This is all about practical guidance for small businesses to understand how to stay safe online.
My name is Matthew Kennedy-Good and I am Head of business.gov and we are a proud sponsor of Tech Week 17. When we asked our audiences online if they were interested in tuning into a webinar, a staggering 98% of them said yes. I think 2% of them may have guessed that I was going to be moderating it, but otherwise I think there was almost universal support and interest in this so we are really excited to welcome you here and welcome you online.
The name of this webinar is Keeping Your Business Safe Online and it is something that we know from our research as well that lots of small businesses in New Zealand don’t really focus on until they have a problem and then it is a nightmare that they are going to focus on until it is fixed or it goes away in some way, often at a cost of thousands of dollars. This webinar tonight is how we can help small businesses in New Zealand save that from happening and save thousands of dollars for free.
I am now going to introduce you to a globally, world leading panel of experts. First we have Steve McCabe. Steve is a partner at the global consulting firm PWC in the Cyber Unit. He has had 15 years of experience in leadership roles and was formerly the Head of Security at British Gas. He is going to introduce us to security issues and how your business can actually turn them from being a threat into being an advantage and we are very lucky to have Steve here tonight.
Following Steve we are going to hear from Sai Honig. Sai is a Board Member of ISC2. Incredibly, it has 120,000 members globally, and it is a security education and certification organisation. Sai is also a Consultant for Xero and she is going to talk about what small businesses need to think about to stay safe online. Thank you for coming tonight.
Next we have Paul McPherson. Paul is Head of Security at Xero and has 25 years’ experience in information security, compliance and risk management. Paul not only keeps Xero safe, he keeps their one million customers safe online in the cloud, so he is a man used to dealing with pressure. I know if I had a problem online, I would talk to one of these panel members, possibly Paul, if it was a problem to do with the cloud especially. He is going to focus really on email and how to keep safe when using that vital tool that so many businesses of course rely on.
Finally we have Stuart Dillon-Roberts. Stuart is a pillar of the online community in New Zealand. He left IT, where he had been involved in lots of senior roles, in about 2013 and set up Digital Journey. Digital Journey is a not-for-profit designed to help businesses all around the world, but especially in New Zealand, make the most out of online opportunities. Stuart is going to talk about a digital security tool that Digital Journey has created and he is going to answer questions and talk about how you can use that to keep your business safe online.
So that is all for me. I am going to pop up every now and again to introduce questions that we have got from online and the audience, but otherwise can I welcome Steve.
I just realised that in a webinar you don’t get any applause.
See I had to beg for it. So look, today is all about the questions that you guys ask, it is all about the questions that come through online through the webinar and my colleagues here will be taking you through some of that, I guess, the finer points of some of the security tips and tricks to keep yourself safe. I think from my perspective I just want to take you through a couple of the core concepts to kind of set the scene.
The first couple here is that we are seeing a massive increase in economic crime and cyber crime. Two distinct categories – the one where they steal a bit of money and they bruise a few reputations and the other one where you lose your intellectual property and it lays waste to your business. Now that might sound a scary concept but very much cyber is the risk that will define our generation. So the move to digital, the move online, the massive dissemination of information and the volumes of information that we are creating – cyber really will be a significant risk and it is not going to get any better, okay. It is not going to go away. We are going to be moving more and more digital and as we move more and more digital, it will become very important both for your businesses and for society at large that we look after our information.
So we talk about cyber as a risk. It is a business risk discipline; it is a business management discipline. It is not a technology problem. So when you are thinking about your small businesses I want you to think about the things that are really important to your small businesses from a business perspective and not from a technology perspective.
There are a couple of immutable laws I think when we talk about New Zealand and New Zealand as a whole - fantastic people, a fantastic country but there are some truths about New Zealanders that I like to spin out on every occasion I possibly can. The first one is that we are an incredibly trusting society, okay. We like to think the best in people, we like to think that everybody is doing the right thing and at the same time we don’t like being told what to do. We don’t like being told how to live our lives and what sort of rules to follow.
Now there are a couple of things kind of flashing behind me, but I will just ignore it.
We have a kind of ‘she’ll be right’ mentality, so when we put those things together it means that we are in a position where we have very few laws and regulations about the way that information is used, but at the same time we like to think that everybody is doing the right thing. So there are a couple of statistics there that I hope you can see. These statistics are from a global information security survey that we run on an annual basis. These are actually from 2015 and there is a reason for that.
The first one, we asked our NZ participants how much confidence they had in both their suppliers and the confidence in their security controls and you can see there that 83% and 84% told us that they were either very or somewhat confident in their control sets. Now their controls are things that they have that help them protect against security threats. We found those figures stunning. We found them stunning about how many people were so confident in their ability to protect against security threats; to look after what they had.
So we asked people, we said why are you so confident and the top three answers that we got from the people that we asked were – firstly ‘She’ll be right’, and that is no lie. That is what they told us. The second one was that if I buy something, I implicitly expect it to be secure. And the third one is that if nobody tells me something is bad, I am going to assume it is good.
Now those three things I think are all pretty flawed assumptions and I think you would all agree that they are quite flawed assumptions. Now what that means is that we exist in this kind of cyber attack continuum where we are thinking about security and we are thinking about how likely are we to be attacked and there are two ends of that spectrum that you can see there. The first one is people believe that it will never happen to me; what have I got that someone is interested in and they think the answer to that is nothing. And the second one is the sky is falling in; it’s the Chicken Little approach at the other end of the continuum which means that you tend to over-invest and you do things that disable your business.
My job and the jobs of these people on the panel here is to enable businesses to succeed safely and confidently, making the most of your information assets. And in small businesses, that is massively important. So the best place to be in that continuum is somewhere in the middle, somewhere where you are making the right amount of investment in security, you are not over-investing and you are not doing too little. In terms of ‘it will never happen to me’ – we know that to be false, okay? The chances are that this is a ‘when’ not ‘if’ and the most important thing about this slide you are seeing now is the 40% of New Zealanders who think that a cyber incident will occur, it will happen to them and then the 45% who have a plan. Okay? Maybe they are the same 40% - who knows – but more importantly over half of the respondents to this economic crime survey said that they don’t have a plan.
The most important thing you can do as a small business owner is have a plan. Your ability to respond, to do something when it happens is massively important. If I give you a kind of education analogy – teachers know that in schools children will fall over and they will hurt themselves. That doesn’t mean that they don’t put mats beneath the gym equipment, it doesn’t mean that they don’t do everything that they can in the playgrounds to make it as safe as possible, but they understand that something is bound to happen at some point and prepare for it. They train people in first aid; they have the procedures in place to make sure they know what they are going to do when something like this happens.
We can do the same as small business owners. So why bother? The title of this presentation is ‘Why do anything about this at all’ because we know that a lot of people don’t. The first one is that security and privacy is a competitive advantage, it is a massive competitive advantage. In the future as businesses become more and more digital, the way that information is treated will become a differentiator for customers. It will be a differentiator for whether people choose you as a business or not. It is a very important distinction because business is becoming more digital, not less and as I said before this won’t go away.
The third thing there is that breaches are pretty expensive. So some recent research has found that a breach roughly costs about $190 per record. That’s a lot of money. If you have a database of 1000 customers, 100 customers, 10,000 customers it is going to cost you a lot of money and that is money to recover, money to put it right, money to pay fines and these things tend to dominate your business. They don’t go away. So the really important thing to recognise here is that you need to be prepared to deal with these types of events because if not, they will overtake you. They will overtake your business and your organisation.
The other thing is that as Directors of businesses whether they are big or small, you have legal obligations. You have a duty of care to make sure you are protecting information and your information assets. And then finally, the trust and confidence of customers is absolutely critical to most brands and I expect that for most small businesses - for those of you online and for those of you here – that is true for all of you. It is a very important aspect of maintaining your brand and the protection of your brand.
So what can you do? It is not a lost cause here okay, you can respond, you can protect yourselves. The guys on the panel here will talk to you more about how you can protect yourself but essentially the things that you have to think about is firstly your own context. Your context is what is important to you; it is the things that are massively critical to you and your business. Not everybody has the same risks, not everybody is subject to the same threats. Think about what is really important to you, what information is really important and critical to your business and your organisation.
If that information isn’t there or is disclosed or it is changed – what does that mean to you? So what are the risks that really impact your organisation? You need to treat information as the asset that it is. We know that when we talk to organisations that they can tell us within a couple of dollars how much money they have got, they can tell us pretty accurately what sort of people they have and what types of skills they have. If we ask them to identify where their information is and what value it has, they find that much more difficult. So really treat it as the asset that it is, set the rules – so set out policies and I guess Sam we are probably going to talk more about education as we go along.
If I was going to spend a dollar on information security, I would spend 40 cents on education every single time – it is by far the most effective thing you can do. Nine times out of ten something that happens is because of something that somebody did or something they didn’t do. So a really key part there is to educate yourselves and educate others. Educating your people is an investment that you won’t regret.
Being prepared to respond, so setting out a plan and making sure you understand what that plan is and how you are going to execute that plan and probably most importantly – practise that plan. Make sure that you are practising what might happen in the event of an incident and then get the basics right. There are some very, very simple things that you can do – these guys here will tell you some more about that, but get those basics right. Do the hygiene bits properly – there are very easy technology steps that you can take to prepare yourself and to protect yourself.
Okay, do you want me to take some questions here Matt?
Thank you, yes that would be amazing. First off, one question that has occurred to us is… you mentioned small businesses, and it is something I mentioned too, what we are seeing is that they are not necessarily rushing towards this and possibly understanding the risk until something bad happens to them. We know that bigger firms are really taking this very seriously. When you are talking about the continuum, are you starting to see in your day to day work that smaller businesses of certain types take this more seriously because of the exposure to attacks? What are you seeing out there in the real world?
Yeah look, I think the small businesses that are taking this more seriously is the start-up. It’s the digital start-up that is starting from an online premise straight out the door and I think they are taking it more seriously because they understand that their business model is completely predicated on protecting their information and that of their customers. I think they are recognising very early on that losing that information is kind of ‘pack home and go home’ time. So in that place, in terms of the ‘it will never happen to me’ – we are finding that the start-ups are far further along this continuum. But some of the more traditional bricks and mortar businesses, we are still seeing the kind of ‘it will never happen to me’ end. And that is largely because they don’t believe they have anything that anybody would want.
But what we are seeing is a much more sophisticated threat, as people are motivated to take what you have. Whether that is organised crime, whether that is nation states, whether that is activists, people who take some sort of moral or ethical objection against your business model or even insiders. And insiders are a huge part of that threat community.
Thank you very much. We are going to hear lots more from you in the panel discussion on certainly other questions. That was incredibly valuable and I really appreciate you of course sharing that with us.
Next we are going to bring up Sai and Sai is going to, as I said, give us some information and advice really tailored towards New Zealand small businesses, and if anyone else who is listening online or here in the audience has questions that are related to maybe keeping your family safe online, Sai in her work with ISC2 will also be able to answer those questions and they have got some great tools and applications for keeping your broader family safe online.
Good afternoon. So small businesses – you are under attack. You are probably the largest group of people that will be under attack. First of all, so what is a cyber attack? Well, it is an attack that comes through a computer or a computer network, it is generally from an anonymous source and the intent is malicious - to either take your data or to otherwise render it useless to you. This segment of the business population is the largest growing because, number one, there are more of you. Two, you have connections that make it easier to get into other small businesses and also large businesses.
So we have seen in the news ransomware is a big attack method and we are also finding that lots of businesses are paying for them, not just small businesses but even large businesses. We have heard about hospitals paying millions in ransom. Frankly if you are a small business, you need to get back onto your feet as soon as possible so you are going to be paying the ransom.
You have valuable data, this is data that could be used for either stealing funds or it could be potentially used for identity theft and one of the things I would also like to counsel small businesses is to think about what data you really need and not to collect too much. You may also lack some of the advantages of larger businesses where we have a team of cyber security professionals and so with changing technologies – it is kind of hard to keep up. Especially when your focus is on building your business and building your brand.
Also as you are building your businesses and building your brands as we stated, understand what your cyber security needs are. Training is obviously a very big part of that and there are resources that we can talk about. Many of them are free for you to train yourself and train your staff.
There is something that you can’t really ignore and we have seen in social media posts, hey I am going on a holiday, will be gone for two weeks. Or personal information is put out there; maybe even information about your business is put out there. Be careful of what you post and this is also where it is really good to train your staff on what they should and shouldn’t do.
Back up often. I can’t say that enough, and understand that it might seem like it is just an extra chore, but a lot of your backups can be done automatically – you just need to make sure that they are done properly and that those backups can be used in the event that they are needed. And if you really have sensitive information, consider encrypting. This will allow you to essentially lock up your data and you hold the keys to unlocking that data.
These were figures that I have found online about the cost of small breaches and I can only imagine that those figures are only going to go up. In terms of just a website hack that might be something that can be recovered, but consider the time that you have to put into it. To bring your systems back up to what they were, you may have lost data and because of that you may have lost some business, and on top of that your reputation may also be hurt.
Okay, shall we take a question?
Thank you Sai, that was amazing. We have experienced a couple of little technical difficulties so please bear with us online, we have got those sorted. I don’t think it is a result of a malicious hack but certainly if it is I feel very comfortable with the people in this room to make sure everything goes okay.
Sai, in some of your talks you talk about … we found it really interesting how users sharing data in their personal lives could be used against them in their business. Could you talk a little bit more about that, most people are on Facebook and maybe they are on Twitter too – what can they do in that space?
I know from a small business side you see yourselves as being part of this target, but there are things you can do to keep yourself from being a target and one of them is to watch out what you are posting online. And I mentioned this and some of you may know about Garfield the cat – ISC2 has partnered with the creator of Garfield the cat and created a series of cartoons explaining cyber security and one of them is about posting. Posting personal information, posting your location, where you are going, are you on holiday – those kinds of things, be careful of what you are posting. And also be careful who you are communicating with. We found that particularly children are communicating with strangers and providing personal information like their names, their home address, their phone numbers etc. This is kind of scary because there are predators who are now online and it is hard to catch them. So do take the opportunity if you have children or if you are involved with schools to take a look at that information.
Thank you for that and thank you for going into that. I know that every business owner out there has friends and often family who are often a concern as well. So one more question that has come in from our audience is people are really interested in how you see the cloud and whether or not it is safe to store your information there. Can you talk a little bit about that?
Yeah, I have heard it often said, well my data is in the cloud and it is safe. Well, yeah that can be said but there are different levels of safety. I know Xero operates in the cloud, but we are also checking to make sure that the controls are in place. So some things as a small business you might want to consider is what protection does your cloud provider offer and are those sufficient for you? A lot of that is going to depend on what data you are holding in the cloud. For example, if you are holding credit card information or other business transactional information, you might have to have very stringent requirements. They are called PCI and your provider should be aware of those.
Also just because the provider is doing their part to protect your data, you need to understand what your business processes are to protect your data because it is a two-way street and I know Paul is going to talk more about that in his talk.
Can I just add to that?
Absolutely – jump on in.
I agree with Sai, I think that the other thing to be wary of online in the cloud is that the reputable cloud providers spend millions of dollars on implementing controls and protections for the cloud and generally they would be more secure than anything you could possibly hope to stand up yourself. But the other thing to bear in mind is that there is no such thing as a free lunch, so anything that you subscribe to, sign up for – if it is free there is a good chance that their business model requires your information.
So when was the last time anybody here read a terms and conditions when they signed up to a service? Yeah, not often right.
For those of you online – not many people in the audience raised their hands.
So it is important to understand what you are signing up for, what you are doing as a result of clicking that ‘I Agree’ button.
Thank you so much and in fact we have had a question which relates to that from our online audience. It is from Paul in Te Kuiti and Paul has asked the panel as a whole, his comment was that he feels like for small businesses the options for web hosting and keeping your business safe perhaps more generally, he feels that they don’t really compare with what he has seen in North America. Can you talk about what options there are for small businesses in New Zealand to field Paul’s question?
I would say that if you are using cloud services the options that are available in North America are completely available to you here in New Zealand as well.
Could you name any in particular?
Yeah I could. Well certainly Xero, our platform is all hosted in the US with AWS. And just coming back to what Steve was saying about doing your due diligence around your cloud providers, I think that is very important because on the internet anybody can represent themselves as anything, and I think when you are looking at a cloud provider, and I would say also when you are looking at a local provider, someone who might just be a local hosting provider – you need to get comfort that they have the right controls in place for the data that you want to store with them.
And often providers, like Xero, have independent assessments against known standards so that people can get that comfort, and most of your mainstream cloud providers also go through that process, and we, as we say internally, eat our own dogfood. We use cloud service providers to run our business, the likes of Salesforce and Workday etc, but we don’t just rush in and use them just because they are cloud providers. We have gone through very stringent due diligence ourselves of those providers before we have got comfort that we are happy to have our Xero business data in those cloud providers.
That is really interesting. Would it be fair to say for small businesses, who we know are very busy and are trying to get a million things done, that if the organisational brand that they are using, the online cloud provider, is well known and has a good reputation in a sense - is that a fast track to understanding the security around it? Or would you say that lots of the big providers, without naming any of them, have been hacked and that it is all a bit of risk but the better known, the safer?
To understand that, the cloud providers are not just providing security for one customer. They have to provide security for all of their customers and they will try and provide the same level of security regardless of where you are located – whether you are here in New Zealand or North America or a small island out in the middle of the Pacific ocean somewhere else. There is a reliance on that level of security but there is also a reliance on what you as a business owner are going to do, like don’t share your credentials, use two factor authentication – those are things that you can do. And also ask questions because the chances are that someone has asked that question and there is a response out there for it.
I would just like to add that in security there are no absolutes. You know, we have seen companies with 100 million dollar security budgets that have been hacked but then they have been targeted because they are high value organisations and people specifically go after them. If you are the target of some of these nation state actors out there who are after your intellectual property, then there is probably very little that you can do to prevent and you are then very much in a – have you got the right controls in place to detect and respond appropriately.
But I think for small businesses, for most of their services I honestly believe that they are safer in the cloud, with a reputable cloud provider because as I said, there are large teams of people looking after the security of all their customers. But it is that shared responsibility model – you still have to look after your account because if somebody compromises your account, no amount of security in place by the cloud provider is going to prevent somebody getting into your data. And that is where, as Sai was saying, you need to have strong passwords, you need to use additional authentication, you need to protect the devices you are using through having good anti-malware, through patching and keeping things up to date.
And that was another question that we have picked up around staying up to date – is that as simple as updating your browser regularly? Are there other things that small businesses can do?
A lot of the updating these days of your software is automatic, things just update as needed but you do need to keep an eye on some products if you are installing different, out of the mainstream products then you need to make sure that they do provide that regular update. A lot of your … I know you get a new laptop these days and it will generally come with some sort of an assistant to maintain the software to tell you when patches are available and when they should be applied or that they have been applied automatically. So for the most part, it is a process that just sort of happens under the covers and you don’t really need to take a lot of note of it but you at least need to make sure it is happening.
Excellent. So our next speaker, unless we have other questions? Okay, we will go to our next speaker – Paul.
Thanks very much Matt and good afternoon everybody. I was just going to touch a bit on email. And just knowing a little bit about the risks of email because I think everyone is aware and everyone uses email in their business. It is fast, it is reliable, it is low cost and you are not killing thousands of trees to go out to market to all your customers. It is easy to send documents, your quotes, your invoices, plans etc.
I recently went through a process of building a house and it was a continuous stream backwards and forwards between me and the builder and the architect – and you can imagine the cost and time involved if you were doing that snail mail or couriers sending all that information back and forwards. We probably still wouldn’t have moved in. So email is of great value to all businesses and certainly if you are conducting business overseas, yes there are more instant means of communications but when you are operating around different time zones it is very convenient just to be able to send that email and come back in the office the day after and you have a response there.
But I think that everyone should just understand the risks of email and what they can do to mitigate those because email today is probably the primary attack tool for our hackers and scammers out there. I think probably most people have heard of the Sony Pictures hack a couple of years back. Whether you attribute that to the Koreans or anyone else, the first step of penetrating Sony’s corporate network was the email with the attachment that somebody clicked and it installed a piece of malware which then called out to command and control and basically escalated privileges and hey presto – we own your network. And there were quite significant repercussions from that.
More generally, as was mentioned earlier, ransomware is the attack of the month or has been the attack of the month probably the last couple of years. The gangs that are running ransomware are making large amounts of money out of it and it is just that shotgun approach. They can fire it out to huge lists of email addresses that they have bought on the dark web and if some of them stick, they make money. I even heard of a recent variant where they sent it to somebody and if you got caught, you had the option of paying or you could refer two friends. And if they got caught, you got your data back and that is pretty low, a low way of doing it but I would like to think that you wouldn’t do that.
But that is the sort of thing these guys do – if there is a way to exploit something, they will figure it out. And email is inherently insecure. The internet as a whole and email were never initially designed with security in mind. I always think of email being an open postcard rather than a sealed envelope – if it is out there on the wire and if someone wants to sniff it, they can do. That said, most of your major mail providers do recognise these issues and they are working with all the other mail providing community to put the controls in place to make life better and more secure for people that are using email.
I was fortunate enough to go to a conference event recently where I heard someone from Google speak and through their relationships with other mail providers, over 80% of email that is inbound or outbound to or from Google is now encrypted, as well as all being encrypted on their internal network. But there are other things that people do with just impersonating email and impersonating senders to try to trick people into clicking on that link or clicking on that document that is attached.
Some of you probably would have heard of the term social engineering and that is basically manipulating somebody to do what you want or provide the information you want – it is far easier to hack the person than to hack the computer. Why go to all that trouble of trying to break through somebody’s firewall and steal their data if you can just get them to click on something that then gives you complete control of their computer and you just carry on and do it? I think it is key that people understand the risks there are on email; I am not saying we shouldn’t use it – of course we should use it, but just to understand that and know how to mitigate that to the fullest extent you can.
One thing I would say is that we see email being used to exploit our customers and exploit the community all the time, so I come back to what Steve said around educational awareness. There is huge value in educating yourself and, in a small business, educating your staff around how to spot these emails. You know, don’t be too quick to click on them, and also protect your own email account. We have seen our customers, and sometimes non-customers, whose email accounts have been hacked, and I think it has been well publicised here in New Zealand happening in the building industry: the builder’s email gets hacked and then any recently sent invoices get modified and re-sent from that builder’s email account with a message along the lines of, ‘Our bank account is being audited so can you please pay to this new account’. And they are after those big milestone payments, and we have seen 20, 50, 70 thousand dollars paid into a fraudulent bank account.
Fortunately in most instances with the cooperation of the banks here in New Zealand, that money has been retrieved. Excuse me.
Sorry – first week back at school last week, so the kid’s virus infection.
So these are things that you would watch out for and even today it was in the press or in the paper that another email scam is doing the rounds – emails purporting to be from the DHB to suppliers with purchase orders. The purchase is then sent to a freight forwarding company and shipped off overseas to some dude who is now in receipt of a lot of well-made New Zealand goods for no cost.
So this sort of thing happens all the time and it is just a bit of education and a few additional controls. I would say for your own email account, as Sai was saying, second-factor authentication is a fantastic protection for preventing people getting access to your accounts. Even if they compromise your password, if you have second-factor authentication enabled (sometimes called multi-factor authentication; we call it 2-step authentication at Xero), it is a really good road-block to the bad guy getting into your account. I can’t recommend doing that highly enough.
If your mail provider doesn’t provide second-factor authentication, personally I would be looking for another mail provider. Thank you.
Thank you so much. We have had a couple more questions come in from the audience. That whole talk was super interesting; it has inspired lots of comments that I have heard, and I note, I guess, that with your children passing viruses on to you, some of what you talked about maybe happens in the real world as well as in the online world.
One of the questions that we have had came from Nica and that was around protection and what you can do around passwords. What you mentioned around the two-step authentication was super interesting and I wonder, aside from reading that an email service has two-step authentication, what does that actually mean in practice?
Oh okay, so two-step authentication, two-factor, multi-factor is something that you apply to your account. So normally you would sign in with your user ID and your password. Now that is all well and good, even if you are using a very strong password, but if somebody infects your computer with malware that logs your keystrokes or captures your password, which a lot of this malware often does, or you get tricked into going to a phishing site which then captures your user ID and password, it doesn’t matter how good the password is, the bad guys have got it.
But second factor actually relies – it is called second factor because, as well as the password, which is something that you know, there is a code that is generated by an app on your smartphone, and that is something that you have. So if the bad guy doesn’t have access to that smartphone and the app on it – because the code is unique to your account and that device – they still can’t get into your account. And that is a very good control for preventing unauthorised access. Back in the dim, dark days of technology, and it is probably only about five years ago, banks used little tokens from RSA, a security company, and there were other variations, where there is a constantly rolling code on the token. But now with the advent of smartphones, anyone can install that app and it is available on your device.
Thank you for that explanation, that has cleared up lots of things and I am learning things myself. One other aspect that I think some of the people in our audience are interested in, in relation to passwords, is … we have heard that you need to keep different passwords for different accounts as a form of security. Would you recommend that people save them, perhaps through a password manager or through a browser?
Not so much the browser. There are potentially issues with security in browsers, but I would say use a good password safe. I am not going to recommend any here but there are certainly a lot of good reviews out there around password safes. Some password safes have had issues in the past but they have learnt from that and there are some quite good options available – some of them on the desktop, some paid, some free; you can also have some in the cloud so they are accessible to you from anywhere. But certainly have strong passwords, and … you can use your password safe: if you have got one good password for the password safe, then you can have it generate random values that you use for everything else, and it makes it really easy to manage.
And the reason for that, or one of the reasons for it, is if you use a common password across services and one of those services gets breached – like recently Adobe, LinkedIn, Myspace, Yahoo, Ashley Madison, iMate – you name it, there have been so many well-publicised breaches of password databases that there are too many to count – they get that, and what they do – and we have seen this at Xero recently – is that they take a big dump of credentials; they have stolen the password database and they will just try it against all different services, like Xero and like banks etc., to see what sticks.
So if you have used the same password on your LinkedIn profile as you have on your internet banking, then hey presto – they are into your internet banking. Except of course that you obviously would have put two factor authentication on your internet banking to prevent that.
Thank you so much and look, that is so interesting about what you can do on those practical steps. We are going to move along now to Stuart and it is timely actually because one of the questions we have had come in from the audience is why is uptake so slow amongst businesses and what are the online tools that I can use to help. So keep questions coming in for the rest of the panel if you have anything else, we will go to a panel discussion and have some practical guidance to finish up as well. Thanks Stuart.
Thanks Matt. So hi, I am Stuart and thanks for coming out tonight and also for being online. So Digital Journey is an organisation that has been designed and developed to help businesses keep themselves safe online but also improve their use of the internet. So we are very much frontline, so we are right at the frontline, talking to businesses that have had a cyber incident or are suffering from an attack and helping them through the recovery process and keeping them safe for future transactions and being online.
So yes, we have painted some really bad pictures here; this cyber crime is on the increase and there are some great risks out there. We have developed this service that is free for New Zealand businesses to help them try and improve their cyber protection.
So our little tool here is called Cyber Security. It is a free online cyber assessment tool, so every business can do this tool. It goes through a series of questions and at the end of the assessment you get a free action plan and some guidance on how you can improve your cyber protection. So we know businesses are suffering from things like software on their machines not being patched properly, not being protected properly, and some online tools out there as well. So we go through a series of questions about how the business can potentially improve its software on its machines. Same with hardware, and people of course, with awareness campaigns and policies and procedures.
So we take a snapshot of a business and we ask them a series of questions and from those questions and the answers that they provide, we give a free action plan. The action plan, rather than being an overwhelming 20 different things you could do and lots of steps and lots of detail, we just give you five things to do to improve your cyber protection. So there are five things to take away and put into action in your business. Here is an example of that action plan.
Now this action plan is personalised to the business, so the way you answer the questions in our assessment drives the actual action plan. The action plan is unique to your business and you only get the recommendations based on the questions that you have answered. Even more so, we wanted to give a bit more here. So we decided in our assessment tool to provide a benchmark – so how does your business compare to other businesses when it comes to cyber protection? Have you fallen behind other businesses in your sector when it comes to protecting yourself online? Or are you ahead of your competitors and other businesses when it comes to protecting yourself online?
So our last part of our assessment tool gives you a benchmark, a little view of how your business is performing when it comes to protecting itself. Do you need to invest more time or effort to achieve better security or are you looking right for your business?
So this is a free tool. We decided to create this because we felt that there was a growing number of businesses that were out there that we were talking to who were suffering from cyber crime. So the tool link is available through the business.gov website and also on this slide deck and I really encourage you to give it a go. It is only 18 questions and will take about 2-3 minutes of your time and at the end you will get the action plan and the benchmark of where you sit in the cyber security world.
Please do share it around, it is a free tool. Share it around to your colleagues, friends and other businesses and see if we can raise that cyber protection across the business community. Thanks Matt.
Thank you Stuart and thank you for providing such a great online tool for free. All the help that you have been giving New Zealand businesses is phenomenal and at MB and business.gov we are really grateful for your support.
We have a question online and that’s very astute, with someone saying it seems to be about human error, so education is key. How do I keep up to date with education?
This is a great starting point, so doing the assessment tool is a great way to start and to assess how you are positioned as a business. Also in the actual plan you get links to online resources, so we have gone away and created some articles and some online e-books – it is called Cyber Security Resources – and in there, there are some tips and tricks about helping educate your staff about staying safe online; there are some templates to download about the sort of things you can go through with your staff to keep their level of security and knowledge up. So that is a great resource to use, and other stuff like Netsafe and those types of products out there are all again listed on the business.gov website, which I think we have access to after this webinar.
But yeah, certainly have a go at the starting point of our assessment tool and the links in there will point you to our resource site which is a repository of tips and tricks and advice to help you in this particular area.
Excellent, thank you so much. What we are going to do now is to switch across to the full panel discussion which as you have noticed is kind of what we have been doing the whole time anyway. We have got other questions that have come in that I think might be suitable for different panel members.
For example, Patsy has asked – and I think this could be a question for Steve – she said that lots of people she knows feel uncomfortable about taking their business online, so why take the risk?
It’s a really good question. I guess you would take the risk because … I guess it is looking at whether that risk is right for you. Yes, there are risks to being online, but there are also massive advantages to being online. There are huge opportunities. And it is a bit like when we started adopting the cloud in a very significant way and there were massive opportunities in being in the cloud, but there were also risks attached to it.
So in terms of why I would take the risk: you potentially have global reach with the internet, there are no geographic boundaries. You have a much larger user and customer base; you have got different ways to get to market rather than traditional bricks and mortar. So look, there are a whole heap of reasons why being online is a great idea, but at the same time you have to take the right steps to protect yourself.
And that is really just … I think right at the beginning there – it is not impossible to do so. We are paid to think like bad people, it is an occupational hazard, but that is not to say that there aren’t … you know, there are lots and lots of people who operate online every day who do so very safely, and it is just about taking some of the steps and advice that is here.
I think one of the other great resources to have a look at as a small business is the government’s Connect Smart initiative, so that is available online; if you google ‘Connect Smart’ you will find it. Lots and lots of resources there and, in terms of staying up to date, they are plugged into global resources that help you stay up to date.
Thank you, and that is a nice prompt: in our audience tonight, live, we have representatives from CERT NZ, which has just launched, if anyone online has any questions that they would like someone like CERT NZ to answer. CERT NZ is the first place you can go if you notice that you have been hacked or if there is a scam; you can report it. It has tools both for professionals and for non-professionals, so if you have any questions we can direct that question to the experts in our audience.
Another question that we have had online relates to staff and employees. Now for small businesses, what we see all the time is that once you have got employees your business changes, and it seems that could be true in this realm too. For the panel in general, what things can small businesses put in place to help their staff stay safe online and keep their businesses safe?
I would say one of the first things is around the education and awareness – just making sure your staff are aware of the scams and what goes on, and where the resources are that they can find to keep up their awareness. One thing I would say is that if you receive something by email that looks suspicious, a lot of organisations now do run pages on their websites where they keep track of those latest scams that are exploiting their brands. Xero has its security noticeboard; if you look at NZ Post, Westpac Bank and probably every other major player in NZ. I think Vodafone runs a very good scams and online safety site, so there is a lot of information to be had out there, so if you get something you think is dodgy it is fairly easy to check. There is also the MBIE Scamwatch site which pretty much gives you a rundown of everything going.
So there is a lot of resource to be had out there. I think the other thing I would say is that there is possibly not a day or a week that goes by where you don’t see an article around somebody defrauding their employer, and one thing I would say there – and I know it is not possible in a very small business – is perhaps to enforce a segregation of duties where no one person has the keys to the kingdom when it comes to being able to get access to the business’ money. But if you can do that it is a good idea, and always give people … operate on the principle of least privilege – you have just the access you need to do your job and nothing more. And that also is a good thing for preventing external hackers from exploiting you, because if they compromise an account and it is not able to do a great deal, then that is the best thing that can happen.
I think it is also good to have an internet usage policy as well. So the word policy is always quite frightening for a small business, so we always say just put down ten things about how you can use the internet as an employee. So it just defines some very simple things about what you expect employees to do when they use the internet, and that will give you a little bit more of that awareness stuff, and the thing about that is that often in sort of post-incident reviews, I often hear from staff saying – I didn’t realise I couldn’t do that. I didn’t realise I couldn’t do that on the internet, I didn’t realise that was against the rules. So regular reviews of that with staff, just to make sure that they are following the acceptable use practice you have in place.
It almost sounds like what would be great for small business is a workplace policy builder that helps small businesses understand what sort of IT policies they should put in place for their staff and lucky for you out there, if you go to business.gov – the workplace policy builder – it is wpb.govt.gov – you can find our workplace policy builder. It’s free, really easy to use, puts in place clear policies so that your staff understand what they can do with technology in your workplace. Paid for advertisement by business.gov.
Another question that we have had come online is around insurance. Do you see small businesses putting in place insurance against hacks and if so, what types of businesses?
Well, I think it just depends on what your business is and what your requirements are. Some of these policies are very, very expensive and many of them are very limited in what they can provide you. It may not be enough for you to recover from a potential cyber attack. So be careful, you know the devil is always in the detail so read the fine print before you sign and make sure that it is going to meet your needs.
Thank you. I have another question in which is for Steve. What would people out there put in place around business continuity planning? And in fact if the other panel members want to jump in too, this idea is something that MBIE is very focussed on promoting: thinking about the risks that face your business and taking measures before the disaster happens.
Yeah, look, I think it is a really good point and I think it is important to draw a distinction between disaster recovery and business continuity. Business continuity can kick in in lots of different scenarios that don’t constitute a disaster; disaster recovery is more of a technology thing and business continuity is about the business. I think that the important thing to do is to go through the exercise of trying to understand what is really important to you as an organisation in terms of the business processes that you run, what it is that you do and how you would continue those in the event your infrastructure, your environment, your technology, your people and your processes no longer exist.
And for a lot of small businesses, that can be quite a simple exercise – it is purely a prioritisation about what really needs to run in the event that we have a situation where we have a problem. That is kind of the way that I would approach it in that sort of prioritisation and what is really important.
One of the things I always talk about with business continuity, and this is for real small businesses now, is that yes, you’ve got to have some practices in place, but you can’t beat having good backups, and it is one thing that we have talked about already – it is just something that we don’t do enough of, but you can automate it now and it is really simple: have a copy of your data kept away from your computer and away from your office, and that is so important. So I think that is probably policy number one or activity number one when it comes to business continuity.
And that in fact brings the separate issues, disaster recovery and business continuity, together – keeping it separate.
And we obviously work with some very large organisations, but it doesn’t matter whether you are large or small, the very first thing we do when we are talking to organisations about security or business continuity is we ask them what they do and why they do it. Because that determines your purpose as an organisation, and your purpose is what you are there for, right? So when we talk about the things that might happen, getting back to business as usual, getting back to your purpose, is your key objective. So when you are thinking about business continuity and when you are thinking about security and your risk, first of all understand what you do and why you do it, and then what is the information and systems and technology that we use to meet that mission, to meet that purpose.
That will very quickly tell you the things that are important and the things that aren’t and if you focus on the things that are important it just helps you prioritise.
I just want to add to what Stuart was saying about keeping your backups separate – there is no shortage of horror stories and statistics around organisations who have suffered a fire, a theft or whatever and the backups were sitting next to the device that was stolen or in the same office that went up in smoke, and the stats around that sort of issue for a small business are that very often, six months down the track, they are out of business. So if you are taking backups, there are a lot of cloud services that provide backups; there are potentially risks if you get ransomware around that, potentially even encrypting your backups. If you are taking backups to a separate device, make sure you are taking that offline when you are not doing backups and also taking them off-site.
What a great practical piece of advice, which is going to bring us to the final sort of concluding remarks, and I am going to put you all on the spot and ask you to think of one practical thing that businesses can take away from what we have heard tonight, or what you think the number one thing a small business can do to stay safe online is once we have finished with this webinar. Stuart, let’s start with you.
So I have mentioned backups – does that count?
We can go with backups. You could also say that you could use a security online tool for freeing your digital genie?
Obviously use our tool, which is going to be a good starting point because that is a great way to give you a snapshot of how you are doing on security, but of all the times we have been helping businesses that have gone through ransomware – and ransomware is one of those classic things – I have got Office 365 or I have got my files on Dropbox and I can see all the files and they are in the cloud and they are all safe – ransomware doesn’t care about that. It takes over your machine; if it is in OneDrive or in Dropbox, it is still going to be infected and you are starting off looking at that blank screen saying you have to pay some ransom. So I cannot emphasise enough that having a good backup that is not connected to your machine and kept offsite is absolutely critical.
So an offline backup – thank you Stuart. Paul?
I am going to cheat here and say two things. I can’t stress strongly enough my recommendation that if two-factor or multi-factor authentication is available to you on an account – use it. If it is not available to you, I would say look to a service that has it. And the other thing is the value of education and awareness, especially when it comes to avoiding scams. Knowing that an email is dodgy and therefore I shouldn’t click that link or open that attachment. Those are the primary ways that people are getting into your organisation and getting the malware in, getting your machine infected with ransomware or stealing your information.
Excellent, really practical. Look for that two-factor authentication in the security settings or in preferences, I imagine, and make sure you use it if it is there. Sai?
I would say keeping your devices updated, and too often I have seen when the updates are turned off – and I mean that includes these little guys too. When you get an update or you get a notice of an update, nine times out of ten it is not just new features; it also includes new security protections that have been developed over time, so you want to have the latest on your devices.
Thank you so much. Make sure you update the software you are using. Finally Steve.
I’m not sure what you are leaving me here. We have done education, we have done hygiene. Don’t ignore it.
I couldn’t have summed it up in a better way, and it is around the continuum that Steve was talking about. Don’t be one of the businesses that just shuts this out of your life until it happens to you and suddenly you haven’t stored your data somewhere else, you haven’t checked your two-factor authentication, so suddenly they are accessing all the different programmes that you have got. Make sure that you have got good practices and processes in place and don’t ignore it.
Thank you to everyone, the panel and the audience for your participation.
[End of Transcript]