Ngā tino tīwhiri haumarutanga tuihono mā tō pakihi

Top online security tips for your business

Cyber security attacks on businesses are becoming more common. It doesn’t matter how big or small your business is, you need to protect your data, your network, your customer information, and your reputation.

Woman sitting at desk holding documents and smiling
  • Install software updates

    Keeping your devices and software up-to-date is one of the most effective things you can do to keep your systems safe.

    Why it matters

    Devices and software that are not up-to-date are at risk of attacks. Software updates (also known as patches) don't just add new features – they often fix security vulnerabilities too.

    What to do

    Check that all your servers, computers and mobile devices are still supported by the manufacturer – this means they'll still get software updates and patches for their operating systems.

    Install any updates to software and operating systems as soon as they’re available – set your system preferences to install updates automatically if you can, and make sure staff know to do this too.

    If any systems need to have updates tested before they're rolled out, make sure your IT support provider applies them within a few weeks of release.

    If staff use their own devices for work (BYOD devices), make sure they're running supported operating systems and software before they access your business network. Make sure they keep their devices up-to-date too.

    Patching advice for IT staff | CERT NZ

  • Implement two-factor authentication (2FA)

    Implementing 2FA means that anyone who logs in to your system will need to provide something on top of their username and password to verify that they are who they say they are. You can implement 2FA on internal systems and your customer-facing systems.

    Why it matters

    Using 2FA can reduce the risk of credential reuse, phishing attacks, and many other online security threats.

    What to do

    Enable 2FA on key systems, including:

    • email services
    • cloud aggregator services, for example Office 365, GSuite, or Okta Cloud Connector
    • document storage
    • banking services
    • social media accounts
    • accounting services, and
    • any systems that you use to store customer, personal or financial data.

    Enforce 2FA for each user in the system. Consider not using systems that don’t support the use of 2FA.

    Protect your business with two-factor authentication (2FA)

  • Back up your data


    Backups are a copy of your data – all the digital information you need to keep your business running. You can store backups in the cloud or offline, and should run them regularly.

    Why it matters

    If your business data is compromised in any way – if it’s lost, leaked or stolen, for example – the backup lets you restore it quickly so your business can keep running.

    What to do

    You’ll need to back up all of your data, including data that's:

    • provided from customers or staff – employee or customer personal details, customer account credentials
    • generated by the organisation – financials, operational data, documentation and manuals
    • system-based – your system configurations and your log files.

    You should:

    • set your backups to happen automatically so you don’t have to remember to do it
    • run backups regularly, and as often as key data changes. If you have new customer data coming in every day that would be impossible to re-create, set your backups to happen a few times a day
    • store your backups in a safe location that’s easy to get to – and isn’t on your own server. Ideally, you need to store your backups somewhere offline. If you use a memory stick or external hard drive to store your backups, disconnect it from your network every day.

    Backups for your business

  • Set up logs

    Logs can help to warn you when an incident:

    • may be about to occur – for example, when you’ve had multiple failed logins to your network, or
    • has occurred – like a login from an unknown IP address in Uzbekistan.

    You can set logs up to alert you to any unusual or unexpected events that you need to know about.

    Why it matters

    The sooner you know about a security incident, the sooner you can act to protect your business.

    What to do

    Set up logs for:

    • multiple failed login attempts, especially for critical accounts. This includes cloud aggregator services like Office 365 or GSuite
    • successful logins to your CMS and changes to any of the files in it (if you don’t change them often)
    • changes to your log configurations
    • password changes
    • 2FA requests that were denied
    • anti-malware notifications
    • network connections going in and out of your network.

    Store logs in a safe location and make sure they’re encrypted. Your IT service provider can help you with this.

    Set up logs and monitoring for your website

  • Create a plan for when things go wrong

    If your business has a cyber security incident, you’ll need to know what steps to take to keep your business running.

    Why it matters

    Having a clear plan in place will help you through what could be a stressful time. It’ll help your team respond to an incident quickly, and improve your business's resilience.

    What to do

    Create an incident response plan for your business. Our guide will help you understand:

    • what you need to do if you’re targeted by a cyber security attack, and
    • what plans to put in place so you’re prepared for this kind of event.

    Create an incident response plan

  • Update your default credentials

    Default credentials are login details that give a user administrator-level access to a product. They should only be used for the initial setup, and then changed afterwards.

    Why it matters

    Default credentials are easy to guess or find online. Attackers could use them to get into your system.

    What to do

    Check for default account credentials on any new hardware or software you buy, or any devices that have been factory reset. If you find any, change them. Make the new passwords long, strong, and unique.

    Use a password manager to store your usernames and passwords. That way, you won’t have to remember them all, and they’ll be encrypted so no-one else can access them.

    Default credentials | CERT NZ

    Create a password policy for your business

  • Choose the right cloud services for your business

     Using cloud services to manage your IT needs can give you:

    • access to software without needing to buy it yourself
    • access to your data from any device, at any time
    • storage space and backups for your data.

    Why it matters

    There are a lot of cloud services providers out there, and you need to make sure you choose the right one for your business. Before you commit to a  provider, check they can give you the services and protection you need.

    What to do

    Ask your cloud services company:

    • if they’ll back up your data for you, or if you have to do it yourself
    • if they offer the option to use 2FA (if not, see if there’s another provider who does)
    • if they’ll notify you of a security breach if it happens
    • what happens to your data if they’re bought out by another company, or if they go under
    • if they have a public security policy, and a way for you to report security problems to them Credit card icon for example, through a specific email address. If not, that should be a red flag for you.

    Using the cloud securely

  • Only collect the data you really need

     Consider what information you really need to collect from clients and contacts.

    Why it matters

    Your level of risk is based on the amount of data you have – the more you collect, the more valuable it is to an attacker. By only collecting what you need, you reduce your risk.

    What to do

    When you get new customers or clients, only collect and store the information from them that you need. Be clear about why you need it.

    Make sure you’re encrypting any data you collect. This includes while it’s:

    • in transit – for example, collecting data from your customers through an HTTPS form
    • at rest – when it’s stored in a database.

    The Privacy Commissioner has built a tool, Priv-o-matic, to help you create a privacy statement that you can share with your customers. You can use it to tell them how you’ll collect, use and disclose their information.

    Create a privacy statement with Priv-o-matic – Privacy Commissioner

  • Secure your devices


    Enable anti-malware software on any device that accesses your business data or systems. This includes both company-owned devices and any BYOD devices that belong to your staff.

    Why it matters

    It prevents malicious software – such as viruses or ransomware – from being downloaded and getting into your systems. Malware’s easier to avoid than it is to fix.

    What to do

    Use the security features that come as a default with your computer’s operating system. This includes Windows Defender for Windows 10 devices, or Gatekeeper for OSX. Otherwise, use software that can detect malware and that gets updated regularly.

    Don’t let your staff access your network with devices that are jailbroken or rooted. Their devices should only use apps downloaded from their phone provider’s app store, like the Apple Store or Google Play Store.

    Educate your staff about online security

  • Secure your network

    There are different types of security features you can add to your network to filter traffic and restrict access.

    Firewalls help control where connections go, and proxies can act as an intermediary between different computers or networks. For example, you can use a web proxy to send traffic from your business network to the internet, and it could filter that traffic and prevent any bad traffic – to sites hosting malware, for example – from getting through. A VPN can help you access your business network remotely if you needed to.

    Why it matters

    You need to think about your business’s network security as soon as you have:

    • employees who need access to business applications and accounts
    • multiple devices linked to your network – like laptops, phones, and printers
    • customers or guests who want to use your WiFi while they're at your office.

    The more devices and users you have on your network, the more opportunity there is for attackers to find a way into it.

    What to do

    Talk to an IT or network engineer to explain what your business does, and what you use your business network for. They can help you configure any separate networks or network devices that you may need to protect yourself. For example, you may need to:

    • limit access to the internet-facing parts of your network to only those who need it
    • use a VPN if you need to remotely access systems on your business network
    • use separate VLANs for your business network to control what parts of the network can talk to other parts.

    Secure your small business network

  • Manually check new or unusual requests

    Two people communicating icon

    If you need to pay a new supplier, or to change bank details, double check it manually  by phone or text before you approve any payments. Do this for any unusual or unexpected requests too.

    For example, if you get an email from a supplier asking to change their usual bank account number, phone them to check that the email came from them.

    Why it matters

    Having manual checks will prevent you from getting caught up in online fraud, like invoice scams.

    What to do

    • Define a process for certain types of transactions – for example, requiring phone call verification if someone places an order over a certain amount or requests a certain type of change.
    • Use a separate channel of communication to check a transaction or change before it happens. For example, if you’re doing business over email, follow up with a text message or phone call.
    • Have a clear point of escalation for your staff. For example, if a staff member receives an email that looks like it's phishing, make sure they know what to do. Put a process into your incident response plan. Your process should include reporting it to CERT NZ.

    Phishing scams and your business

    Protect your business against email compromise

Get help

If you’ve experienced an online security issue, your first step is to contact the service provider.

You can also report an online issue or security incident to us at CERT NZ.

Get help now

Photo of a woman's hands holding a mobile phone with webpage showing the words Your business action plan.

Business online security assessment tool

Get a free customised action plan that will help you and your business become more secure online.