Keeping your employees safe online

Paul Macpherson from Xero and Stuart Dillon-Roberts from Digital Journey have some advice to help keep your employees safe online.


Host: What things can small business put in place to help their staff stay safe online and keep their businesses safe?

Paul: I’d say one of the first things is around education and awareness. Making sure your staff are aware of the scams and what goes on and where the resources they can find are to keep up their awareness.

One thing I’d say is, if you receive something by email that looks suspicious, a lot of organisations do run pages on their website that keep track of the latest scams that are exploiting their brand.

Xero’s got their security noticeboard, if you look at New Zealand Post, Westpac Bank, and probably every other major player in New Zealand (I think Vodafone runs a very good scams and online safety site). There’s a lot of information to be had out there. If you get something that seems dodgy it’s fairly easy to check. There’s also the MBIE (Ministry of Business and Innovation) scamwatch site which gives you a rundown of everything going. So, there’s a lot of resources to be had out there.

The other thing to say is, possibly not a day or a week goes by where there’s not an article around somebody defrauding their employer. One thing I’d say there is (I know it’s not possible in very small business perhaps), enforce a segregation of duties where no one person has the keys to the kingdom when it comes to being able to get access to the business money. But if you can do that, it’s a good idea. And always operate on a principle of least privilege — you have just the access to do just your job and nothing more. That is a good thing for preventing external hackers from exploiting you because if they compromise an account and they’re not able to do a great deal, then that’s the best thing that can happen.

Stuart: I think it’s also good to have an acceptable use policy. The word policy is always quite frightening to a small business. So, we always say just put ten things about how you can use the internet as an employee. Just define some very simple things about what you expect employees to do when using the internet, and that will give you a little bit more of that awareness. The other thing about that is, in post-incident reviews I often hear from staff saying “I didn’t realise I couldn’t do that. I didn’t realise I couldn’t do that on the internet. I didn’t realise those were the rules in place”. So just regular reviews of that with staff, just to make sure they are following the acceptable use practice you have in place.