Business security - Protecting your data online

Businesses face many risks, and some of the most damaging and impactful risks come from a lack of adequate data security. Data security refers to the practice of protecting digital data properly, to safeguard against data corruption, disaster, or breach. The sheer volume of enterprise data is constantly growing, driving a greater need for data governance. Guard your business against anything that may impact your survival and growth.

Watch out for warning signs
 

First, it's worth paying attention to anything that seems out of the ordinary such as:

  • Large, unusual transactions from unknown buyers.
  • Payment with many different credit cards.
  • Rush orders or any type of unusual urgency from a customer.
  • A high volume of transactions over a short period.
  • A customer orders small amounts and pays on time (building trust), then places a very large order (which they don't intend to pay for).
     

If you're not sure whether a transaction is legitimate, implement a few extra steps to double-check.

  • Call the customer to confirm their order.
  • Use multi-factor authentication programmes such as Verified by Visa.
  • Reject any order you're still suspicious of - always trust your gut! If it doesn't feel right, it probably isn't.
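The warning signs listed above can also be checked automatically, so that flagged orders are routed to the manual double-check. The following is an added example, not code from the original page; the order fields, threshold values and sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them to your own order history.
LARGE_ORDER = 2000                           # "large" for a buyer with no history
MAX_CARDS = 3                                # distinct cards allowed per customer
MAX_ORDERS, WINDOW = 5, timedelta(hours=1)   # volume limit inside a time window
MIN_HISTORY, SPIKE_FACTOR = 3, 10            # small paid orders, then a big one

def flag_orders(orders):
    """Return {order_id: [reasons]} for orders that match a warning sign."""
    cards, recent, history = defaultdict(set), defaultdict(list), defaultdict(list)
    flags = {}
    for o in sorted(orders, key=lambda o: o["time"]):
        cust, reasons = o["customer"], []
        past = history[cust]                 # amounts of this customer's earlier orders
        if not past and o["amount"] >= LARGE_ORDER:
            reasons.append("large order from unknown buyer")
        cards[cust].add(o["card"])           # last four digits only, never the full number
        if len(cards[cust]) > MAX_CARDS:
            reasons.append("many different cards")
        if o.get("rush"):
            reasons.append("rush order")
        # Keep only this customer's orders that fall inside the sliding window.
        recent[cust] = [t for t in recent[cust] if o["time"] - t <= WINDOW] + [o["time"]]
        if len(recent[cust]) > MAX_ORDERS:
            reasons.append("high volume in short period")
        if len(past) >= MIN_HISTORY and o["amount"] >= SPIKE_FACTOR * max(past):
            reasons.append("large order after small trusted orders")
        past.append(o["amount"])
        if reasons:
            flags[o["id"]] = reasons
    return flags

def order(oid, customer, card, amount, time, rush=False):
    return {"id": oid, "customer": customer, "card": card,
            "amount": amount, "time": time, "rush": rush}

# Constructed sample orders (not real data).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ORDERS = [
    order("A1", "acme", "1111", 40, T0),
    order("A2", "acme", "1111", 55, T0 + timedelta(days=7)),
    order("A3", "acme", "1111", 60, T0 + timedelta(days=14)),
    order("A4", "acme", "1111", 4000, T0 + timedelta(days=21)),
    order("B1", "newco", "2222", 9000, T0, rush=True),
] + [order(f"C{i}", "zed", f"90{i:02d}", 20, T0 + timedelta(minutes=i)) for i in range(1, 5)]

if __name__ == "__main__":
    for oid, reasons in flag_orders(SAMPLE_ORDERS).items():
        print(oid, "->", ", ".join(reasons))
```

A flag is a prompt to call the customer and confirm the order, not a reason to reject it automatically.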

Educate your team

Provide employee training on data privacy laws such as the General Data Protection Regulation (GDPR), as well as regular data security updates to help your team identify and prevent fraud and spot suspicious transactions. Ensuring data security policies are in place means you're also protected from insider threats and human error. You can keep up to date with the latest scams on the CERT NZ cyber security website. Make sure your teams are aware of the consequences of fraud. Customers could be heavily impacted, as they won't have access to funds for an extended period, and your business could be liable for purchases made on a compromised card.

Take care of your data

Why is data security important? Your organisation's data is possibly your most valuable asset. Imagine if all the information on your computers, laptops, software and devices was wiped clean (either by mistake or by a malicious attack). Improve your data security strategy and protect user data by: 

  • Only holding critical data. The more sensitive information you hold, the higher your security risks for data discovery.
  • Regularly performing a sensitive data backup and storing it securely offline. Wherever your data resides, provide access to authorised users only, who can then restore the data if it's lost, leaked or stolen.
  • Setting up logs to record all the actions people take on your website or server. Set up notification alerts if an unusual event occurs. Make sure your security teams check the user data when an alert comes in.
  • Creating an incident response plan to help you get your business back up and running quickly if your business is targeted by a cyberattack. Talk to your staff about the plan ahead of time.
  • Selecting a cloud computing services provider who will provide the right data security technologies and services for your business. Check their data security solutions. Ask if they'll do backups and if they offer multi-factor authentication.

More ways to secure data

  • Data Encryption - protecting sensitive data begins with encryption. An encryption algorithm uses a key to turn standard text into an unreadable format, so that only those authorised, who hold the key, can read it.
  • Data Erasure - delete unused data through erasure. Protecting data through erasure is more secure than standard data wiping. Erasure software completely overwrites data stored on any device.
  • Data Masking - protect sensitive information by masking structured data and personally identifiable information where applicable.
  • Data Resiliency - this refers to how well a data centre endures or recovers from a data security incident – from hardware issues to power outages or any other disruptive event.

Check your internal systems are well managed

A solid data security strategy that is compulsory for all employees protects data access and ultimately, your business. Often it's best to put data security compliance conditions into employment agreements and flag non-compliance as serious misconduct. Employ tighter security controls and:

  • Control user access by ensuring anyone accessing data must provide further information on top of their username and password, to verify their identity.
  • Change existing default passwords and check the passwords on any new hardware or software. If you find any default credentials, change the passwords to better manage access.
  • Use creative recovery answers, as security answers like your pet's name or your school can be easy for an attacker to find out. Protect data by choosing novel answers that aren't necessarily real.
  • Create unique passwords for each account so if you experience a data breach, the cyber attacker will be unable to access any of your other accounts.
  • Don't give out personal information. Legitimate-looking emails are very clever at trying to trick us into giving away financial or personal data. Learning to recognise phishing emails and other social engineering attacks will help reduce data breaches. Stop and check if you know who the email is from. 
  • Be smart with social media. What you and your employees post can allow cybercriminals to collect data that they can use against you. Avoid potential security threats and set your privacy so only friends and family can see your details.

Protect your financial data

Possibly you could survive a cyberattack that disrupts your business. It may be annoying, time-wasting and embarrassing to fix whatever sensitive data has been hacked. But if your finances are impacted, it's a different story.

Reduce the chance of financial loss:

  • If you need to pay a new supplier or to change bank details, double-check it manually by phone or text before you approve any payments. Do this for any unusual or unexpected requests.
  • Check bank statements regularly as that could be the first tip-off to any unauthorised access. Ring your bank immediately if you see something suspicious.
  • Get a regular credit check to alert you if someone else is using your details to get loans or credit.
  • Keep an eye on your networks and install software updates to stop attackers from getting access to your business network through known vulnerabilities. Software updates often contain security fixes.
  • Enable software security systems, like antivirus, to prevent malicious software from being downloaded to any device that accesses your valuable data or operating systems. Free online antivirus software can be fake. Instead, purchase it from a reputable company and run it regularly.
  • Configure network devices like firewalls and web proxies to secure and control connections in and out of your business network. Use a VPN that uses two-factor authentication if you need to remotely access systems on your network.
  • Be careful using free Wi-Fi and hot spots - they are untrusted networks so others could see what you are doing.

Like most things in business, prevention is better than a cure; a little planning in effective data security now could save you a significant financial cost in the future.

Next steps for data protection

  • If you, your friend, or your business experiences an online incident, report it to CERT NZ, a government agency that helps New Zealanders identify cyber security issues and guides them in resolving them. Report an issue.
  • Get in touch with ASB by enquiring online, visiting a branch, calling 0800 272 222 or contacting your banker if you think your business has suffered a data security breach.
  • Find out more about getting cyber smart on the government cyber smart website.
