In association with

Protecting business data

As data breaches and online threats become more common, it’s important to take active measures to safeguard critical systems and sensitive information. These practical cyber security and data safety tips will help you keep your data safe and secure.

Know the risks

Proper storage and regular backups will help protect your important information from system failures or improper use. But an increasingly complex online world means you need to also protect your data from unauthorised access, whether it’s an accidental breach by someone in your business or by a hacker.

Ignoring cyber security threats and data breaches puts your reputation — and bottom line — at risk.

Recovering from a cyber attack or data breach could be an expensive undertaking. Take precautions so you don’t fall victim.

Consider doing a cyber security risk assessment about your business. It will help you identify what you value, what your risks are and how to mitigate them.

Cyber security risk assessments for your business (external link) — CERT NZ

Cyber security: What is it?

Cyber security is about protecting information, devices and systems from unauthorised access, attack or other risks.

Common threats to a business’s data and systems include:

  • Data breaches: When private information is released into an unsecured environment. This could be done on purpose or by accident.
  • Malware: Malicious software designed to damage or harm a computer system. Ransomware is a type of malware that denies a user access to their files or computer systems unless they pay a ransom.
  • Denial-of-service: Attacks that aim to restrict or impair access to a computer system or network. Typically, the aim is to prevent legitimate users from accessing websites or payment services.
  • Insider threats: Someone who has inside knowledge threatens your business.

CERT NZ has more details on common cyber security threats to New Zealand business, including how to prevent them and what to do if they happen to you.

Common threats (external link) — CERT NZ

Cyber security business basics (external link) — CERT NZ

Assess your weak points

To best protect your systems and data, you need to identify and address your vulnerabilities and your important assets.

To work out whether you are doing enough to protect your business from cyber security incidents, go through CERT NZ’s Cyber security risk assessment guide. The guide will help you better understand both your business processes, and the systems and data that’s important to secure.

Cyber security risk assessment for business [PDF 483KB] (external link) — CERT NZ

If you have lots of holes and don’t know how to manage them, consider paying a security specialist to help you set up a security process.

Restrict access to your systems to those who really need it.

Restrict access to your systems to those who really need it.

This makes it harder for attackers to find an account with access.

Wherever you store personal information, your customers trust you to protect it.

Wherever you store personal information, your customers trust you to protect it.

Plan to protect important data

Protecting important data is all part of continuity planning — being prepared to recover from any problems. Follow these steps:

  1. Identify everything that holds vital data. This is the information, records and systems that you can’t do without, or would be most damaging if lost.
  2. Make protecting vital data a priority. Put extra security measures in place to protect sensitive data from different kinds of threats. This might be customer details, confidential agreements, financial records and any trade secrets or other intellectual property.
  3. Plan ahead for different scenarios. Map out a step-by-step approach of what to do if important data is lost, breached or hacked. You will be able to respond quickly — and have a better chance of minimising any negative impacts. Don’t just think about it. Write it down.
  4. Make sure staff know what to do. This includes training or check-ins, and making sure passwords are protected and updated.
  5. Put your plan into practice. Test different scenarios regularly. Make any changes to your plan if it doesn’t work as expected.

Protect your small business network (external link)   CERT NZ

The Office of the Privacy Commissioner also has a step-by-step toolkit on how to plan and respond to data breaches.

Data Safety Toolkit (external link) — Office of the Privacy Commissioner

Make sure all staff and systems have unique passwords.

Make sure all staff and systems have unique passwords.

It’s easier for cyber attackers to gain access to shared accounts because the password is often weaker or it’s easier to find. It’s easier for computers to run a task and guess lots of passwords, so the stronger the better.

Create a good password (external link) — CERT NZ

Cyber security steps

There are a number of easy things you can do to protect your information. The key is to commit to safety measures. If you have staff, make sure they are trained and kept up to date on any new risks or protective steps.

Passwords and passphrases

  • Always use strong passwords or passphrases to protect your devices and data.
  • Use passphrases, rather than passwords. Passphrases are unique, at least 15 characters long and a combination of different character types, eg IAte23OfDiana'sSandwiches!.
  • Change any default passwords and usernames that come with a new device as soon as you get it.
  • Don’t use the same password or passphrase for more than one of your systems or staff. Hackers could get into all your most sensitive information in one hit.

Create a password policy for your business (external link) — CERT NZ

Do not store passwords or passphrases on your online systems or devices — this makes them too easy to find. Instead use a password manager. There are many free or low-cost options available. Make sure you choose a reputable one.

Keep your data safe with a password manager (external link) — CERT NZ

Don’t leave factory or administrator passwords in place on your WiFi, modem or any devices.

Don’t leave factory or administrator passwords in place on your WiFi, modem or any devices.

Change these to strong passwords or passphrases — and make it part of your off-boarding process to change them each time someone leaves the business.

Secure your business network (external link) — CERT NZ

Software updates

Software providers release regular software updates to fix and bugs or weaknesses that have been found. It’s one of the easiest and best things to do to mitigate against cyber attacks. You may want to put off software updates for later, but it’s time well spent to keep your systems safe. This includes updating everything – your devices, printers, routers, and internet connected TV. CERT NZ recommends turning on automatic updates, so you don’t have to think about it.

If your device alerts you to an update, don't ignore it.

If your device alerts you to an update, don't ignore it.

The latest updates or versions often fix any new vulnerabilities to cyber attacks.

Encryption

Add a further security layer by encrypting data with a key. Check if a cloud service will do this for you, or you can look into free software that will help you do this yourself.

Antivirus protection software

Installing paid antivirus software on computers is an easy way to protect your data. Keep your software up-to-date to fight off the latest malware. Install patches and updates from your internet service provider.

Consider getting protection from malware, a term covering software threats, including:

  • Viruses: Code that can copy itself and infect computers and other devices.
  • Trojan horses: Programs designed to breach and take over parts of a system.
  • Ransomware: Software that blocks access to a computer until a ransom is paid.
  • Spyware: Software used to secretly get information sent from a computer about how it’s being used. 
  • Adware: Software that automatically downloads or displays often unwanted adverts.

Digital Resources has more tips on antivirus software and security.

Anti-virus software (external link) — Digital Resources

Always encrypt sensitive data — no matter how you decide to store it.

Always encrypt sensitive data — no matter how you decide to store it.

Encryption makes data indecipherable to those who don’t have the key to access it. 

Firewalls

A firewall is software or hardware that protects your computer or device against online threats. It helps you monitor who or what is allowed to access your system. It will also notify you if your computer or device is trying to access something suspicious online. Think of it as a door between your computer and the internet. It helps you let the right things in and keep suspicious activity out.

Two-factor authentication

Two-factor authentication (2FA) makes it much more difficult for hackers to crack into your systems. 2FA ensures a user can only gain access if they have an extra credential above a valid username and password. This extra credential may be a PIN number, access to a physical security key or token, or a unique identifier, eg a fingerprint. You should enable it for your most important systems, accounts and devices.

Top 11 cyber security tips for your business (external link) — CERT NZ

Best practice from cyber security experts

Hear the top tips on keeping small businesses safe online from experts from the private sector and government agencies.

Video transcript

Watch full webinar

Cyber insurance

If your business relies on sensitive information, it’s a good idea to think about cyber insurance. It can cover data breaches, website hacking and IT scams. Make sure a policy covers your areas of risk. An insurance broker can help you understand what a policy does or doesn’t cover. If you’re sorting out your own insurance, read the fine print to make sure it covers a cyber attack.

CERT NZ has more practical steps you can take to keep data safe and secure online.

Getting started with cyber security (external link) — CERT NZ

Use a web developer who builds using the OWASP Top 10 guidelines.

Use a web developer who builds using the OWASP Top 10 guidelines.

This is a list of the 10 most critical web application security risks.

Choosing an IT service provider (external link) — CERT NZ

Protect your website (external link) — CERT NZ

Manage online behaviour

Security breaches can often be caused by an employee doing something they shouldn’t, usually inadvertently. If employees use computers and mobiles devices at work, or work devices out of work:

  • Create a cyber security policy so they know the rules.
  • Make sure everyone who uses your devices is trained to keep data and systems safe.
  • Give staff the right level of access to your systems and apps, and only to staff who need to use them.

Cyber security policy (external link) — CERT NZ

Insider threat (external link) — CERT NZ

The Office of the Privacy Commissioner has short online courses, including Privacy ABC, to train people on privacy best practices.

eLearning (external link) — The Office of the Privacy Commissioner

Staff awareness is key to preventing cyber security incidents and data breaches.

Staff awareness is key to preventing cyber security incidents and data breaches.

Make sure everyone in your business knows how to keep important data and systems secure. 

Cyber security awareness training for your staff (external link) — CERT NZ

Best practice to keep staff safe

Hear top tips that will help small businesses keep their staff safe online, from experts from the private sector and government agencies.

Video transcript

Watch full webinar

Rating form

How helpful did you find this information?

Rate this