Plan to protect important data

  1. Step 1: Identify everything that holds important data

     This is the information, records and systems that you can’t do without, or that would be most damaging if lost.

  2. Step 2: Prioritise protecting important data

     Put extra security measures in place to protect sensitive data from different threats. Sensitive data might be customer details, confidential agreements, financial records and any trade secrets or other intellectual property.

  3. Step 3: Plan for different scenarios

     Plan what to do if important data is lost, breached or hacked. You will be able to respond quickly and have a better chance of minimising any negative impacts. Don’t just think about it: write it down.

  4. Step 4: Make sure staff know what to do

     This includes training or check-ins, and making sure passwords are kept private and changed if they may have been exposed.

  5. Step 5: Put your plan into practice

     Test different scenarios regularly. Make changes to your plan if it doesn’t work as expected. The Office of the Privacy Commissioner also has a step-by-step toolkit on how to plan and respond to data breaches.

Assess your weak points

To best protect your systems and data, identify your vulnerabilities and your important assets.

Use Own Your Online’s security risk assessment to help you with this.

The assessment will help you better understand both your business processes and the systems and data that are important to secure.

If you have lots of weak points and don’t know how to manage them, consider paying a security specialist to help you set up a security process.

Create unique passwords

Make sure every staff member and every system has its own unique password, and that no password is reused across accounts. A password manager makes this practical.

Shared accounts are easier for attackers to get into: the password is usually weaker, more people know it, and if it leaks you can’t tell who used the account. Attackers also use software to guess large numbers of passwords automatically, so the longer and less predictable a password is, the better.

Cyber insurance

Cyber insurance can cover data breaches, website hacking and IT scams.

Consider getting it if your business relies on sensitive information.

Make sure a policy covers your areas of risk. An insurance broker can help you understand what a policy does or doesn’t cover.

If you’re sorting out your own insurance, make sure it covers a cyber-attack.

Own Your Online has more practical steps you can take to keep data safe and secure online.

Managing employees’ online behaviour

Security breaches can often be caused by an employee doing something they shouldn’t, usually by mistake.

If employees use computers and mobile devices at work, or work devices out of work:

  • create a cyber security policy so they know the rules
  • make sure everyone who uses your devices is trained to keep data and systems safe
  • give staff the right level of access to your systems and apps, only to staff who need it for their job, and remove that access when they change roles or leave.

Learn how to train your staff on privacy best practices

The Office of the Privacy Commissioner has short online courses to train people on privacy best practices.

Privacy training (The Office of the Privacy Commissioner)

Best practice to keep staff safe


Video transcript: Keeping your employees safe online

[Visual: Blue introduction screen with white business.govt.nz logo on the right-hand side of the screen. The sentence “Keeping your employees safe online” in smaller, thinner text is on the left-hand side of the logo.]

[Visual: The screen changes to a shot of the presenter standing in a board room, in front of a panel of four speakers. One presenter sitting in a desk chair to the left of the table, three other presenters sitting down at a table and an audience of two visible people. I-Film Science Logo is in the top right-hand corner for the entire video. The presenter standing up is speaking.]

What things can small businesses put in place to help their staff stay safe online and keep their businesses safe?

[Visual: The screen changes to a close-up mid shot with the third speaker on the left-hand side and the fourth speaker sitting on the right-hand side. The presenter on the left-hand side is speaking.]

I’d say one of the first things is around education and awareness.

Making sure your staff are aware of the scams and what goes on and where the resources are they can find to keep up their awareness. One thing I’d say is that, if you receive something by email that looks suspicious, a lot of organisations now do run pages on their website where they keep track of those latest scams that are exploiting their brands.

Xero’s got its security noticeboard, if you look at New Zealand Post, Westpac Bank, and probably every other major player in New Zealand (I think Vodafone runs a very good scams and online safety site). So, there’s a lot of information to be had out there, so if you get something you think is dodgy, it’s fairly easy to check.

There’s also the MBIE (Ministry of Business and Innovation) scam watch site, which gives you a rundown of everything going. So, there’s a lot of resources to be had out there.

I think the other thing I’d say is that, possibly not a day or maybe a week goes by where you don’t see an article around somebody defrauding their employer.

One thing I’d say there, I know it’s not possible in very small business perhaps, to enforce a segregation of duties where no one person has the keys to the kingdom when it comes to being able to get access to the business’s money. But if you can do that, it’s a good idea.

And always operate on a principle of least privilege — you have just the access you need to do just your job and nothing more.

And that also is a good thing for preventing external hackers from exploiting you, because if they compromise an account and they’re not able to do a great deal, then that’s the best thing that can happen.

[Visual: The screen changes and zooms out to show the whole room again. The presenter on the right-hand side is speaking.]

I think it’s also good to have an acceptable use policy as well. The word policy is always quite frightening for a small business.

[Visual: The screen changes to a close-up mid shot of the third and fourth speakers.]

So, we always say just put ten things about how you can use the internet as an employee. Just define some very simple things about what you expect employees to do when using the internet, and that will give you a little bit more of that awareness.

The other thing about that is that, often in post-incident reviews I hear from staff saying, “I didn’t realise I couldn’t do that. I didn’t realise I couldn’t do that on the internet. I didn’t realise those were the rules in place”.

So, regular reviews of that with staff, just to make sure they are following the acceptable use practice you’ve got in place.

[Visual: The screen changes to a white outro screen with blue bolded business.govt.nz logo on the right-hand side of the screen. The words “Make business easier” appear on the left-hand side of the screen in thinner text, separated by a blue vertical line from the logo on the right.]

[Video ends.]

Learn more about: IT risks and scams