Blog Post

Top 11 cyber security tips for your business (From CertNZ)

Jul 28, 2019

CertNZ recently published the top 11 cyber security tips for your business, as cyber security attacks on businesses are becoming more and more common. You have to make sure you do everything to keep your business safe, no matter the size of your business. This includes protecting your data, network and customer information, as well as your reputation.

A printable version of this guide is available at Cert NZ.


1. Install Software Updates

All devices and software should be up to date. Installing software updates is the most effective and basic way to prevent attacks and keep your systems safe. Devices should always be supported by the manufacturer, and software updates (patches) for the operating system should be installed as soon as they’re available.

Patches do much more than add new features to software; most importantly, they fix security vulnerabilities. Installing patches prevents incidents caused by attackers who use these vulnerabilities to gain access to your system. It is advisable to put a decent security policy in place.

To do list:

• Set your system preferences to install any new patches automatically. If your system needs patches to be tested before they are rolled out, make sure your IT support provider has a plan in place to apply them within a few weeks of release.
• Make sure any servers or computers that you manage for your business run on operating systems that are still supported and patched.
• Require staff to use supported operating systems and to install any patches as soon as they’re available, including on mobile devices.
• If staff use BYOD (bring your own device), make sure their devices are running supported operating systems and software before they access your business network, and keep those devices up to date.

2. Implement two-factor authentication (2FA)

Implementing two-factor authentication (2FA) protects both your systems and your customers’ accounts. Anyone logging in to your system will need to provide something else on top of their username and password to verify their identity. It can be implemented on both internal systems and customer-facing systems. Credential reuse, sophisticated phishing attacks, and many other cyber security risks can be mitigated by using 2FA.

To do list:

• Enable 2FA on your key systems, like your:
  • email services
  • cloud aggregator services, for example Office 365, GSuite, or Okta Cloud Connector
  • document storage
  • banking services
  • social media accounts
  • accounting services, and
  • any systems that you use to store customer, personal or financial data.
• Enforce the use of 2FA for each user in the system. Focus on using systems that support 2FA; support for 2FA should be a requirement for any new system that your business uses.
• Make it mandatory, not optional.

3. Back up your data

It is essential to regularly back up business data:

• provided by customers or staff, such as employee or customer personal details and customer account credentials,
• generated by the organisation, such as financials, operational data, documentation and manuals,
• system-based, such as system configurations and log files.

If data is lost, leaked or stolen, it will need to be restored.

To do list:

• Set your backups to happen automatically.
• Store your backups in a safe location that’s easy to get to, that isn’t on your own server, and preferably offsite.
• Consider cloud backup services and talk to your IT provider.
• Test backups regularly.

4. Set up Logs

Logs record the actions taken on your systems. Logging helps you find out when an incident may be about to occur, e.g. multiple failed logons to your network, or when an incident has occurred, e.g. a logon from an unknown IP address. Logs can be set up to alert you to any unusual or unexpected events.

To do list:

Set up logs for:

• multiple failed login attempts, especially for critical accounts. This includes services like Office 365 or GSuite
• successful logins to your CMS and changes to any of the files in it (if you don’t change them often)
• changes to your log configurations
• password changes
• 2FA requests that were denied
• anti-malware notifications
• network connections going in and out of your network.

Set the logs up to notify you about any unusual events by email. Set email notifications up for events that shouldn’t happen often, like multiple failed logons or denied 2FA requests.

Store logs in a safe location and make sure they’re encrypted.

Access to the logs should be limited to only those who need it.

Consider archiving them to offline storage and keeping them for a while in case you ever need them.

Talk to your IT service provider; we are happy to help.
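As an added illustration of the alerting described in this section (example code written for this post, not from CertNZ): a small Python monitor that reads constructed sample log lines in an assumed "timestamp user event source-IP" format and raises an alert for every denied 2FA request and for repeated failed logins on one account within a short window, the two "shouldn't happen often" events named above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp user event src_ip" format (not a real vendor format).
SAMPLE_LOG = """\
2019-07-28T09:00:01 alice LOGIN_FAILED 203.0.113.5
2019-07-28T09:00:09 alice LOGIN_FAILED 203.0.113.5
2019-07-28T09:00:20 alice LOGIN_FAILED 203.0.113.5
2019-07-28T09:00:31 alice LOGIN_FAILED 203.0.113.5
2019-07-28T09:00:40 alice LOGIN_FAILED 203.0.113.5
2019-07-28T09:05:00 bob 2FA_DENIED 198.51.100.7
2019-07-28T09:06:00 carol LOGIN_OK 192.0.2.10
2019-07-28T10:00:00 bob LOGIN_FAILED 198.51.100.7
2019-07-28T11:00:00 bob LOGIN_FAILED 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Parse the constructed format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the monitor
        ts, user, event, ip = m.groups()
        events.append((datetime.fromisoformat(ts), user, event, ip))
    return events

def find_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Return alert messages for the rare events worth an email: any denied
    2FA request, and `threshold` failed logins on one account within `window`."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    for ts, user, event, ip in sorted(events):
        if event == "2FA_DENIED":
            alerts.append(f"2FA denied for {user} from {ip} at {ts.isoformat()}")
        elif event == "LOGIN_FAILED":
            recent = [t for t in failures[user] if ts - t <= window] + [ts]
            failures[user] = recent
            if len(recent) == threshold:  # fire once, when the threshold is first reached
                alerts.append(f"{threshold} failed logins for {user} within "
                              f"{int(window.total_seconds() // 60)} min, last from {ip}")
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

Bob's two failed logins an hour apart stay below the threshold and produce no alert, which is the point of the sliding window: it separates a burst from ordinary typos.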


5. Incident Response Plan - Create a plan for when things go wrong

If your business has a cyber security incident, you’ll need to know what steps to take to keep your business running. An incident response plan helps to get the business back up and running quickly. The plan should be put in place ahead of time.

To do list (after identifying a security incident):

• Call in reinforcements using a prepared contact list
• Tell your staff
• Communicate with clients/customers
• Operate business as usual under unusual circumstances
• Reflect on what happened

6. Update Default Credentials

Default credentials are login details that allow full administrative access. They are intended for the initial setup and should be changed afterwards. Unfortunately, default credentials are often left unchanged, and they are easy to guess or to find online.

To do list:

Check for default account credentials on any new hardware or software you buy, or any devices that have been factory reset.

Change them. Make the new passwords long, strong, and unique.

Use a password manager to store your usernames and passwords. They’ll be encrypted and you won’t need to remember them.


7. Choose the right Cloud Service

Select a cloud service provider who will provide the right services for your business.

Cloud services are generally used for access to software without needing to buy it yourself, access to your data from any device at any time, and for storage space and backups for your data. When using cloud services, check whether the provider takes your security needs and your data seriously.

To do list:

• Check your cloud services:
  • if they’ll back up your data for you, or if you have to do it yourself
  • if they offer the option to use 2FA (if not, see if there’s another provider who does)
  • if they’ll notify you of a security breach if it happens
  • what happens to your data if they’re bought out by another company, or if they go under
  • if they have a public security policy, and a way for you to report security problems to them.
• Check where the servers that they use to hold your data are located (jurisdiction).

8. Only collect Data you need

Only collect the data you really need from customers. The level of risk is based on the amount of data stored: the more data collected, the more valuable and attractive it is to an attacker. Reduce the risk by only collecting what is needed.

To do list:

• Only save and store the information you need from a new customer or client. Be clear about why you need it.
• Make sure you’re encrypting any data you collect, both in transit and in storage in a database.
• CertNZ refers to the Privacy Commissioner, who has built a tool, Priv-o-matic, to help create a privacy statement that you can share with your customers. It can be used to tell them how you’ll collect, use and disclose their information.

9. Secure your Devices

Install security (anti-malware) software such as antivirus on any device that accesses your business data or systems. It prevents malicious software, e.g. viruses or ransomware, from being downloaded. This includes both company-owned devices and any BYOD devices that belong to your staff. This is one of the basics to minimise your risk.

To do list:

Use the security features that come as a default with your computer’s operating system. This includes Windows Defender for Windows 10 devices, or Gatekeeper for OSX. Otherwise, use security software that can prevent and detect malware and that gets updated regularly.

Don’t let your staff access your network with devices that are jailbroken or rooted.


10. Secure your Network

Configure network devices like firewalls and web proxies to secure and control connections in and out of your business network. Using a VPN, ideally one that relies on 2FA, to access systems remotely also secures the network.

To do list:

• Limit access to the internet-facing parts of your network to only those who need it.
• Use a VPN if you need to remotely access systems on your business network. Make sure the VPN software you use requires 2FA.
• Use separate VLANs for your business network to control what parts of the network can talk to other parts.
• Put servers with sensitive data on a separate VLAN from the one that your employees’ computers are on, and use firewalls to control how those two VLANs talk to each other.
• Talk to an IT or network engineer and explain what your business does and what you use your business network for. They can help you configure any separate networks or network devices that you may need to protect yourself.

11. Check financial details manually

Manually checking unusual or unexpected online business requests prevents incidents such as invoice scams. It can be hard to tell when an email is ‘phishy’.

Therefore, using another channel to check the person or company is recommended. This can be a phone call or a text message before approving any payments.

To do list:

• Set up a clear process for how to make sensitive business transactions or changes. Determine what’s sensitive for your business and make sure these thresholds are clear so your staff know when to raise a red flag.
• Use a separate channel of communication to verify a transaction or change before it happens.
• Have a clear point of escalation for your staff. Put a process into your incident response plan.
