, the aim is to prevent legitimate users from accessing websites or payment services.
- Insider threats: Someone who has inside knowledge threatens your business.
Own Your Online has more details on common cyber security threats to New Zealand businesses, including how to prevent them and what to do if they happen to you.
Common risks and threats for business(external link) — Own Your Online
Get protected(external link) — Own Your Online
Assess your weak points
To best protect your systems and data, you need to identify and address your vulnerabilities and your important assets.
To work out whether you are doing enough to protect your business from cyber security incidents, use Own Your Online’s security risk assessment. The assessment will help you better understand both your business processes, and the systems and data that’s important to secure.
Online security risk assessments for your business(external link) — Own Your Online
If you have lots of holes and don’t know how to manage them, consider paying a security specialist to help you set up a security process.
Restrict access to your systems to those who really need it.
This makes it harder for attackers to find an account with access.
Wherever you store personal information, your customers trust you to protect it.
Plan to protect important data
Protecting important data is all part of continuity planning — being prepared to recover from any problems. Follow these steps:
- Identify everything that holds vital data. This is the information, records and systems that you can’t do without, or would be most damaging if lost.
- Make protecting vital data a priority. Put extra security measures in place to protect sensitive data from different kinds of threats. This might be customer details, confidential agreements, financial records and any trade secrets or other intellectual property.
- Plan ahead for different scenarios. Map out a step-by-step approach of what to do if important data is lost, breached or hacked. You will be able to respond quickly — and have a better chance of minimising any negative impacts. Don’t just think about it. Write it down.
- Make sure staff know what to do. This includes training or check-ins, and making sure passwords are protected and updated.
- Put your plan into practice. Test different scenarios regularly. Make any changes to your plan if it doesn’t work as expected.
Secure your small business network(external link) — Own Your Online
The Office of the Privacy Commissioner also has a step-by-step toolkit on how to plan and respond to data breaches.
Privacy breach guidance(external link) — Office of the Privacy Commissioner
Make sure all staff and systems have unique passwords.
It’s easier for cyber attackers to gain access to shared accounts because the password is often weaker or it’s easier to find. It’s easier for computers to run a task and guess lots of passwords, so the stronger the better.
How to create good passwords(external link) — Own Your Online
Cyber security steps
There are a number of easy things you can do to protect your information. The key is to commit to safety measures. If you have staff, make sure they are trained and kept up to date on any new risks or protective steps.
Passwords and passphrases
- Always use strong passwords or passphrases to protect your devices and data.
- Use passphrases, rather than passwords. Passphrases are unique, at least 15 characters long and a combination of different character types, for example, IAte23OfDiana'sSandwiches!.
- Change any default passwords and usernames that come with a new device as soon as you get it.
- Don’t use the same password or passphrase for more than one of your systems or staff. Hackers could get into all your most sensitive information in one hit.
Create a password policy for your business(external link) — Own Your Online
Do not store passwords or passphrases on your online systems or devices — this makes them too easy to find. Instead use a password manager. There are many free or low-cost options available. Make sure you choose a reputable one.
Using a password manager in your business(external link) — Own Your Online
Don’t leave factory or administrator passwords in place on your WiFi, modem or any devices.
Change these to strong passwords or passphrases — and make it part of your off-boarding process to change them each time someone leaves the business.
Secure your small business network(external link) — Own Your Online
Software updates
Software providers release regular software updates to fix and bugs or weaknesses that have been found. It’s one of the easiest and best things to do to mitigate against cyber attacks. You may want to put off software updates for later, but it’s time well spent to keep your systems safe. This includes updating everything – your devices, printers, routers, and internet connected TV. Own Your Online recommends turning on automatic updates, so you don’t have to think about it.
If your device alerts you to an update, don't ignore it.
The latest updates or versions often fix any new vulnerabilities to cyber attacks.
Encryption
Add a further security layer by encrypting data with a key. Check if a cloud service will do this for you, or you can look into free software that will help you do this yourself.
Antivirus protection software
Installing paid antivirus software on computers is an easy way to protect your data. Keep your software up-to-date to fight off the latest malware. Install patches and updates from your internet service provider.
Consider getting protection from malware, a term covering software threats, including:
- Viruses: Code that can copy itself and infect computers and other devices.
- Trojan horses: Programs designed to breach and take over parts of a system.
- Ransomware: Software that blocks access to a computer until a ransom is paid.
- Spyware: Software used to secretly get information sent from a computer about how it’s being used.
- Adware: Software that automatically downloads or displays often unwanted adverts.
Digital Resources has more tips on antivirus software and security.
Anti-virus software(external link) — Digital Resources
Always encrypt sensitive data — no matter how you decide to store it.
Encryption makes data indecipherable to those who don’t have the key to access it.
Firewalls
A firewall is software or hardware that protects your computer or device against online threats. It helps you monitor who or what is allowed to access your system. It will also notify you if your computer or device is trying to access something suspicious online. Think of it as a door between your computer and the internet. It helps you let the right things in and keep suspicious activity out.
Two-factor authentication
Two-factor authentication (2FA) makes it much more difficult for hackers to crack into your systems. 2FA ensures a user can only gain access if they have an extra credential above a valid username and password. This extra credential may be a PIN number, access to a physical security key or token, or a unique identifier, for example, a fingerprint. You should enable it for your most important systems, accounts and devices.
Top online security tips for your business(external link) — Own Your Online
Best practice from cyber security experts
Hear the top tips on keeping small businesses safe online from experts from the private sector and government agencies.
Cyber insurance
If your business relies on sensitive information, it’s a good idea to think about cyber insurance. It can cover data breaches, website hacking and IT scams. Make sure a policy covers your areas of risk. An insurance broker can help you understand what a policy does or doesn’t cover. If you’re sorting out your own insurance, read the fine print to make sure it covers a cyber attack.
Own Your Online has more practical steps you can take to keep data safe and secure online.
Get protected(external link) — Own Your Online
Use a web developer who builds using the OWASP Top 10 guidelines.
This is a list of the 10 most critical web application security risks.
Choosing an IT service provider(external link) — Own Your Online
Protect your website(external link) — Own Your Online
Manage online behaviour
Security breaches can often be caused by an employee doing something they shouldn’t, usually inadvertently. If employees use computers and mobiles devices at work, or work devices out of work:
- Create a cyber security policy so they know the rules.
- Make sure everyone who uses your devices is trained to keep data and systems safe.
- Give staff the right level of access to your systems and apps, and only to staff who need to use them.
Create an online security policy for your business(external link) — Own Your Online
Insider threat(external link) — Own Your Online
The Office of the Privacy Commissioner has short online courses, including one on the new Privacy Act 2020, to train people on privacy best practices.
eLearning(external link) — The Office of the Privacy Commissioner
Create an easy IT and social media policy(external link) — Workplace Policy Builder
Internet and social media use(external link) — Employment Agreement Builder
Staff awareness is key to preventing cyber security incidents and data breaches.
Make sure everyone in your business knows how to keep important data and systems secure.
Educating your staff about online security(external link) — Own Your Online
Best practice to keep staff safe
Hear top tips that will help small businesses keep their staff safe online, from experts from the private sector and government agencies.
