Keeping your business safe with cyber security
Protecting your business from online attacks is just as important as locking up when you leave each night. Understanding the types of attacks your business could be exposed to and effectively planning your response is the best defence against cyber-crime.
The most common types of attacks
Your plan should outline your defences against the most common types of attacks on businesses:
Set up your online security policy
Protect yourself from external threats by deciding how your team use your systems and devices. If you have an e-commerce platform or you collect customer data online, your cyber security plan may be a legal requirement.
Your policy helps your team understand the important role they play in protecting your company's cyber security:
- Email and web use
- Mobile device security
- Handling sensitive data
- Managing remote access
- Using USB drives and other portable storage
- Reporting security breaches
Protect your systems with up to date security software
Install security software on all your team's devices and browsers. Often, this software can be administered remotely by you or your IT security team.
Choose a system that updates every few days. If a new mass-attack virus appears, check that your security software protects against it or issues an immediate update.
Keep your team's devices secure
Hackers see your team's mobiles, laptops, servers and desktop computers as access points. Keep the operating system and applications up to date, use security features that let you track, lock and wipe devices and consider encrypting your disks.
Keep passwords strong
- Tell your team not to use the same password for business and personal use
- Avoid common passwords and patterns
- Set up your systems to lock out a user after several failed log in attempts
- Use two factor authentication where you can, especially if they log in remotely
- Make sure your teams don't share log in details to cover each other's tasks
How to respond to attacks when they happen
If you're targeted, it's too late to start working out what to do. An incident management plan helps everyone in your business respond fast and efficiently.
- Make sure everyone knows where to find the plan in a hurry
- Recognise attacks quickly, to minimise the impact
- Keep a paper copy of your plan, in case the attack locks you out of your systems
Incident response management planning
Below are some basic steps you can follow to help you plan and prepare for how to respond to a cyber-attack. You can find a more detailed guide on Cert NZ.
-
Monitor - detect and recognise any attacks quickly
-
Report - sound the alarm immediately, and assure people they won't get in trouble if they've made a mistake and let an attacker in
-
Triage - identify the nature of the attack, who to notify and what to do
-
Respond - technical, management, customer communications and legal action
-
Resolve - what to do to shut down the attack and prevent loss of information or money
-
Review - assess what happened, your plan's success, and what you need to change for next time
Email scams - common business attack
Email is an easy tool for scammers to use. They try to trick you or your team into giving away information, logging in to malicious sites or sending money. Some simple steps can help reduce the risk.
- Spot scam emails with poor English or no personalisation
- Tell your team not to sign up to personal services with their business email address
- Watch for fake invoices - have clear processes for ordering and paying for goods, so that your team won’t be taken in
- Be careful of any email asking to make changes to a regular supplier's account details - contact them by phone to confirm the change
For more information, read our guide on how to protect your business from email payment fraud.
Control your team's access to critical systems
Your trusted people and ex-employees are one of your highest risk areas for business fraud. That doesn't mean you should be suspicious of everyone, but you should put controls in place to reduce the chance of something going wrong. Identify your critical systems, such as:
Customer data
Accounts and banking
Documents and Intellectual Property (IP)
Set user access privileges
1. Your people need access to do their job, but consider carefully who you give access to, which systems and what level of access they have and make sure you review this regularly.
2. Don't give every user 'admin-level' access, so they can create users or make changes to processes. Most people don't need that level of access.
3. Give your team the appropriate level of access to reduce the risk of mistakes and fraud. If an attack happens, it also makes it easier to work out how.
Check your online banking
Use a multi-user system with access control, like ASB FastNet Business. Set aside some time every quarter to check potential issues.
- Do some spot checks on supplier account numbers, and make sure they're accurate
- Look for duplicate suppliers in your payee lists with different account numbers
- Check your audit log for any modifications to your payments after creation
- Double check your sent payments to check for any duplicate or unusual payments
- Look for invoices from unknown suppliers, or invoices that seem higher than usual
- Check your online banking users to ensure they still require access and have the correct permissions & limits
Protecting your business' reputation
Whenever your people interact with the public they're representing your business. That’s also true on social media.
- Have a clear social media policy to ensure everyone is on the same page
- Only post content that’s in line with your business and brand values
- Even their personal activity can reflect on your business, especially if it's inflammatory or extreme
Regularly review your processes and plans
Online security is a fast-moving environment. Diarise an hour every few months with an IT person to review your policies and plans, remain informed and run checks on your businesses cyber security. It's much better that you discover any weaknesses before the criminals do.
IT security practices
Cert NZ have a checklist of 11 top tips to help you implement strong cyber security practises in your business or personal lives.
Controls
Cert NZ have some information on 10 critical controls to protect your business from attacks.
Run checks
You can also use online tools like 'Have I been pwned' to check if your email accounts have been linked to any of the major data breaches that have occurred across the globe. This can prompt you to take the necessary steps to protect your business such as changing your passwords, making your passwords stronger or upgrading your security.
Stay informed
NCSC (National Cyber Security Centre) Cyber Threats is a great resource for keeping up to date on the latest cyber threats impacting NZ.
Who can help?
Cert NZ
For more information on how to deal with a cyber security problem as a business or individual, please visit Cert NZ.
Your bank
If you think you or your business is under attack, let your bank know immediately.
If you're an ASB customer and you think you've been targeted, please call us on 0800 327 863 and we'll do everything we can to help.
Signals publications
ASB's Cyber Security publication, Signals, aims to empower businesses with unique insights into the cyber threat environment and provide advice to ensure a robust defence.
Keep reading
What's next for your business?
Small business banking
Every business is different and has unique banking needs, discover your options.
This page is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and should not be relied on. This information has been prepared without considering your objectives, financial situation or needs. We recommend you seek independent professional advice before acting on this information.
