Protecting business data

As data breaches and online threats become more common, it’s important to take active measures to safeguard critical systems and sensitive information. These practical cyber security and data safety tips will help you keep your data safe and secure.

Know the risks

Proper storage and regular backups will help protect your important information from system failures or improper use. But an increasingly complex online world means you need to also protect your data from unauthorised access, whether it’s an accidental breach by someone in your business or by a hacker.

Ignoring cyber security threats and data breaches puts your reputation — and bottom line — at risk.

Recovering from a cyber attack or data breach could be an expensive undertaking. Take precautions so you don’t fall victim.

Consider doing a cyber security risk assessment of your business. It will help you identify what you value, what your risks are and how to mitigate them.

Online security risk assessments for your business(external link) — Own Your Online

Cyber security: What is it?

Cyber security is about protecting information, devices and systems from unauthorised access, attack or other risks.

Common threats to a business’s data and systems include:

  • Data breaches: When private information is released into an unsecured environment. This could be done on purpose or by accident.
  • Malware: Malicious software designed to damage or harm a computer system. Ransomware is a type of malware that denies a user access to their files or computer systems unless they pay a ransom.
  • Denial-of-service: Attacks that aim to restrict or impair access to a computer system or network. Typically, the aim is to prevent legitimate users from accessing websites or payment services.
  • Insider threats: Someone who has inside knowledge threatens your business.

Own Your Online has more details on common cyber security threats to New Zealand businesses, including how to prevent them and what to do if they happen to you.

Common risks and threats for business(external link) — Own Your Online

Get protected(external link) — Own Your Online

Assess your weak points

To best protect your systems and data, you need to identify and address your vulnerabilities and your important assets.

To work out whether you are doing enough to protect your business from cyber security incidents, use Own Your Online’s security risk assessment. The assessment will help you better understand both your business processes and the systems and data that are important to secure.

Online security risk assessments for your business(external link) — Own Your Online

If you have lots of holes and don’t know how to manage them, consider paying a security specialist to help you set up a security process.

Restrict access to your systems to those who really need it.

This makes it harder for attackers to find an account with access.

Wherever you store personal information, your customers trust you to protect it.

Plan to protect important data

Protecting important data is all part of continuity planning — being prepared to recover from any problems. Follow these steps:

  1. Identify everything that holds vital data. This is the information, records and systems that you can’t do without, or would be most damaging if lost.
  2. Make protecting vital data a priority. Put extra security measures in place to protect sensitive data from different kinds of threats. This might be customer details, confidential agreements, financial records and any trade secrets or other intellectual property.
  3. Plan ahead for different scenarios. Map out a step-by-step approach of what to do if important data is lost, breached or hacked. You will be able to respond quickly — and have a better chance of minimising any negative impacts. Don’t just think about it. Write it down.
  4. Make sure staff know what to do. This includes training or check-ins, and making sure passwords are protected and updated.
  5. Put your plan into practice. Test different scenarios regularly. Make any changes to your plan if it doesn’t work as expected.

Secure your small business network(external link) Own Your Online

The Office of the Privacy Commissioner also has a step-by-step toolkit on how to plan and respond to data breaches.

Privacy breach guidance(external link) — Office of the Privacy Commissioner

Make sure all staff and systems have unique passwords.

It’s easier for cyber attackers to gain access to shared accounts because the password is often weaker or easier to find. Computers can also run a task that guesses lots of passwords, so the stronger the password, the better.

How to create good passwords(external link) — Own Your Online

Cyber security steps

There are a number of easy things you can do to protect your information. The key is to commit to safety measures. If you have staff, make sure they are trained and kept up to date on any new risks or protective steps.

Passwords and passphrases

  • Always use strong passwords or passphrases to protect your devices and data.
  • Use passphrases, rather than passwords. Passphrases are unique, at least 15 characters long and a combination of different character types, for example, IAte23OfDiana'sSandwiches!.
  • Change any default passwords and usernames that come with a new device as soon as you get it.
  • Don’t use the same password or passphrase for more than one of your systems or staff. Hackers could get into all your most sensitive information in one hit.

Create a password policy for your business(external link) — Own Your Online

Do not store passwords or passphrases on your online systems or devices — this makes them too easy to find. Instead use a password manager. There are many free or low-cost options available. Make sure you choose a reputable one.

Using a password manager in your business(external link) — Own Your Online

Watch: Protect your online accounts

Video transcript: Unmask Cyber Crime: Episode 2 - Protect your online accounts

[Visual] The screen opens up to display our unmasked real leader. Throughout the episode you will see our unmasked real leader on the right side of the screen and our masked fake leader, whose mask looks like the real leader's face, on the left, sometimes they will appear solo and sometimes side-by-side. The masked fake leader will often mimic the unmasked real leader. 

[Audio: Real Leader] Small businesses account for the biggest segment of the business sector in Aotearoa. That's great for our economy.

[Audio: Fake Leader] But some of you aren't great on your passwords.

[Visual] Unmask Cyber Crime intro graphic - Episode two - Protect Your Online Accounts  

[Visual] Montage of the unmasked real leader flickering through different outfits to represent different business industries, including real estate, accounting, construction, retail, hospitality, floristry and farming.

[Audio: Real Leader] Say you're a manager of a construction company. You may think your and your business’s accounts aren't big enough for scammers to target…

[Audio: Fake Leader] …but I'm interested in anything you've got.

[Audio: Real Leader] Especially if you use a weak password.

[Audio: Fake Leader] One you like to use for everything. One that's less than 16 characters. Or that's just a simple word. It all makes it super easy to get into your online accounts.

[Audio: Real Leader] And just like that, they have your bank accounts…

[Audio: Fake Leader] Draining your hard-earned revenue.

[Audio: Real Leader] Your emails…

[Audio: Fake Leader] Say goodbye to upcoming jobs, or client lists. 

[Audio: Real Leader] And your social media…

[Audio: Fake Leader] Reputation, ruined.

[Audio: Real Leader] And none of them are opposed to blackmailing you if you want those accounts back. 

[Audio: Fake Leader] Not at all.

[Audio: Real Leader] And if your passwords are being reused, they can be easy to get – through databases of already stolen credentials…

[Audio: Fake Leader] Or if you're only using short ones, I've got software that cracks them in a snap.

[Audio: Real Leader] But…. 

[Visual] Montage of the unmasked real leader and masked fake leader flickering through different outfits to represent different business industries, including real estate, accounting, construction, retail, hospitality, floristry and farming.

[Audio: Real Leader] …for any business, there are many simple steps you can take to make sure it's just you making the business calls.

Make your passwords 16 or more characters, they're more secure that way.

[Visual] Graphic on screen - Make your password long, strong and unique

[Audio: Real Leader] Use a passphrase rather than a word, and don't use the same one on multiple online accounts. 

[Visual] Graphic on screen - Use a passphrase rather than a word

[Visual] Graphic on screen - Use a different password for each account

[Audio: Fake Leader] What? No…definitely reuse them.

[Audio: Real Leader] Get a password manager to safely store your passwords.

[Visual] Graphic on screen - Keep your passwords safe in a password manager

[Audio: Fake Leader] I can manage them for you.

[Audio: Real Leader] A password manager is basically a vault for all your passwords, and it means you only have to remember one password to unlock it. Leaving it to securely remember all your other passwords for you.

And meaning you can get creatively complex with your other passwords. Or, even easier, it can generate them for you.

[Audio: Fake Leader] …there's no need for creative complexity.

[Audio: Real Leader] Set up two-factor authentication, or 2FA, on all your online accounts to add a valuable second layer of protection against someone trying to get access to your accounts.

[Visual] Graphic on screen - Set up Two-Factor Authentication (2FA) 

There are many different forms of 2FA. For example, an app that auto generates a code you must enter to log-in.

[Audio: Fake Leader] So I do all that work for your password and then you go and add an extra layer of protection, with… THAT?

[Audio: Real Leader] At a minimum this should be set up on all your important accounts.

[Audio: Fake Leader] Or not any…

[Audio: Real Leader] And lastly, download and put up our Own Your Online posters at your workplace to remind your team to use long, strong and unique passwords.

That's how to Unmask Cyber Crime by protecting your accounts. In the next video, I'll show you how to protect your data and systems.

[Visual] Unmask Cyber Crime graphic leading to end screen slide with Own Your Online - Learn how to protect yourself online at ownyouronline.govt.nz/business. 

[Video ends.]

To learn more about cyber security in your business visit Own Your Online. 

Business online security series(external link) — Own Your Online

Don’t leave factory or administrator passwords in place on your WiFi, modem or any devices.

Change these to strong passwords or passphrases — and make it part of your off-boarding process to change them each time someone leaves the business.

Secure your small business network(external link) — Own Your Online

Software updates

Software providers release regular software updates to fix any bugs or weaknesses that have been found. Installing them is one of the easiest and best things you can do to protect against cyber attacks. You may want to put off software updates for later, but it’s time well spent to keep your systems safe. This includes updating everything: your devices, printers, routers and internet-connected TVs. Own Your Online recommends turning on automatic updates, so you don’t have to think about it.

Watch: Protect your data and systems 

Video transcript:  Unmask Cyber Crime: Episode 3 - Protect your data and systems

[Visual] The screen opens up to display our unmasked real leader. Throughout the episode you will see our unmasked real leader on the right side of the screen and our masked fake leader, whose mask looks like the real leader’s face, on the left, sometimes they will appear solo and sometimes side-by-side. The masked fake leader will often mimic the unmasked real leader. 

[Audio: Real Leader] Cyber scammers are here, constantly targeting those who don't lock down their systems. To make the calls you should be making.

[Audio: Fake Leader] You have so much data and information that's valuable for me.

[Visual] Unmask Cyber Crime intro graphic - Episode three - Protect Your Data and Systems  

[Visual] Montage of the unmasked real leader and fake leader flickering through different outfits to represent different business industries, including real estate, accounting, construction, retail, hospitality, floristry and farming.

[Audio: Real Leader] Like in a real estate firm, where the data and information you hold on behalf of your customers and clients are super sensitive – and just the kind of details cyber scammers are after.

[Audio: Fake Leader] Yep.

[Audio: Real Leader] Their names, email addresses, and personal information are great ammunition for phishing campaigns.

[Audio: Fake Leader] I can impersonate you to your friends or family - or your bank!

[Audio: Real Leader] It isn't a great look for any business if your clients or partner's personal data gets released publicly.

[Audio: Fake Leader] It's pretty embarrassing. 

[Audio: Real Leader] They could even lock you out of your systems and blackmail you, to either get the data back or to stop them from releasing it publicly.

[Audio: Fake Leader] I accept cash.

[Audio: Real Leader] But…. 

[Visual] Montage of the unmasked real leader and fake leader flickering through different outfits to represent different business industries, including real estate, accounting, construction, retail, hospitality, floristry and farming.

[Audio: Real Leader] …for any business, there are things you can do to protect the data you've been trusted with.

Take note of all the data you capture, and review it regularly so you don't possess information you don't need. 

[Visual] Graphic on screen - Take note of all data and review it regularly 

Create a policy for how you collect, handle and store sensitive customer data. 

[Visual] Graphic on screen - Create a policy for how you collect, handle and store data 

[Audio: Real Leader] Then, assign ownership of the information to someone in your business.

[Visual] Graphic on screen - Assign ownership of the information you hold

[Audio: Fake Leader] No no, there's no need.

[Audio: Real Leader] You want to keep your systems secure. If your software is vulnerable, scammers have no shame in jumping in to exploit them or steal your data.

[Audio: Fake Leader] If I learn of a vulnerability in your systems, I’ll exploit it. 

[Audio: Real Leader] It’s important to set up your software to update automatically. Developers are constantly upgrading their code, to increase your cyber security, and fix vulnerabilities.

[Audio: Fake Leader] You don't need to be that organised.

[Audio: Real Leader] There are a range of things that need updating, including wifi routers, website platforms and anything that connects to the internet.

For anything that doesn't update automatically – like any systems, data or software – make an inventory of them and put a system in place to make sure that someone is updating all of them manually.

[Audio: Fake Leader] Nahhhh don’t worry about doing that….

[Audio: Real Leader] But, there are things you can do to help your business recover if it happens to you.

Make sure you are regularly backing up your business data, using the 3-2-1-1 method.

[Visual] Graphic on screen 3, 2, 1, 1

[Audio: Fake Leader] You don't know what that is? Don't worry about it…

[Audio: Real Leader] Which is simply that your organisation must have 3 copies of back up data.

[Visual] Graphic on screen:

  • 3 copies of back up data
  • 2 types of storage media
  • 1 copy off-site
  • 1 physical back-up offline.

[Audio: Fake Leader] Three?

[Audio: Real Leader] On two different types of storage media.

[Audio: Fake Leader] Hmm?

[Audio: Real Leader] With one copy off-site, for example in alternative cloud storage.

And one copy of a physical back-up kept offline such as a USB stick.

[Audio: Fake Leader] Go ahead and skip those steps.

[Audio: Real Leader] This makes sure these guys can never force you to pay to restore everything your business has worked hard for.

[Audio: Real Leader] This was quite a lot of info, so for a full run down of how to keep your data and systems secure visit www.ownyouronline.govt.nz.

[Visual] Graphic on screen ownyouronline.govt.nz

In the next video, I'll help you Unmask Cyber Crime by tidying up your website and social media hygiene.

[Visual] Unmask Cyber Crime graphic leading to end screen slide with Own Your Online - Learn how to protect yourself online at ownyouronline.govt.nz/business. 

[Video ends.]

To learn more about cyber security in your business visit Own Your Online.

Business online security series(external link) — Own Your Online

If your device alerts you to an update, don't ignore it.

The latest updates or versions often fix any new vulnerabilities to cyber attacks.

Encryption

Add a further security layer by encrypting data with a key. Check if a cloud service will do this for you, or you can look into free software that will help you do this yourself.

Antivirus protection software

Installing paid antivirus software on computers is an easy way to protect your data. Keep your software up-to-date to fight off the latest malware. Install patches and updates from your internet service provider.

Consider getting protection from malware, a term covering software threats, including:

  • Viruses: Code that can copy itself and infect computers and other devices.
  • Trojan horses: Programs designed to breach and take over parts of a system.
  • Ransomware: Software that blocks access to a computer until a ransom is paid.
  • Spyware: Software used to secretly get information sent from a computer about how it’s being used. 
  • Adware: Software that automatically downloads or displays often unwanted adverts.

Digital Resources has more tips on antivirus software and security.

Anti-virus software(external link) — Digital Resources

Always encrypt sensitive data — no matter how you decide to store it.

Encryption makes data indecipherable to those who don’t have the key to access it. 

Firewalls

A firewall is software or hardware that protects your computer or device against online threats. It helps you monitor who or what is allowed to access your system. It will also notify you if your computer or device is trying to access something suspicious online. Think of it as a door between your computer and the internet. It helps you let the right things in and keep suspicious activity out.

Two-factor authentication

Two-factor authentication (2FA) makes it much more difficult for hackers to break into your systems. 2FA ensures a user can only gain access if they have an extra credential on top of a valid username and password. This extra credential may be a PIN, access to a physical security key or token, or a unique identifier, for example, a fingerprint. You should enable it for your most important systems, accounts and devices.

Top online security tips for your business(external link) — Own Your Online

Best practice from cyber security experts

Hear the top tips on keeping small businesses safe online from experts from the private sector and government agencies.

Watch full webinar(external link)

Cyber insurance

If your business relies on sensitive information, it’s a good idea to think about cyber insurance. It can cover data breaches, website hacking and IT scams. Make sure a policy covers your areas of risk. An insurance broker can help you understand what a policy does or doesn’t cover. If you’re sorting out your own insurance, read the fine print to make sure it covers a cyber attack.

Own Your Online has more practical steps you can take to keep data safe and secure online.

Get protected(external link) — Own Your Online

Use a web developer who builds using the OWASP Top 10 guidelines.

This is a list of the 10 most critical web application security risks.

Choosing an IT service provider(external link) — Own Your Online

Protect your website(external link) — Own Your Online

Manage online behaviour

Security breaches can often be caused by an employee doing something they shouldn’t, usually inadvertently. If employees use computers and mobile devices at work, or work devices outside of work:

  • Create a cyber security policy so they know the rules.
  • Make sure everyone who uses your devices is trained to keep data and systems safe.
  • Give staff the right level of access to your systems and apps, and only to staff who need to use them.

Create an online security policy for your business(external link) — Own Your Online

Insider threat(external link) — Own Your Online

The Office of the Privacy Commissioner has short online courses, including one on the new Privacy Act 2020, to train people on privacy best practices.

eLearning(external link) — The Office of the Privacy Commissioner

Staff awareness is key to preventing cyber security incidents and data breaches.

Make sure everyone in your business knows how to keep important data and systems secure. 

Educating your staff about online security(external link) — Own Your Online

Best practice to keep staff safe

Hear top tips that will help small businesses keep their staff safe online, from experts from the private sector and government agencies.

Watch full webinar(external link)
