The cyber security of your business is critical. But what do you need to do, and how do you start?
Take the free assessment from Digital Journey. You can see whether you're doing enough to protect your business from cyber risks. You'll receive an individual action plan with some steps that you can take to protect your business – and your customers.
What would happen if someone outside your business got hold of your data? Read our six tips for preventing data theft in your organisation.
Cameron Bagrie has been an economist for 20 years. Read his take on data security for businesses.
For businesses, good data security is more than updating your anti-virus software. Here are some digital security tips from Spark Lab.
Josh Bahlman is a cyber security specialist with 20+ years’ experience of staying one step ahead of cyber crime. Here he shares his top tips for businesses.
Using anti-virus software is one of the easiest and most effective ways to protect your computer, but you need to install every update.
Anti-virus software is a computer program that attempts to identify, neutralise or eliminate malicious software, such as:
Anti-virus software typically uses two different techniques to do this:
Why update anti-virus software?
Anti-virus software depends on virus or malware definitions. These definitions are a database of malware signature files that are used to identify malicious software. A signature file holds the unique information associated with each piece of malware.
Cyber-criminals are always looking for new ways to get your information and money. So they are constantly writing and circulating malicious software online. To ensure your computer is protected from the latest threat, your anti-virus software provider must update their database of definitions as new malware is discovered. So set your anti-virus software to check for updates at least once a day. Although this is usually the default for most software, it’s worth checking to make sure.
Remember, to update its virus definitions, your anti-virus software needs an internet connection. If you don’t connect to the internet regularly you're leaving yourself open to all the threats that have evolved since your last update.
Whether the software is paid or free, make sure your anti-virus subscription doesn’t lapse. Lapsed software won't protect you against internet and email threats.
Here are a few free anti-virus and anti-malware services:
For a guide to selecting anti-virus software, see the Consumer Affairs guide
A business continuity plan (BCP) focuses on your people, processes and tools. It ensures that they'll be effective during a disaster. Take the Christchurch earthquake, for example. We've all seen how disasters can affect businesses that aren't prepared for disruption.
In the event of a disaster, you'll need to consider how to manage staff as well as how to access resources and data. So a business continuity plan covers most or all your critical business processes and operations. It'll allow you to identify risks and outline plans to reduce negative impact on your services.
Depending on your organisation, a business continuity plan could include everything from computer viruses to terrorist attacks. For a large organisation, it may be 50 pages and its creation could involve many people. But for a small company, your BCP could be a short document with the following:
Where do I start?
Here are a few great resources to help you get started:
Passwords are the first line of defence against unauthorised access to your computer. The stronger your password, the more protected your computer will be from hackers and malicious software, or malware.
You may have heard to make strong passwords for all your accounts. But what makes a password strong or weak?
The answer isn't as simple as once thought. The man who came up with the rules on safe passwords is Bill Burr. Fourteen years ago, while working for the US government, Bill suggested that passwords contain:
He believed these passwords would be difficult to crack. But he's now changed his advice. These passwords are still vulnerable to certain kinds of cyber attacks. For example, brute-force attacks use computers to cycle through all possible character combinations.
Passphrases, not passwords
Bill Burr and other cyber security experts now recommend using passphrases. A passphrase is a combination of words that are easy for you to remember.
For a strong passphrase, don't choose common phrases like famous song lyrics or movie titles. These aren't as secure as a random set of words.
Instead, create a passphrase based on your own life. For example, let's say:
You might choose the passphrase LoraxCastle10MayCoriander
When creating a passphrase, remember these general rules:
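The brute-force attack mentioned above, which cycles through every possible combination, is easiest to understand as a count of how many combinations an attacker has to try. The following example is added here to illustrate that point and is not code from the original page or from Spark Lab. It compares the search space of a random 8-character password built under character-composition rules with that of a passphrase made of words drawn at random from a word list; the 95-character alphabet, the 7776-word list and the guess rate of ten billion per second are assumed figures for illustration, not values from the page.

```python
import math

# Assumed cracking rate for illustration only (not a figure from the page):
# roughly what a well-equipped attacker can try per second against a fast hash.
ASSUMED_GUESSES_PER_SECOND = 1e10

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_search_space(length: int, alphabet_size: int) -> int:
    """Combinations a brute-force attack must cycle through for a random
    password of `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def passphrase_search_space(word_count: int, dictionary_size: int) -> int:
    """Combinations for a passphrase of `word_count` words picked at random
    from a word list of `dictionary_size` entries."""
    return dictionary_size ** word_count


def bits_of_entropy(search_space: int) -> float:
    """Strength in bits: each extra bit doubles the attacker's work."""
    return math.log2(search_space)


def years_to_exhaust(search_space: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every combination at the assumed rate."""
    return search_space / guesses_per_second / SECONDS_PER_YEAR


def compare(password_length: int, alphabet_size: int,
            word_count: int, dictionary_size: int) -> dict:
    """Side-by-side strength of a character-rule password and a passphrase."""
    pw = password_search_space(password_length, alphabet_size)
    pp = passphrase_search_space(word_count, dictionary_size)
    return {
        "password_bits": round(bits_of_entropy(pw), 1),
        "passphrase_bits": round(bits_of_entropy(pp), 1),
        "password_years": years_to_exhaust(pw),
        "passphrase_years": years_to_exhaust(pp),
        "stronger": "passphrase" if pp > pw else "password",
    }


if __name__ == "__main__":
    # Constructed comparison: an 8-character password using the 95 printable
    # ASCII characters (letters, digits, symbols) versus a 5-word passphrase
    # drawn from an assumed 7776-word list.
    result = compare(8, 95, 5, 7776)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two things stand out when you run it. Four random words are roughly as strong as eight random characters, and a fifth word adds about thirteen bits, which turns days of worst-case cracking into decades. The calculation assumes the words and characters were chosen at random; a password or passphrase built from a famous lyric or a predictable pattern is far weaker than these numbers suggest, which is exactly why the advice above is to use words from your own life rather than a common phrase.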
Every business needs a security policy. This is a plan for how your business is protecting its assets. It outlines what an employee can and can’t do when using IT equipment, networks, systems and other digital services.
How to create a security policy
First, consider your business's risk factors:
Once you've reviewed your risks, think about your current security measures. What are you already doing to protect your assets?
Now, identify an appropriate security policy. How must staff use your network and operate devices for optimal security?
The importance of cyber security policies
If your business doesn't have a security policy, you could be at risk. You could even face potential legal issues. If your business has e-commerce or collects any customer data, cyber security is particularly important.
Cyber security policies can guide staff on acceptable use of devices and online material. The policy reminds your staff of the importance of security and helps them understand the role they play in security.
A cyber security policy will also help give your customers confidence in your business. For this reason, you could even include your security policy on your business website.
Where to start
Your cyber security policy might cover the following areas:
Remember, this isn't a complete list, just something to get you started. To help, you can download a security policy template.
Once you've written your policy, review and update it every so often.
An important component of your BCP is the disaster recovery plan (DRP). It focuses on the technology and infrastructure that support business operations. The DRP would specify which technology applications and services are mission-critical.
The two most important factors associated with disaster recovery planning are as follows:
The recovery point objective (RPO) is the point in time to which you'll recover your data, which determines how much recent work you can afford to lose. For example, are you OK with losing all data created in the past month, week or 24 hours?
The recovery time objective (RTO) is the most time your organisation can tolerate a non-functioning IT system, network or application. For example, can your organisation function without email for an hour, a day or a week?
So first define the RPOs and RTOs for all critical IT services and applications. Then, check that your back-up settings reflect your plans. This could incentivise your organisation to store data in the cloud or use cloud-based applications.
Don't forget to test your disaster recovery plan. Then you can double-check that you'd be back up and running in time.
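The step of checking that your back-up settings reflect your RPOs and RTOs can be written down as a simple rule set, which makes it easy to repeat after every DR test. The example below is added here for that purpose and is not code from the original page or from Spark Lab. It assumes you record, for each critical service, its RPO, its RTO, how often backups actually run, when the last one completed, and how long a restore took in your most recent test; the two services and timestamps are constructed sample data, not figures from any real plan.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Service:
    name: str
    rpo: timedelta              # most data (measured in time) you can afford to lose
    rto: timedelta              # longest outage you can tolerate
    backup_interval: timedelta  # how often backups actually run
    last_backup: datetime       # when the most recent backup completed
    tested_restore: timedelta   # restore time measured in your last DR test


def data_at_risk(service: Service, now: datetime) -> timedelta:
    """How much work would be lost if the service failed at `now`."""
    return now - service.last_backup


def check_service(service: Service, now: datetime) -> list:
    """Return the ways this service's backup settings miss its RPO/RTO."""
    issues = []
    if service.backup_interval > service.rpo:
        issues.append(f"backups run every {service.backup_interval}, "
                      f"but RPO is {service.rpo}")
    if data_at_risk(service, now) > service.rpo:
        issues.append(f"last backup is {data_at_risk(service, now)} old, "
                      f"already beyond RPO {service.rpo}")
    if service.tested_restore > service.rto:
        issues.append(f"tested restore took {service.tested_restore}, "
                      f"but RTO is {service.rto}")
    return issues


def review_plan(services: list, now: datetime) -> dict:
    """Map each service name to its list of issues (an empty list means OK)."""
    return {s.name: check_service(s, now) for s in services}


# Constructed sample data: a fixed "now" and two services, not from any real plan.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_SERVICES = [
    Service("email", rpo=timedelta(hours=24), rto=timedelta(hours=4),
            backup_interval=timedelta(hours=24),
            last_backup=NOW - timedelta(hours=6),
            tested_restore=timedelta(hours=2)),
    Service("accounting", rpo=timedelta(hours=1), rto=timedelta(hours=8),
            backup_interval=timedelta(hours=24),
            last_backup=NOW - timedelta(hours=30),
            tested_restore=timedelta(hours=12)),
]

if __name__ == "__main__":
    for name, issues in review_plan(SAMPLE_SERVICES, NOW).items():
        status = "OK" if not issues else "NEEDS ATTENTION"
        print(f"{name}: {status}")
        for issue in issues:
            print(f"  - {issue}")
```

In the sample, email passes all three checks, while accounting fails all three: it is backed up far less often than its one-hour RPO allows, its last backup is already older than that RPO, and the restore measured in testing is longer than its RTO. The third check is the one that only a real test can feed, which is why the advice above is to test the plan rather than just write it.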
How will you respond to a cyber security incident? Here are key questions to ask yourself to help plan your response.
These questions should help you respond to a cyber security incident. This is a high-level process that you can fit to suit businesses of all sizes.
Why is it important?
Identifying and addressing a cyber security issue quickly is critical in managing and containing the situation. This way you can minimise impacts and get back to business as soon as possible.
Unfortunately, no one can predict when a cyber breach will occur and what it might involve. The nature of online threats is constantly evolving. So even if your business already has robust cyber security systems and processes in place, a breach involving your network platforms or a member of your team could still occur.
In the worst-case scenario, failure to deal with an incident could lead to major disruption of your business operations. It could even lead to a breach of legal requirements.
But you can ensure that your business is as prepared as possible so that you can manage any incident as quickly as possible.
Prepare and prevent
Preparation and prevention are your most effective tools in managing a cyber security incident.
First, assess your business's cyber security. You should also:
Monitor and detect
Monitor and identify any unusual activity or events that may compromise the integrity of your business's information and systems. This may involve taking steps to protect your business against new, topical threats.
Unusual activity or events may include:
You must document the details of any incident or potential breach in your company's cyber security systems. That way, you can move on to the triage process.
Triage
The triage process is a critical decision point in any incident management. It involves collecting all available information on an incident to determine the scope of the incident, its impact and what assets are affected. Here are the steps to incident triage:
Respond
This involves taking actions to resolve or mitigate an incident by analysing, coordinating, and distributing information. This is likely to involve more than just a technical response: you might need management, communications and legal responses simultaneously. Coordination and information sharing are important.
Technical response
Your technical response may require advice from your technology/service provider or accredited IT security consultant.
Management response
Legal response
Your legal response includes actions associated with an incident that could have legal or regulatory implications. These include:
If the incident involves fraud or cyber-crime, you should report the incident to the police.
Resolve and review
Once an incident is resolved, review the cause. To minimise the risk of a similar incident occurring again, review your company's systems and processes. Take the time to review your overall incident management plan: was there anything that your incident response team could have done better?
Portable digital devices include laptops, tablets and phones. They're key to conducting business in a hyper-connected world. To help keep your organisation's portable devices as secure as possible, here are some recommendations:
1. Authentication
All portable digital devices support passwords or PINs. Many also have biometric readers that scan fingerprints for authentication. Always use authentication. If possible, look for two-factor authentication.
2. Malware
Malware can be disguised as a useful application or game. Messaging services can deliver infected files via email, instant messages or multimedia messages.
3. Theft
Portable devices are more likely than other digital equipment to get lost or stolen. Don't leave devices where they can be easily seen, such as in a car. Lock devices when not in use. Your organisation's IT manager or provider should know how to lock or disable devices remotely if they're misplaced.
4. Spam
Unwanted text messages, emails and voice messages from advertisers can appear on portable devices. Besides the inconvenience, you could be charged for inbound messages or data. These messages could also trick users into calling chargeable service numbers. Know how to identify spam, mark it as such and delete it.
5. Software
Consider investing in security software for your portable digital devices. Security software for mobile devices can include:
6. Updates
Like other digital devices, it's important that your portable devices are up-to-date. Check every so often that your devices have the most recent security updates and patches. Be aware that many manufacturers stop supporting smartphones 1–2 years after their release. These unsupported devices may pose a risk to your organisation.
You log into work in the morning. A message pops up telling you that all your files have been encrypted or locked...
...and whoever did this is demanding that you pay a fee within 72 hours, or everything will be deleted.
You've just been infected by ransomware!
What is ransomware?
It's a type of malicious software designed to block access to a computer system or files until money is paid. It can affect both individuals and businesses.
Infection happens when you (or someone else within your organisation) opens a link or attachment in an email. Known ransomware viruses include Cryptolocker, Cryptowall and TeslaCrypt. The total number of ransomware attacks is unknown. Many affected organisations and individuals pay the money and move on without reporting the attack.
If you don't have your files securely backed up, it's often impossible to decrypt your files without paying the ransom demand.
Not just PCs
Smartphones and tablets aren't immune to ransomware. People have been targeted through social media links or websites that encourage you to install a video player app to watch content.
Ransomware tries to scare, trick or even embarrass you into paying the ransom. For example, some police-themed ransomware locks your screen. It then tells you that New Zealand’s Security Intelligence Service has caught you viewing child pornography or downloading movies. It states they will contact "witnesses" and displays three of your contacts on screen with their names and numbers.
How can I protect my files from ransomware?
1. Education: Make sure you and your staff know about the risks. Be careful when downloading apps, opening files and clicking links. Always verify the sender of attached files and web page links before opening them. Get your staff to complete the Digital Citizenship Assessment from Digital Journey; you'll find the link at the top of this page.
2. Anti-virus software: Anti-virus software can detect most ransomware before it infects your system. So check that your subscription is up-to-date with the latest virus definition files. If you have Android devices, consider installing anti-virus software on them too.
3. Back up all essential information: This will let you rebuild your system if it does get infected. Some ransomware can target USB drives or network drives attached to an infected computer, so be careful where you store your backups. Back up your data to a cloud provider, but make sure that the cloud storage is not synced from your local computer. Don't forget to test that your backup process is working, and that your backups can't be infected. If your organisation has a network (even a small one), consider limiting staff access to sensitive files and network drives. This will help limit the spread of an attack.
4. Check your computer: If you are a PC user, Netsafe NZ recommends you use software to look for weaknesses on your machines.
See the Software Vulnerability Manager from Flexera
What if I become infected?
Netsafe NZ is a great resource and has a wealth of information on how to prevent security breaches and what to do when they occur.
Check out the following information on dealing with different types of ransomware:
Secure web pages create a safe connection between the website and the web browser. This means that data (credit card details and passwords) isn't accessible by unauthorised individuals. Note the term "web pages". Within one website, individual pages can be either secure or unsecured.
Here are some of the reasons that people thought a web page was secure:
In fact, sending emails with links is one way scam artists can trick you into visiting their web page.
See the latest scam alerts from Spark
What makes a website secure?
A website is considered to be secure when it scrambles (or encrypts) the communications between your computer and the website.
Look out for the address the website uses: Does it start with "https" or "http"? If you see the "s", then you know that the communications between the computer and the website are encrypted. Anyone intercepting that traffic can't read your personal details.
Tip: Most browsers include a padlock symbol to show you whether a web page is secured with HTTPS.
Secure certificates
For a website to be secure, it must have a valid certificate from a trusted source. Select the padlock to see the certificate. Most modern browsers will warn you if a site has an invalid certificate. This does not always mean that the site isn't trustworthy. Sometimes these warnings are displayed as a result of a time zone error.
See whether a website is secure
Tip: If your browser says there's a security certificate error, double-check the site you're using.
Have a look at your bank's website. You should see that the internet banking page is secure. You may find other pages on their website that aren't.
Making sure you're on a secure web page is important when you're sharing any kind of personal information, such as shopping online.
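The check described above ("does the address start with https?") is about the scheme at the very start of the address, not about whether the letters "https" appear somewhere in it. The following example is added here to show that distinction and is not code from the original page or from Spark Lab; the bank addresses it uses are constructed sample links, not real sites.

```python
from urllib.parse import urlsplit


def uses_https(url: str) -> bool:
    """True only when the address itself starts with the https scheme.

    Checks the parsed scheme rather than searching for the text "https",
    so an http link that merely contains "https" later in its path does not
    pass, and an address with no scheme at all is treated as not encrypted.
    """
    parts = urlsplit(url.strip())
    return parts.scheme == "https" and bool(parts.hostname)


def classify_links(urls):
    """Map each link to 'encrypted' or 'not encrypted' before you type
    personal details into it."""
    return {url: ("encrypted" if uses_https(url) else "not encrypted")
            for url in urls}


# Constructed sample links (not real sites): the kinds of addresses you might
# see in an email or on a web page.
SAMPLE_LINKS = [
    "https://www.bank.example/internet-banking",
    "HTTPS://www.bank.example/internet-banking",
    "http://www.bank.example/about-us",
    "http://www.bank.example/https://internet-banking",
    "www.bank.example/internet-banking",
]

if __name__ == "__main__":
    for link, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:14} {link}")
```

Only the first two sample links count as encrypted: the scheme is compared after parsing, so upper-case "HTTPS" is fine, while "https" buried in the path of an http link is not. The check says nothing about whether the certificate behind the connection is valid or whether the site is the one you meant to visit; that is what the padlock and the certificate warning in the section above are for.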
A business security policy covers how your business plans to protect its physical and IT assets.
A security policy needs to be updated regularly to reflect changes in technology and employee requirements. It should outline what an employee can and can’t do when using IT equipment and services.
How to create a security policy
Consider auditing your business for risk factors. For example, do you and your staff change your passwords regularly? Have you secured your sensitive information? Do your computers have anti-virus software?
Once you've reviewed your current security measures, you can identify an appropriate cyber security policy for your organisation. Then ask all staff members to agree to follow it. You may also need to train them on the finer details.
To protect your business from threats, start with training everyone in your organisation on cyber security. Everyone can take responsibility for protecting internal information.
Consider the following topics when developing security training for your staff:
You can find information on these topics and more on this page.
Give your staff refresher training sessions as threats and technologies evolve. Remember, the more security-savvy your staff, the more protected your business.
Note: Security risks and requirements will differ among organisations, industries, technologies and businesses. If you're unsure of your training needs, consult an IT security professional.
Wireless internet access is convenient, but it also poses a risk. It's easy for outsiders to access your computer and/or files when you're on an unsecured WiFi network.
At the office
If you're using wireless systems in your business, make sure they're secure and private:
Staff who work remotely should also follow the same protocols with their WiFi routers at home.
For customers
As a business, you may want to offer your customers free WiFi, especially if you run a café or accommodation.
If you're offering this service, make sure that guests can't access your private network. You can create two separate networks, one for guests and one for your private use.
For working remotely
Public WiFi networks aren't always encrypted. This can put your information at risk. Employees might connect their laptops and/or phones to public WiFi networks, such as in a café, library, hotel or airport. These are unsecured networks, which means that other people could intercept your employees' data.
Consider setting up a VPN (Virtual Private Network) for staff who travel frequently. This will encrypt the data that they're sending and receiving. At least avoid handling confidential information while connected to public WiFi networks.