
Take the digital assessment

The cyber security of your business is critical. But what do you need to do, and how do you start?

Take the free assessment from Digital Journey. You can see whether you're doing enough to protect your business from cyber risks. You'll receive an individual action plan with some steps that you can take to protect your business – and your customers.

Go to the assessment

Learn about cyber security essentials

Using anti-virus software is one of the easiest and most effective ways to protect your computer, but you need to install every update.

Anti-virus software is a computer program that attempts to identify, neutralise or eliminate malicious software, such as:

  • viruses
  • worms
  • phishing attacks
  • trojan horses

Anti-virus software typically uses two different techniques to do this:

  1. During a scheduled scan, it will examine files on your computer to look for known viruses (it may also scan files as you access them)
  2. It will attempt to identify suspicious behaviour from any computer program

Why update anti-virus software?

Anti-virus software depends on virus or malware definitions. These definitions are a database of malware signature files that are used to identify malicious software. A signature file is the unique information associated with each piece of malware.

Cyber-criminals are always looking for new ways to get your information and money. So they are constantly writing and circulating malicious software online. To ensure your computer is protected from the latest threat, your anti-virus software provider must update their database of definitions as new malware is discovered. So set your anti-virus software to check for updates at least once a day. Although this is usually the default for most software, it’s worth checking to make sure.

Remember, to update its virus definitions, your anti-virus software needs an internet connection. If you don’t connect to the internet regularly you're leaving yourself open to all the threats that have evolved since your last update.

Whether the software is paid or free, make sure your anti-virus subscription doesn’t lapse. Lapsed software won't protect you against internet and email threats.

Here are a few free anti-virus and anti-malware services:

For a guide to selecting anti-virus software, see the Consumer Affairs guide

A business continuity plan (BCP) focuses on your people, processes and tools. It ensures that they'll be effective during a disaster. Take the Christchurch earthquake, for example. We've all seen how disasters can affect businesses that aren't prepared for disruption.

In the event of a disaster, you'll need to consider how to manage staff as well as how to access resources and data. So a business continuity plan covers most or all your critical business processes and operations. It'll allow you to identify risks and outline plans to reduce negative impact on your services.

Depending on your organisation, a business continuity plan could include everything from computer viruses to terrorist attacks. For a large organisation, it may be 50 pages and its creation could involve many people. But for a small company, your BCP could be a short document with the following:

  • a list of potential threats
  • the primary tasks to keep the organisation running
  • location of staff personal contact information
  • data backup locations and recovery processes

Where do I start?

Here are a few great resources to help you get started:

Passwords are the first line of defence against unauthorised access to your computer. The stronger your password, the more protected your computer will be from hackers and malicious software, or malware.

You may have heard that you should create strong passwords for all your accounts. But what makes a password strong or weak?

The answer isn't as simple as once thought. The man who came up with the rules on safe passwords is Bill Burr. Fourteen years ago, while working for the US government, Bill suggested that passwords contain:

  • capital letters
  • numbers
  • symbols

He believed these passwords would be difficult to crack. But he's now changed his advice. These passwords are still vulnerable to certain kinds of cyber attacks. For example, brute-force attacks use computers to cycle through all possible character combinations.

Read more about passwords

Passphrases, not passwords

Bill Burr and other cyber security experts now recommend using passphrases. A passphrase is a combination of words that are easy for you to remember.

For a strong passphrase, don't choose common phrases like famous song lyrics or movie titles. These aren't as secure as a random set of words.

Instead, create a passphrase based on your own life. For example, let's say:

  • Your favourite book as a child was The Lorax
  • You grew up on Castle Street
  • You hate coriander
  • Your brother's birthday is 10 May

You might choose the passphrase LoraxCastle10MayCoriander

When creating a passphrase, remember these general rules:

  • Use different passwords for different systems
  • Don't share your passwords with other people
  • Use two-factor authentication
  • Don't write down your passwords/phrases; instead, consider using a password manager
  • The longer your passphrase, the more secure it is
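
The brute-force point and the length rule above can be put in numbers. This added example is not part of the original page: it compares the search space of a short random password with that of a passphrase made of randomly chosen words, then generates one. The word list is a small constructed sample, the function names are illustrative, and the figures apply only to characters or words picked at random.

```python
import math
import secrets

# Constructed sample list, far too small for real use; a practical generator
# draws from a list of several thousand words.
SAMPLE_WORDS = [
    "harbour", "coriander", "lantern", "gravel", "kiwi", "anchor",
    "velvet", "summit", "pebble", "orchard", "tunnel", "marble",
    "ferry", "compass", "willow", "copper",
]


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Brute-force search space, in bits, for `length` characters
    picked uniformly at random from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Search space, in bits, for `num_words` words picked uniformly
    at random from a list of `wordlist_size` words."""
    return num_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words that reaches `target_bits`."""
    if wordlist_size < 2:
        raise ValueError("word list must contain at least two words")
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, target_bits: float = 64.0, sep: str = "-") -> str:
    """Pick words with a cryptographic RNG until the target is met."""
    unique = sorted(set(words))  # duplicates would skew the estimate
    count = words_needed(target_bits, len(unique))
    return sep.join(secrets.choice(unique) for _ in range(count))


if __name__ == "__main__":
    # 8 random characters from the 94 printable ASCII symbols
    print(f"8-char complex password: {random_string_bits(8, 94):.1f} bits")
    # 4 and 5 random words from a 7,776-word list
    print(f"4 random words:          {passphrase_bits(4, 7776):.1f} bits")
    print(f"5 random words:          {passphrase_bits(5, 7776):.1f} bits")
    # The tiny sample list needs many more words for the same strength
    print(generate_passphrase(SAMPLE_WORDS))
```

With a 7,776-word list, four random words roughly match an eight-character random password, and each extra word adds about 13 bits.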

Every business needs a security policy. This is a plan for how your business is protecting its assets. It outlines what an employee can and can’t do when using IT equipment, networks, systems and other digital services.

How to create a security policy

First, consider your business's risk factors:

  • How often do staff members change their passwords?
  • Have you secured your sensitive information?
  • Do your computers have anti-virus software?

Once you've reviewed your risks, think about your current security measures. What are you already doing to protect your assets?

Now, identify an appropriate security policy. How must staff use your network and operate devices for optimal security?

The importance of cyber security policies

If your business doesn't have a security policy, you could be at risk. You could even face potential legal issues. If your business has e-commerce or collects any customer data, cyber security is particularly important.

Cyber security policies can guide staff on acceptable use of devices and online material. The policy reminds your staff of the importance of security and helps them understand the role they play in security.

A cyber security policy will also help give your customers confidence in your business. For this reason, you could even include your security policy on your business website.

Where to start

Your cyber security policy might cover the following areas:

  • The purpose of the policy and the importance of security for your business
  • Email and internet use:
    • Do you have programmes to protect your devices from viruses, spyware and other malicious software?
    • Are your programmes kept up-to-date?
  • Phone and mobile device protection
  • Sensitive data, including customer data:
    • Where are you storing sensitive data?
    • Are there restrictions on who can access sensitive information?
  • IT equipment and software licences:
    • How are you keeping track of who is using business equipment?
    • Do you have an inventory of all assets?
  • Remote access:
    • How do you ensure security while accessing work documents from the road or at home?
  • USB drives and other portable media
  • Monitoring and procedures:
    • How do you know whether staff are following the policy?
    • What are the disciplinary procedures in place to deal with consequences of a breach?
  • Guidelines for customers:
    • What will you email to your customers? This can minimise phishing scams.

Remember, this isn't a complete list, just something to get you started. To help you get started, you can download a security policy template.

Download the template

Once you've written your policy, review and update it every so often.

An important component of your BCP is the disaster recovery plan (DRP). It focuses on the technology and infrastructure that support business operations. The DRP would specify which technology applications and services are mission-critical.

The two most important factors associated with disaster recovery planning are as follows:

  1. Recovery point objective (RPO)
  2. Recovery time objective (RTO)

The recovery point objective (RPO) is the date to which you're recovering your data. For example, are you OK with losing all data created in the past month, week or 24 hours?

The recovery time objective (RTO) is the most time your organisation can tolerate a non-functioning IT system, network or application. For example, can your organisation function without email for an hour, a day or a week?

So first define the RPOs and RTOs for all critical IT services and applications. Then, check that your back-up settings reflect your plans. This could incentivise your organisation to store data in the cloud or use cloud-based applications.

Don't forget to test your disaster recovery plan. Then you can double-check that you'd be back up and running in time.
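
One way to check back-up settings against the plan, as an added example that is not part of the original page: each service records its RPO and RTO alongside its backup schedule, its last successful backup and the duration of its last restore test. The service names, dates and finding codes are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Service:
    name: str
    rpo: timedelta                       # most data loss the business accepts
    rto: timedelta                       # most downtime the business accepts
    backup_interval: timedelta           # how often backups are scheduled
    last_backup: Optional[datetime]      # last successful backup, None if never
    tested_restore: Optional[timedelta]  # last restore test duration, None if untested


def check_service(svc: Service, now: datetime) -> List[str]:
    """Return finding codes where the backups do not meet the RPO or RTO."""
    findings = []
    # A backup schedule slower than the RPO can never meet it.
    if svc.backup_interval > svc.rpo:
        findings.append("INTERVAL_EXCEEDS_RPO")
    # The schedule is only a plan; the newest real backup decides the loss.
    if svc.last_backup is None:
        findings.append("NO_BACKUP")
    elif now - svc.last_backup > svc.rpo:
        findings.append("BACKUP_OLDER_THAN_RPO")
    # The RTO is unproven until a restore has actually been timed.
    if svc.tested_restore is None:
        findings.append("RESTORE_UNTESTED")
    elif svc.tested_restore > svc.rto:
        findings.append("RESTORE_EXCEEDS_RTO")
    return findings


def check_plan(services: List[Service], now: datetime) -> Dict[str, List[str]]:
    """Map each service with at least one finding to its finding codes."""
    report = {}
    for svc in services:
        findings = check_service(svc, now)
        if findings:
            report[svc.name] = findings
    return report


# Constructed sample data: (name, RPO, RTO, interval, last backup, restore test)
NOW = datetime(2024, 5, 10, 9, 0)
H, D = timedelta(hours=1), timedelta(days=1)
SAMPLE_SERVICES = [
    Service("email", 24 * H, 4 * H, 24 * H, datetime(2024, 5, 9, 23, 0), 2 * H),
    Service("accounts", 1 * H, 8 * H, 24 * H, datetime(2024, 5, 9, 23, 0), 3 * H),
    Service("customer-db", 24 * H, 2 * H, 12 * H, datetime(2024, 5, 7, 9, 0), None),
    Service("website", 7 * D, 1 * H, 1 * D, datetime(2024, 5, 10, 1, 0), 5 * H),
]

if __name__ == "__main__":
    for name, findings in check_plan(SAMPLE_SERVICES, NOW).items():
        print(f"{name}: {', '.join(findings)}")
```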

How will you respond to a cyber security incident? Here are key questions to ask yourself to help plan your response.

These questions should help you respond to a cyber security incident. This is a high-level process that you can adapt to suit businesses of all sizes.

  • Have you called the experts? Get specialist help if needed. Don't rely on family or friends to diagnose the problem and solution. A specialist could cost you less in the long-term than getting your response wrong.
  • Can you contact affected customers if required, and what will you tell them?
  • What response is your business taking to rectify the situation? For example:
    • Reset passwords
    • Implement new security procedures
    • Remotely lock or wipe a mobile device
    • Temporarily suspend services and business
  • Do you need to contact the Privacy Commission or other regulatory body regarding this incident?
  • Who is on your emergency call-tree or incident management team? Are these contact details up to date? It's critical to have cellphone numbers for outside working hours.
  • Who is leading your incident response? For example, the first identifier, senior management or someone else?
  • Do you have a conference call number so all parties can share updates and progress with managing the response?
  • Do you have or know media experts who can manage enquiries if required? This includes managing the situation on social media where the rules of engagement are different.

This guide is based on the model developed by the Computer Security Incident Response Teams at the CERT Division of the SEI.

Why is it important?

Identifying and addressing a cyber security issue quickly is critical in managing and containing the situation. This way you can minimise impacts and get back to business as soon as possible.

Unfortunately, no one can predict when a cyber breach will occur and what it might involve. The nature of online threats is constantly evolving. So even if your business already has robust cyber security systems and processes in place, a breach involving your network platforms or a member of your team could still occur.

In the worst-case scenario, failure to deal with an incident could lead to major disruption of your business operations. It could even lead to a breach of legal requirements.

But you can ensure that your business is as prepared as possible so that you can manage any incident as quickly as possible.

Prepare and prevent

Preparation and prevention are your most effective tools in managing a cyber security incident.

First, assess your business's cyber security. You should also:

  • Set out the roles and responsibilities for dealing with cyber incidents
  • Set up an incident database, communication channels and reporting forms

Monitor and detect

Monitor and identify any unusual activity or events that may compromise the integrity of your business's information and systems. This may involve taking steps to protect your business against topical new threats.

Unusual activity or events may include:

  • Alerts and reports about potential malicious activity or vulnerabilities. This can include alerts from intrusion detection system software or reports from your technology or network provider.
  • The theft, loss or breach of a device, including personal mobiles that staff use to access work emails. Staff may feel uncomfortable about reporting such incidents so it's important to encourage people to speak up.
  • External events and publicised or high-profile cyber security incidents, both overseas and in New Zealand. Read media reports and ask whether an incident would've affected your business. Don't assume that you're immune.
  • General day-to-day indicators, such as unusual email activity or incident reports.

You must document the details of any incident or potential breach in your company's cyber security systems. That way, you can move on to the triage process.


The triage process is a critical decision point in any incident management. It involves collecting all available information on an incident to determine the scope of the incident, its impact and what assets are affected. Here are the steps to incident triage:

  1. Categorise: How severe is the incident? What are the potential impacts?
  2. Prioritise: Does this incident need an urgent escalation or is it easy to resolve?
  3. Assignment: Who handles managing and resolving the incident? When does it need to be resolved?


Responding involves taking actions to resolve or mitigate an incident by analysing, coordinating and distributing information. This is likely to involve more than just a technical response: you might need management, communications and legal responses simultaneously. Coordination and information sharing are important.

Technical response

  • Analysing the incident
  • Planning a resolution
  • Coordinating actions
  • Containing any on-going malicious activity
  • Repairing or recovering any affected systems
  • Generating postmortem analysis reports
  • Closing the incident

Your technical response may require advice from your technology/service provider or accredited IT security consultant.

Management response

  • Notifying staff and/or affected customers of a breach
  • Advising which steps you took to resolve the situation
  • Approving courses of action and other communications

Legal response

Your legal response includes actions associated with an incident that could have legal or regulatory implications. These include:

  • Privacy issues
  • Non-disclosure
  • Copyright
  • Any other legal matters

If the incident involves fraud or cyber-crime, you should report the incident to the police.

Resolve and review

Once an incident is resolved, review the cause. To minimise the risk of a similar incident occurring again, review your company's systems and processes. Take the time to review your overall incident management plan: was there anything that your incident response team could have done better?

Portable digital devices include laptops, tablets and phones. They're key to conducting business in a hyper-connected world. To help keep your organisation's portable devices as secure as possible, here are some recommendations:

1. Authentication

All portable digital devices support passwords or PINs. Many also have biometric readers that scan fingerprints for authentication. Always use authentication. If possible, look for two-factor authentication.

2. Malware

Malware can be disguised as a useful application or game. Messaging services can deliver infected files via email, instant messages or multimedia messages.

3. Theft

Portable devices are more likely than other digital equipment to get lost or stolen. Don't leave devices where they can be easily seen, such as in a car. Lock devices when not in use. Your organisation's IT manager or provider should know how to lock or disable devices remotely if they're misplaced.

4. Spam

Unwanted text messages, emails and voice messages from advertisers can appear on portable devices. Besides the inconvenience, you could be charged for inbound messages or data. These messages could also trick users into calling chargeable service numbers. Know how to identify spam, mark it as such and delete it.

5. Software

Consider investing in security software for your portable digital devices. Security software for mobile devices can include:

  • Anti-malware programmes
  • Firewalls to protect against unauthorised connections
  • Whitelist settings to allow use of specified software only

6. Updates

Like other digital devices, it's important that your portable devices are up-to-date. Check every so often that your devices have the most recent security updates and patches. Be aware that many manufacturers stop supporting smartphones 1–2 years after their release. These unsupported devices may pose a risk to your organisation.

You log into work in the morning. A message pops up telling you that all your files have been encrypted or locked...

...and whoever did this is demanding that you pay a fee within 72 hours, or everything will be deleted.

You've just been infected by ransomware!

What is ransomware?

It's a type of malicious software designed to block access to a computer system or files until money is paid. It can affect both individuals and businesses.

Infection happens when you (or someone else within your organisation) opens a link or attachment in an email. Known ransomware viruses include Cryptolocker, Cryptowall and TeslaCrypt. The total number of ransomware attacks is unknown. Many affected organisations and individuals pay the money and move on without reporting the attack.

If you don't have your files securely backed up, it's often impossible to decrypt them without paying the ransom demand.

Not just PCs

Smartphones and tablets aren't immune to ransomware. People have been targeted through social media links or websites that encourage you to install a video player app to watch content.

Ransomware tries to scare, trick or even embarrass you into paying the ransom. For example, some police-themed ransomware locks your screen. It then tells you that New Zealand’s Security Intelligence Service has caught you viewing child pornography or downloading movies. It states they will contact "witnesses" and displays three of your contacts on screen with their names and numbers.

How can I protect my files from ransomware?

1. Education: Make sure you and your staff know about the risks. Be careful when downloading apps, opening files and clicking links. Always verify the sender of attached files and web page links before opening them. Get your staff to complete the Digital Citizenship Assessment from Digital Journey; you'll find the link at the top of this page.

2. Anti-virus software: Anti-virus software can detect most ransomware before it infects your system. So check that your subscription is up-to-date with the latest virus definition files. If you have Android devices, consider installing anti-virus software on them too.

3. Back up all essential information: This will let you rebuild your system if it does get infected. Some ransomware can target USB drives or the network attached to an infected computer, so be careful where you store your backups. Back up your data to a cloud provider, but make sure that the cloud storage is not synced from your local computer. Don't forget to test that your backup process is working, and that your backups can't be infected. If your organisation has a network (even a small one), consider limiting staff access to sensitive files and network drives. This will help limit the spread of an attack.

4. Check your computer: If you are a PC user, Netsafe NZ recommends you use software to look for weaknesses on your machines. 

See the Software Vulnerability Manager from Flexera

What if I become infected?

Netsafe NZ is a great resource and has a wealth of information on how to prevent security breaches and what to do when they occur. 

Go to Netsafe NZ

Check out the following information on dealing with different types of ransomware:

Secure web pages create a safe connection between the website and the web browser. This means that data (credit card details and passwords) isn't accessible by unauthorised individuals. Note the term "web pages". Within one website, individual pages can be either secure or unsecured.

Here are some of the reasons that people thought a web page was secure:

  • They saw a privacy policy at the bottom of the page
  • The website is hosted by a reputable organisation
  • They received an email with a link to the website

In fact, sending emails with links is one way scam artists can trick you into visiting their web page.

See the latest scam alerts from Spark

What makes a website secure?

A website is considered to be secure when it scrambles (or encrypts) the communications between your computer and the website.

Look out for the address the website uses: Does it start with "https" or "http"? If you see the "s", then you know that the communications between the computer and the website are encrypted. No one can intercept this information or see your personal details.

Tip: Most browsers include a padlock symbol to show you whether a web page is secured with HTTPS.

Secure certificates

For a website to be secure, it must have a valid certificate from a trusted source. Select the padlock to see the certificate. Most modern browsers will warn you if a site has an invalid certificate. This does not always mean that the site isn't trustworthy. Sometimes these warnings are displayed as a result of a time zone error. 

See whether a website is secure

Tip: If your browser says there's a security certificate error, double-check the site you're using.

Have a look at your bank's website. You should see that the internet banking page is secure. You may find other pages on their website that aren't.

Making sure you're on a secure web page is important when you're sharing any kind of personal information, such as shopping online.

A business security policy covers how your business plans to protect its physical and IT assets.

A security policy needs to be updated regularly to reflect changes in technology and employee requirements. It should outline what an employee can and can’t do when using IT equipment and services.

How to create a security policy

Consider auditing your business for risk factors. For example, do you and your staff change your passwords regularly? Have you secured your sensitive information? Do your computers have anti-virus software?

Once you've reviewed your current security measures, you can identify an appropriate cyber security policy for your organisation. Then ask all staff members to agree to follow it. You may also need to train them on the finer details.

To protect your business from threats, start with training everyone in your organisation on cyber security. Everyone can take responsibility for protecting internal information.

Consider the following topics when developing security training for your staff:

  • Data back-ups
  • Email and phishing
  • Internet use and WiFi
  • Malware
  • Passwords
  • Phones and tablets
  • Policies, procedures and reporting
  • Social media
  • Use of company devices, including software/apps
  • Working remotely

You can find information on these topics and more on this page.

Give your staff refresher training sessions as threats and technologies evolve. Remember, the more security-savvy your staff, the more protected your business.

Note: Security risks and requirements will differ among organisations, industries, technologies and businesses. If you're unsure of your training needs, consult an IT security professional.

Wireless internet access is convenient, but it also poses a risk. It's easy for outsiders to access your computer and/or files when you're on WiFi.

At the office

If you're using wireless systems in your business, make sure they're secure and private:

  • Don’t broadcast the name of your private network. This is called the Service Set Identifier or SSID. Read more about SSID
  • Encrypt your WiFi by enabling WPA2. Learn more about WPA2
  • Create a complex password to connect to WiFi
  • Switch off WiFi when you're not using it

Staff who work remotely should also follow the same protocols with their WiFi routers at home.

For customers

As a business, you may want to offer your customers free WiFi, especially if you run a café or accommodation.

If you're offering this service, make sure that guests can't access your private network. You can create two separate networks, one for guests and one for your private use.

For working remotely

Public WiFi networks aren't always encrypted. This can put your information at risk. Employees might connect their laptops and/or phones to public WiFi networks, such as in a café, library, hotel or airport. These are unsecured networks, which means that other people could intercept your employees' data.

Consider setting up a VPN (Virtual Private Network) for staff who travel frequently. This will encrypt the data that they're sending and receiving. At least avoid handling confidential information while connected to public WiFi networks.

Looking for security tools?

Spark offers McAfee and Net Shield, powerful security tools to help you stay safe while using your computer. They're free for Spark Business Broadband customers.