We know that security isn’t the sexiest subject and passwords can be a pain, but now more than ever is the time to take your business’ cyber security seriously.
The world is more technologically reliant than ever before and cyber threats are becoming progressively more serious and severe. According to a recent report from CERT NZ, businesses in New Zealand reported a direct financial loss of nearly $4 million in the second quarter of 2021 alone, which was a staggering 30% increase from the previous quarter.
And while the monetary value of a data breach is sizeable, cyber security attacks can also have a detrimental and lasting impact on a business’ brand and reputation, oftentimes leading to a substantial loss of customers, sales and business profits.
If your business uses technology, even as basic as email or a website, you are at risk of a cyber attack. The good news is that the majority of cyber security breaches can be prevented if you put technology safeguards in place, have the appropriate policies and properly educate your staff to increase cyber security awareness across your organisation.
To help mitigate the risk of a cyber security incident happening to your business, we’ve compiled a few technology, policy and people strategies that you can start applying straight away.
Hackers are becoming more skilled at finding loopholes in security systems to gain access to confidential and protected data, posing a significant cyber security threat to all types and sizes of businesses. Here are our top tips for keeping your technology safe, secure and up-to-date.
1. Back up your data regularly. Archiving and backing up your business data properly and regularly ensures that if you do face a cyber attack, you still have access to all of your information. You can use a removable storage device, like a hard drive, or sign up to a cloud-based system to keep your data stored in a safe and separate place.
2. Always update your operating system and apps when new versions become available. Updates aren’t just about adding new, fancy features; they also contain critical patches for security holes that help reduce your risk of cyber attacks, data loss and privacy breaches. Regularly check your devices to make sure they’re all up-to-date or set your operating systems to install new updates automatically.
3. Limit user access rights. The principle of least privilege involves limiting and restricting user access for accounts, users and processes to only what’s required for a person to perform their job. If you haven’t already done so, consider limiting your user access rights to minimise the potential misuse of information or data and restrict the number of things an attacker can do if a user’s account does become compromised.
4. Schedule antivirus scans or install antivirus software to run natively on your work devices. Performing antivirus scans or installing antivirus software will detect and remove viruses and help secure your business’ data against all different types of attacks.
5. If you own or operate a website, make sure you have a security certificate or an SSL (Secure Sockets Layer) certificate. An SSL certificate is a digital file from a trusted third party that indicates that your website is secure and helps provide privacy, security and data protection for both your own and your users’ personal information. You can obtain an SSL certificate online if you don’t already have one; just remember to take note of your certificate’s expiration date so that you can renew it before it expires.
6. Get your cyber insurance sorted. Cyber insurance typically covers your business’ liability for a data breach of sensitive customer information like credit card details or personal health records. If your business relies on sensitive information, consider getting cyber insurance to help cover losses triggered by a cyber attack.
7. Conduct security audits on a regular basis. A security audit is an evaluation of your business’s systems and security practices. We recommend conducting your own internal security audit or calling on agency auditors or an independent security organisation at least once a year to help you assess your organisation’s systems and stay on top of the changing nature of security threats.
Cyber security policies set the standard of behaviour, help employees better understand how to maintain the security of data and applications at work and impact the public image and credibility of your organisation. Here are some important things to consider when it comes to creating, implementing and updating your organisation’s security policies.
1. Develop a cyber security policy that you can implement and audit against. A cyber security policy forms the foundation of your organisation’s entire approach to security, listing all of your business’s cyber security plans and procedures. You can learn more about internal and external cyber security policies and how to implement them on the CERT NZ website.
2. Plan ahead for different scenarios and put an incident response plan in place. An incident response plan is a documented, step-by-step plan that helps you navigate the different cyber security scenarios your business is at risk of and reduce the impact they may have on your organisation. You can learn more about how to develop an incident response plan here.
3. Make sure that your security policies are accessible and available to everyone in your organisation. You can create strong security policies, but if your employees never see them or don’t know where to find them, they will never be effective. To prevent this from happening, ensure you distribute your policies effectively so that everyone in your organisation has a copy or knows where to find one.
4. Keep your policies up-to-date. Your security policy should be a living document that is constantly updated as things change or become irrelevant. Just be sure that as you make changes to your policies, you notify your staff about what’s been amended.
It’s critical that your staff are aware of your business’ cyber security risks and how they can play a part in keeping your business cybersafe. Here are some of our leading tips on how to spread the word and educate your employees about the importance of cyber security.
1. Make security training accessible and painless. Security awareness training is a very effective way to reduce your business’ risk of a cyber security incident. There are plenty of security awareness training companies and online courses out there that can teach your employees about how to avoid and protect against cyber security threats in a fun and engaging way.
2. Encourage staff to lock their devices when stepping away from their desks or the office. This helps prevent unauthorised people from accessing any personal or confidential information.
3. Create a password policy for your business. One of a company’s biggest vulnerabilities can come from employees utilising poor passwords. To improve your company’s password security, encourage your staff to set strong and unique passphrase combinations for each of their accounts – something that is at least 12 characters long and a mix of letters, numbers and symbols. If any of your staff worry about remembering their passwords, you can encourage them to use a password manager like LastPass.
4. Encourage employees to implement two-factor authentication (2FA) and single sign-on (SSO). Asking your employees to add 2FA and SSO to their accounts is an easy way of adding another layer of security to important business information.
5. Educate employees about phishing attacks. Phishing attacks, in which carefully targeted digital messages are sent to fool people into clicking on a link that can then install malware or expose sensitive data and information, are becoming increasingly sophisticated. Make sure your employees understand the different phishing techniques hackers can use so that they know how to detect and avoid opening emails and clicking on attachments from suspicious senders.
6. Tell your staff to refrain from connecting their work computer or mobile phone to unsecured networks like free and public wifi. Using free, public wifi comes with a number of serious security risks such as theft of passwords, data breaches and cyber attacks. Ask your staff to refrain from using public wifi networks to reduce both their personal risk and the business’s risk of being hacked.
We know it’s a long list, but being proactive about your cyber security is the only way to reduce your risk of a cyber attack. We hope you stay cyber aware and consider implementing these strategies to reduce the risk of a security incident happening at your organisation.