1. Install software updates
Keeping your devices and software up to date is one of the most effective things you can do to keep your systems safe.
Why it matters
Devices and software that are not up to date are at risk of attacks. Software updates (also known as patches) don't just add new features – they often fix security vulnerabilities too.
What to do
- Check that all your servers, computers and mobile devices are still supported by the manufacturer – this means they'll still get software updates and patches for their operating systems.
- Install any updates to software and operating systems as soon as they’re available – set your system preferences to install updates automatically if you can, and make sure staff know to do this too.
- If any systems need to have updates tested before they're rolled out, make sure your IT support provider applies them within a few weeks of release.
- If staff use their own devices for work (BYOD devices), make sure they're running supported operating systems and software before they access your business network. Make sure they keep their devices up to date too.
Patching advice for IT staff – CERT NZ
2. Implement two-factor authentication (2FA)
Implementing 2FA means that anyone who logs in to your system will need to provide something on top of their username and password to verify that they are who they say they are. You can implement 2FA on internal systems and your customer-facing systems.
Why it matters
Using 2FA can reduce the risk of credential reuse, phishing attacks, and many other online security threats.
What to do
- Enable 2FA on key systems, including:
- email services
- cloud aggregator services, for example Office 365, GSuite, or Okta Cloud Connector
- document storage
- banking services
- social media accounts
- accounting services, and
- any systems that you use to store customer, personal or financial data.
- Enforce 2FA for each user in the system.
- Consider not using systems that don’t support the use of 2FA.
Protect your business with two-factor authentication (2FA)
3. Back up your data
Backups are a copy of your data – all the digital information you need to keep your business running. You can store backups in the cloud or offline, and should run them regularly.
Why it matters
If your business data is compromised in any way – if it’s lost, leaked or stolen, for example – the backup lets you restore it quickly so your business can keep running.
What to do
You’ll need to back up all of your data, including data that's:
- provided by customers or staff – employee or customer personal details, customer account credentials
- generated by the organisation – financials, operational data, documentation and manuals
- system-based – your system configurations and your log files.
You should:
- set your backups to happen automatically so you don’t have to remember to do it
- run backups regularly, and as often as key data changes. If you have new customer data coming in every day that would be impossible to re-create, set your backups to happen a few times a day
- store your backups in a safe location that’s easy to get to – and isn’t on your own server. Ideally, you need to store your backups somewhere offline. If you use a memory stick or external hard drive to store your backups, disconnect it from your network every day.
4. Set up logs
Logs can help to warn you when an incident:
- may be about to occur – for example, when you’ve had multiple failed logins to your network, or
- has occurred – like a login from an unknown IP address in Uzbekistan.
You can set logs up to alert you to any unusual or unexpected events that you need to know about.
Why it matters
The sooner you know about a security incident, the sooner you can act to protect your business.
What to do
Set up logs for:
- multiple failed login attempts, especially for critical accounts. This includes cloud aggregator services like Office 365 or GSuite
- successful logins to your CMS and changes to any of the files in it (if you don’t change them often)
- changes to your log configurations
- password changes
- 2FA requests that were denied
- anti-malware notifications
- network connections going in and out of your network.
Store logs in a safe location and make sure they’re encrypted. Your IT service provider can help you with this.
Set up logs and monitoring for your website
5. Create a plan for when things go wrong
If your business has a cyber security incident, you’ll need to know what steps to take to keep your business running.
Why it matters
Having a clear plan in place will help you through what could be a stressful time. It’ll help your team respond to an incident quickly, and improve your business's resilience.
What to do
Create an incident response plan for your business. Our guide will help you understand:
- what you need to do if you’re targeted by a cyber security attack, and
- what plans to put in place so you’re prepared for this kind of event.
Creating an incident response plan
6. Update your default credentials
Default credentials are login details that give a user administrator-level access to a product. They should only be used for the initial setup, and then changed afterwards.
Why it matters
Default credentials are easy to guess or find online. Attackers could use them to get into your system.
What to do
- Check for default account credentials on any new hardware or software you buy, or any devices that have been factory reset. If you find any, change them. Make the new passwords long, strong, and unique.
- Use a password manager to store your usernames and passwords. That way, you won’t have to remember them all, and they’ll be encrypted so no-one else can access them.
CERT NZ’s critical controls: Default credentials
Create a password policy for your business
7. Choose the right cloud services for your business
Using cloud services to manage your IT needs can give you:
- access to software without needing to buy it yourself
- access to your data from any device, at any time
- storage space and backups for your data.
Why it matters
There are a lot of cloud services providers out there, and you need to make sure you choose the right one for your business. Before you commit to a provider, check they can give you the services and protection you need.
What to do
Ask your cloud services company:
- if they’ll back up your data for you, or if you have to do it yourself
- if they offer the option to use 2FA (if not, see if there’s another provider who does)
- if they’ll notify you of a security breach if it happens
- what happens to your data if they’re bought out by another company, or if they go under
- if they have a public security policy, and a way for you to report security problems to them, for example through a specific email address. If not, that should be a red flag for you.