CertNZ recently published the top 11 cyber security tips for your business, as cyber security attacks on businesses are becoming more and more common. You have to make sure you do everything to keep your business safe, no matter the size of your business. This includes protecting your data, network and customer information, as well as your reputation.
A printable version of this guide is available at Cert NZ.
1. Install Software Updates
All devices and software should be up to date. Installing software updates is the most effective and basic way to prevent attacks and keep your systems safe. Devices should be supported by the manufacturer at all times, and software updates (patches) for operating systems should be installed as soon as they’re available.
Patches do much more than add new features to software; most importantly, they fix security vulnerabilities. Installing patches prevents incidents caused by attackers who use these vulnerabilities to gain access to your systems. It is advisable to put a proper security policy in place.
To do list:
Implementing two-factor authentication (2FA) protects both your systems and your customers’ accounts. Anyone logging in to your system will need to provide something else on top of their username and password to verify their identity. It can be implemented on both internal systems and customer-facing systems. Credential reuse, sophisticated phishing attacks, and many other cyber security risks can be mitigated by using 2FA.
To do list:
If data is lost, leaked or stolen, it will need to be restored.
To do list:
4. Set up Logs
Logs record the actions taken on your systems. Logging helps you find out when an incident may be about to occur, e.g. multiple failed logons to your network, or when an incident has already occurred, e.g. a logon from an unknown IP address. Logs can be set up to alert you to any unusual or unexpected events.
To do list:
Set up logs for:
Set the logs up to notify you about any unusual events by email. Set email notifications up for events that shouldn’t happen often, like multiple failed logons or denied 2FA requests.
Store logs in a safe location and make sure they’re encrypted.
Access to the logs should be limited to only those that need it.
Consider archiving them to offline storage and keeping them for a while in case you ever need them.
Talk to your IT service provider; we are happy to help.
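As an added example (not from the CERT NZ guide or this page), the following Python script reads constructed log lines in an assumed format and raises the alerts this section describes: multiple failed logons, repeated denied 2FA requests, and a successful logon from an IP outside the business’s known address ranges (the ranges and thresholds are assumptions).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not from the original page), one event per
# line: "<timestamp> <user> <result> <source_ip>". One line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice LOGIN_OK 203.0.113.10
2024-03-01T08:01:12 bob LOGIN_FAIL 198.51.100.7
2024-03-01T08:01:15 bob LOGIN_FAIL 198.51.100.7
2024-03-01T08:01:20 bob LOGIN_FAIL 198.51.100.7
2024-03-01T08:05:00 alice 2FA_DENIED 203.0.113.10
2024-03-01T08:05:30 alice 2FA_DENIED 203.0.113.10
2024-03-01T08:05:45 alice 2FA_DENIED 203.0.113.10
this line is malformed and is skipped
2024-03-01T09:10:00 carol LOGIN_OK 192.0.2.55
"""

# Assumed: the address ranges the business normally logs in from (office
# and VPN). A successful logon from outside these is treated as "unknown".
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]
LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL|2FA_DENIED) (\S+)$")

def parse_log(text):
    """Turn raw log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "user": m.group(2), "result": m.group(3),
                           "ip": ipaddress.ip_address(m.group(4))})
    return events

def find_alerts(events, fail_threshold=3, deny_threshold=3):
    """Return the alert messages an email notification would carry."""
    alerts = []
    fails = Counter(e["user"] for e in events if e["result"] == "LOGIN_FAIL")
    denies = Counter(e["user"] for e in events if e["result"] == "2FA_DENIED")
    for user, n in fails.items():
        if n >= fail_threshold:
            alerts.append(f"multiple failed logons for {user} ({n})")
    for user, n in denies.items():
        if n >= deny_threshold:
            alerts.append(f"repeated denied 2FA requests for {user} ({n})")
    for e in events:
        if e["result"] == "LOGIN_OK" and not any(e["ip"] in net for net in KNOWN_NETWORKS):
            alerts.append(f"logon for {e['user']} from unknown IP {e['ip']}")
    return alerts
```

In a real deployment the returned messages would be sent by email or to a monitoring system, and the thresholds tuned to how often these events legitimately occur.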
If your business has a cyber security incident, you’ll need to know what steps to take to keep your business running. An incident response plan helps to get the business back up and running quickly. The plan should be put in place ahead of time.
To do list (after identifying a security incident):
Default credentials are the login details that come with a device or application, and they usually allow full administrative access. They are meant to be used for the initial setup and then changed. Unfortunately, these default credentials are often left unchanged, and they are easy to guess or to find online.
To do list:
Check for default account credentials on any new hardware or software you buy, or any devices that have been factory reset.
Change them. Make the new passwords long, strong, and unique.
Use a password manager to store your usernames and passwords. They’ll be encrypted, and you won’t need to remember them.
Select a cloud service provider who will provide the right services for your business.
Cloud services are generally used to access software without needing to buy it yourself, to access your data from any device at any time, and for storage space and backups for your data. When using cloud services, check that the provider takes your security needs and your data seriously.
To do list:
Only collect the data you really need from customers. The level of risk is based on the amount of data stored: the more data you collect, the more valuable and attractive it is to an attacker. Reduce the risk by only collecting what is needed.
To do list:
Install security/anti-malware software, such as antivirus, on any device that accesses your business data or systems. It prevents malicious software, e.g. viruses or ransomware, from being downloaded. This includes both company-owned devices and any BYOD devices that belong to your staff. This is one of the basics for minimising your risk.
To do list:
Use the security features that come by default with your computer’s operating system. This includes Windows Defender for Windows 10 devices, or Gatekeeper for OS X. Otherwise, use security software that can prevent and detect malware and that is updated regularly.
Don’t let your staff access your network with devices that are jailbroken or rooted.
Configure network devices such as firewalls and web proxies to secure and control connections in and out of the business network. When accessing systems remotely, use a VPN, ideally one that relies on 2FA, to keep the network secure.
To do list:
Manually checking unusual or unexpected online business requests prevents incidents such as invoice scams. It can be hard to tell when an email is ‘phishy’.
Therefore, use another channel, such as a phone call or a text message, to verify the person or company before approving any payments.
To do list: