Computerworld

Top 15 tips for Kiwi SMBs to boost cybersecurity practices

What can SMBs do to reduce the risks of attack and the damage such attacks may cause?

The need to protect computers, programs, networks and data from attack, damage, theft or unauthorised access is not restricted to governments and large businesses.

With governments and large businesses spending considerable sums of money protecting their systems, criminals are turning their attention to softer targets like small businesses.

According to CPA Australia, one of the world's largest accounting bodies, cybersecurity is therefore a real issue for small businesses in New Zealand just as it is across the Tasman.

For most, it is not a matter of if you will be attacked, but whether you have already been attacked or will be.

Given that client data may be the primary target of such attacks, the question is what you can do to reduce the risk of attack and the damage an attack may cause.

No single action will protect you from cyber attacks. The following lists some of the actions you should consider to improve your cybersecurity:

Know your business

It is important to be fully informed as to how all aspects of computing services your business uses are provided and protected.

For a small business today, there have never been so many services and applications that can be accessed via the internet or cloud, and can be used in the office or on a mobile device.

There is usually little or no opportunity to vary the terms of use of these services. You should consider how your business would operate if a service were unavailable for a period of time, how easily you could move your information to another provider, and how your provider is protecting your information from data loss.

Cybersecurity starts and ends with you and your staff

You can invest considerable sums of money on systems and hardware to protect your network only to find a simple error or an inadvertent sharing of passwords by a staff member can allow a criminal to circumvent all those protections.

You must therefore establish and enforce basic security policies, and train staff so that they are aware of secure behaviour, and have a reasonable idea of when someone may be inappropriately seeking confidential information from them.

This could be via an email (known as phishing), over the phone (known as vishing) or even via text message (sometimes called smishing).

You should give one staff member responsibility for regularly communicating and training you and your staff on cybersecurity issues.

Keep your software up to date

Install anti-virus software and keep it, your web browser and your operating systems up to date. Set the anti-virus software to run a scan after each update.

Enable automatic updates for this software and prevent employees from disabling them. Use application 'whitelisting' (allow-listing), so that only approved programs can run, to help prevent malicious software and unapproved programs from executing.

Have a firewall

Make sure your operating system’s firewall is enabled and prevent staff from disabling it. If employees (or others who have access to your system) work remotely, ensure their systems are protected by an appropriate firewall and that it is up to date.

Patch vulnerabilities in applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office, as well as in the operating system itself. Software that is no longer supported (Flash has been end-of-life since the end of 2020) should be removed rather than patched.

Identify your assets that may be vulnerable to attack

Do a stocktake of the assets you have that could be vulnerable to attack, so you know what you need to protect and can prioritise risks. Assets include both physical items and intangible ones such as intellectual property and client data.

Do regular backups

Regular backups stored at a secure offsite location or in the cloud should allow you to get your business up and running quickly after an attack.

Test on a regular basis that those backups can actually be restored; a backup that has never been restored is an assumption, not a safeguard. If you use a cloud backup service and you are storing sensitive client information, encrypt the backups before they leave your premises and keep the encryption keys separate from the backups themselves.
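The restore test described above, as an added example (Python; not code from the Computerworld article or CPA Australia): it archives a directory together with a SHA-256 manifest, then proves the backup restores by extracting it into a scratch directory and comparing every file against the manifest, refusing archive entries that could write outside the extraction directory. Encrypting the archive before it goes to a cloud service is assumed to be a separate step (gpg or similar) and is not shown; the sample files are constructed inline.

```python
"""Create a backup archive and prove it restores cleanly.

Added example, not code from the article.  The encryption step the text
recommends before uploading to a cloud service is assumed to be done
separately (e.g. with gpg) and is not shown here.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write source/ into archive under 'data/' together with manifest.json."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
        payload = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("manifest.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return manifest


def _safe_members(tar: tarfile.TarFile):
    """Yield members, rejecting any that could write outside the target dir."""
    for m in tar.getmembers():
        if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
            raise ValueError(f"unsafe entry in archive: {m.name}")
        yield m


def verify_backup(archive: Path) -> list:
    """Restore into a scratch directory and compare with the manifest.

    Returns a list of problems; an empty list means the backup restores
    cleanly.  Any exception while reading counts as a failed backup, which
    is exactly what a restore test exists to catch.
    """
    with tempfile.TemporaryDirectory() as scratch:
        scratch = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, members=_safe_members(tar))
            expected = json.loads((scratch / "manifest.json").read_text())
        except Exception as exc:  # any failure to read or extract is a failed restore
            return [f"archive unreadable: {exc!r}"]
        data_dir = scratch / "data"
        if not data_dir.is_dir():
            return ["data directory missing after restore"]
        restored = build_manifest(data_dir)
        problems = [f"missing after restore: {n}" for n in expected if n not in restored]
        problems += [f"hash mismatch: {n}" for n in expected
                     if n in restored and restored[n] != expected[n]]
        problems += [f"unexpected file restored: {n}" for n in restored if n not in expected]
        return sorted(problems)


def run_demo() -> tuple:
    """Constructed sample data: a good backup and a truncated (corrupt) copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "clients"
        (src / "invoices").mkdir(parents=True)
        (src / "clients.csv").write_text("id,name\n1,Example Ltd\n")       # constructed
        (src / "invoices" / "2023-01.pdf").write_bytes(os.urandom(4096))  # constructed
        (src / "notes.txt").write_text("constructed sample data\n")
        good = tmp / "clients-backup.tar.gz"
        manifest = create_backup(src, good)
        good_problems = verify_backup(good)
        # Simulate a corrupted upload: keep only the first half of the archive.
        bad = tmp / "clients-backup-corrupt.tar.gz"
        bad.write_bytes(good.read_bytes()[: good.stat().st_size // 2])
        bad_problems = verify_backup(bad)
    return manifest, good_problems, bad_problems


if __name__ == "__main__":
    _, ok, broken = run_demo()
    print("good backup:", "restores cleanly" if not ok else ok)
    print("corrupt backup:", broken)
```

Run this on a schedule against the most recent backup rather than on the day you need it; the point of the truncated copy in the demo is that a backup which uploads without complaint can still be unrestorable.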


Check the security of third parties accessing your system

If you allow suppliers or contractors to access your systems, ensure that cybersecurity requirements are built into their contracts, and that their cybersecurity processes at least meet your own.

If they in turn outsource your work to another provider, check their level of cybersecurity. Make sure you review access on a regular basis and revoke accounts where necessary.

A register of organisations and their employees that have access to your network will enable you to identify and disable access when circumstances change.

Cybersecurity and mobile devices

Employees, contractors, suppliers and customers that can access your network from their own device present risks. If you do allow such access, limit what such users have access to.

Require employees, contractors and suppliers that can access your network from their mobile devices to password protect such devices and have appropriate security apps installed. Consider enforcing restrictions by limiting access to known devices (known as a whitelist).

Control physical access to your network

Make sure you establish a separate user account for each employee and require strong passwords; the original CPA Australia advice is to expire them at least every three months, although current guidance such as NIST SP 800-63B favours long, unique passwords changed on suspected compromise rather than on a fixed schedule. With separate user accounts you can track what individual users do.

Consider restricting who can plug devices into your network to authorised personnel only.

Restricting access to your Wi-Fi networks

If you have a Wi-Fi network in your business for employee use, make sure it is secure (WPA2 or WPA3 with a strong passphrase) and does not broadcast its name; note that hiding the network name offers little protection on its own, so it is no substitute for the passphrase. If you have a public Wi-Fi network for customers, ensure that it only gives users access to the internet, not to your business-critical networks. Never use public Wi-Fi hotspots to access your company network.

Separate your point-of-sale systems

Isolate your point-of-sale systems from other, less secure systems. Speak to the bank that provides your point-of-sale systems, as it may be able to help you secure them better.

Limit employee access to information systems

Employees should only be given access to the systems they need to perform their duties. No employee should have access to your entire system and the installation of software should only occur with specific permission.

Consider requiring separate authority and passwords to access critical data. Once a person leaves your employment, their access to your system, including remote access must be removed immediately.

Limit the use of administrative or privileged accounts to the occasions when maintenance requires them; day-to-day work, including email and web browsing, should be done from standard accounts.
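The access register from the third-party section above and the leaver and privileged-account rules in this section, served by one added example (Python; not code from the Computerworld article or CPA Australia): an access review over a constructed account register that revokes leavers and expired contracts, questions shared logins, disables dormant accounts, and flags anyone whose only account is a privileged one. The register format, the 90-day dormancy threshold and the sample accounts are assumptions; in practice the register would be exported from your directory or identity provider.

```python
"""Access review over a register of accounts.

Added example, not code from the article.  The register would normally be
exported from a directory or identity service; here it is constructed
inline.  Rules: remove leavers and expired contracts, question shared
logins, disable dormant accounts, and flag people whose only account is a
privileged one.  Thresholds and sample accounts are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

DORMANT_DAYS = 90  # assumed threshold


@dataclass
class Account:
    username: str
    person: Optional[str]          # None for a shared or generic login
    organisation: str
    privileged: bool
    contract_end: Optional[date]   # None for permanent staff
    last_login: Optional[date]     # None if never used


def review_access(register: List[Account], leavers: Set[str],
                  today: date) -> List[Tuple[str, str, str]]:
    """Return (username, action, reason) for every account needing attention.

    Rules are ordered by severity: a leaver is revoked even if the account
    is privileged, dormant or otherwise interesting.
    """
    has_standard_login = {a.person for a in register if not a.privileged and a.person}
    findings = []
    for a in register:
        if a.person in leavers:
            findings.append((a.username, "revoke",
                             f"{a.person} has left; remove all access including remote"))
        elif a.contract_end is not None and a.contract_end < today:
            findings.append((a.username, "revoke",
                             f"contract with {a.organisation} ended on {a.contract_end}"))
        elif a.person is None:
            findings.append((a.username, "investigate",
                             "shared login; individual activity cannot be traced"))
        elif a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.username, "disable",
                             f"no login in the last {DORMANT_DAYS} days"))
        elif a.privileged and a.person not in has_standard_login:
            findings.append((a.username, "check",
                             "privileged account is this person's only login; "
                             "issue a standard account for daily work"))
    return sorted(findings)


def sample_register(today: date) -> List[Account]:
    """Constructed register for a small accounting practice (not real data)."""
    def days_ago(n: int) -> date:
        return today - timedelta(days=n)

    return [
        Account("jsmith", "Jane Smith", "Example Accounting", False, None, days_ago(2)),
        Account("jsmith-adm", "Jane Smith", "Example Accounting", True, None, days_ago(20)),  # separate admin login: fine
        Account("bpatel", "Bob Patel", "Example Accounting", True, None, days_ago(1)),        # works as admin all day
        Account("mlee", "Mei Lee", "Example Accounting", False, None, days_ago(1)),           # left last week
        Account("contractor-kw", "Kim Wong", "Northside IT Ltd", True, days_ago(10), days_ago(3)),  # contract over, still logging in
        Account("payroll-vendor", "PayrollCo support", "PayrollCo", False,
                today + timedelta(days=200), days_ago(150)),                                  # dormant supplier access
        Account("reception", None, "Example Accounting", False, None, today),                 # shared front-desk login
    ]


def run_review(today: date = date(2024, 3, 1)) -> List[Tuple[str, str, str]]:
    """Review the constructed register against a constructed HR leaver list."""
    return review_access(sample_register(today), leavers={"Mei Lee"}, today=today)


if __name__ == "__main__":
    for username, action, reason in run_review():
        print(f"{action:<12}{username:<16}{reason}")
```

Note that the contractor whose contract has ended is still logging in; that is the case a register exists to catch, since nobody notices an account that keeps working. Jane Smith's separate admin account produces no finding because she also has a standard login for daily work, which is the arrangement the text recommends.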

Disaster recovery plan

Have a disaster recovery plan in place to help you respond in case you are subject to an attack and your data has been accessed or lost or your system is impacted by a virus.

Consider including in your plan how you will communicate with customers and others if their data has been accessed or lost.

Review

Regularly review your security to see whether it is still appropriate. You may wish to engage an external party to review and advise on the effectiveness of your cybersecurity. The review should also cover your suppliers and your insurance cover.

Perform unannounced tests, such as simulated phishing emails, to educate staff and/or suppliers about cybersecurity risks.

Report attacks

As with a break-in at your premises, you should report attempted and actual break-ins to your systems. Law enforcement agencies can only act against such criminals if the incidents are reported.

In New Zealand, you can report an attack through the National Cyber Security Centre (NCSC) website: www.ncsc.govt.nz/incidents/