Business webinar replay: Online security basics for business

[Visual] The screen opens displaying a slide tile with the webinar title. The host, Hadyn Green appears in a small window at the top right-hand corner at around 15 seconds in. Throughout the video, the webinar slides change to match what the speaker, Sam Leggett is discussing. At times Hadyn, the host will cut in – as each speaker speaks, they appear in the top corner.

[Audio: Host/Hadyn] Morning everyone, I can just see everyone filtering in at the moment. We're obviously just going to give a little bit of time. We've got quite a few participants today.

So yeah, quite a few registrations for the webinar today so going to give it a minute to let everyone slowly get into the room? Find their seats.

[Audio: Speaker/Sam] Grab a coffee, grab a drink of water, whatever you need to before we get started.

[Audio: Host/Hadyn] Yeah, absolutely. Stay hydrated.

Just do a quick note for the people who are, who have already hear, the early ones. As we go through this, you'll see a Q&A box down the bottom toolbar there that you can use to add any questions that you want, want us to answer and we'll get to them either during the talk if they're relevant or all of the end.

If they're not relevant, no, there's not what else meaning! But just there's a big summary then we can also go through all the questions there.

Alright, we'll give it just a little bit more, a few more people just trickling in, that's alright.

You know, I'm watching the number of participants and it just went down by one and then back up so I assume someone had a connection issue. So good morning, everyone. My name is Hadyn Green, I am the Senior Comms person here at CERT NZ and with me is Sam Leggett.

[Slide change]  He's our online, ah, there he is. Senior Analyst, Threat and Incident Response. Expert in all things, cyber crime related. Today we're talking about business. We're giving a rundown of the basics of what to do if you're running a business, specifically a small business where you know that most businesses are a small in New Zealand, so this is going to be the, the starter for 10 so to speak.

As I mentioned before, if you do have a question, and there's a Q&A box down the bottom there, you can check it in there, will either answer it at the time or we will do, we'll get to it at the end and we'll cover off all the all the topics that you want.

So feel free to check them in there. 

[Slide change]

Bit of a rundown about what CERTs about.

So, CERT NZ is, we're the public facing cyber security agency for individuals and businesses. We offer help with incident responses so if you, if you hit with any sort of thing, we can help out with that. We also run a whole bunch of like national campaigns. You may have seen some of our billboards around for our new website. Own Your Online, on which is Own Your Online dot G O V T dot NZ you'll see the little logo down there in the in the corner.

And so that's, online resource full of tips and guides and, and information that you can get on business stuff and also for your own personal cyber security. And of course, we also really regular stats and help you know what threats are coming up.

[Slide change]

And these are the topics we're going to cover off today. Common threats, practical tips and the basics for the cyber security for businesses.

And with that I'm going to hand over to Sam.

[Audio: Speaker/Sam] Awesome. Thanks very much, Hadyn. Yup, today we're covering off the basics for cyber security for businesses.

And the idea of today's session is to enable you to go away and implement some of these controls yourselves.

What we want to do is get rid of some of the jargon. Get rid of the confusing aspects of it and actually present it in a way that you yourselves can go away and put these things into practice in your own business today.

I'm going to look at some of the common threats that we see reported to CERT New Zealand that are affecting businesses. So these are reports that have come from all organisations and businesses in New Zealand through to us. And then we're going to go through a list of practical tips.

When we go through that list of practical tips. we're also going to look at actually how to implement those. These are the basis of cyber security. We're going to talk about the ways that these can protect you and where it's important to implement these in your own business.

[Slide change]

Alright, so starting off with the common threats that we see affecting organisations

[Slide change]

in New Zealand, I captured these stats from our quarterly reports way back from the start of twenty twenty one, all the way through to the quarter three report of twenty twenty three.

Collated all the information of the reports of incidents that are affecting organisations so that we can get an accurate snapshot of what's actually going on, what's actually affecting businesses here in NZ.

So obviously the first thing that you'll notice is the big, stat at the bottom there. Phishing and credential harvesting takes up the vast majority of reporting when it comes to organisations. Now, even some of these terms are maybe a little bit technical and a little bit, scary.

Phishing ultimately, we're going to talk about phishing a little bit more detail but ultimately it's the practice of people sending messages pretending to be someone they're not, trying to get information they shouldn't have.

This is the common thing that happens in New Zealand through a few different mediums. Like I say, we're gonna dive into that in a little bit more detail.

A few things that I want to point out on the screen. Ransomware is a bit of a scary incident that affects businesses quite, quite intensely. Quite severe impacts to organisations. And there's a couple things that we can actually group up here.

So, unauthorised access is basically attackers is getting into accounts they shouldn't have access to and website compromise as a bit of a part of that.

You can call it kind of come under that umbrella a little bit. We've obviously got scams and fraud category as well being in the second highest there, and there's a couple ones in particular that are mostly affecting organisations of businesses.

So the first one that we often see is the gift card scam. This either looks like an email or a message through an app like WhatsApp, something like that.

Where someone claims to be, a member of your organisation and a position authority, claims that they need some urgent assistance and then they ask you to go out and buy some gift cards usually as a present for good work of the staff as a bit of a reward.

This can kind of come under the umbrella of phishing. We're going to talk about why in just a moment.

But the good news is that when we go through these practical tips, they, these are going to help you prevent the vast majority of things that we see reporting in terms of reporting from organisations.

It's going to help produce to gets malware, ransomware, unauthorised access, website compromise. A number of scams and fraud and it's also going to give you some extra protection against things like phishing too.

[Slide change]

Speaking of phishing, as I said, phishing is ultimately the practice of sending a message that could be an email, a text message, even a message through social media, pretending to be someone reputable, an organisation of repute, a well-known business.

The intent here is that the bad guys trying to get your personal information. Typically your financial information, login details to various online accounts and things like that. Often phishing is the first type of incident that occurs and leads to much more disruptive things happening.  

[Slide change]

Couple of examples of phishing. Now, as we said, this can happen through emails, keep it through messages.

A couple email examples here. The good news was phishing overall, and it's also applicable to things like the gift card scams that we talked about, is that we can look for the same kinds of things across all these different mediums of phishing to help us spot that it's actually a scam, that it's not genuine at all and it's just a message that we can delete and move on.

The first thing that we're going to look at is the email address that the message is coming from in the case of emails, obviously.

We're going to look at that email address it's coming from, now. Familiarising ourselves with the genuine websites of various organisations that we work with is a really important step to take, and that's going to enable us to spot these phishing emails when they come through.

So a business owner in New Zealand, you're probably going to have some dealings with Inland Revenue. And familiarising yourself with their genuine website is a really great step to take. Now if we look at the email address that this example has come from, it's something like KRF dot big lobe dot N E dot J P.

It's obviously nothing to do with Inland Revenue whatsoever, there's no dot GOVT dot NZ there. So we can tell that already that email address is not genuine. This message has not come from Inland Revenue.

And that's the first thing that we're going to look for. And the same thing can be seen in the NZTA example.

This one's a little bit trickier though if we look at the email address that one's come from it says no reply at NZTA dot co dot nz, that looks pretty good right? But again, if we familiarise ourselves with what their genuine website looks like, we know that their website is NZTA dot GOVT dot NZ. So even when it looks legitimate, NZTA dot co dot NZ, we know it's not quite right.

We know that's not their genuine website. And again, we can tell that this email is not genuine.

But the second thing that we're going to look for is what are they actually asking us to do? Now most commonly phishing emails are gonna ask you to click on a link and that'll take you to a website where it's asking for various kinds of personal information.

And the NZTA example, what we can see is actually a button. Big button that says renew now.

The email claims that you need, to renew your registration as soon as possible. Big button this is renew now. And if we click on that link, it'll take us to that dodgy website. So unfortunately, we can't see the full link displayed in the email all we can see is that big button. If we hover over that button with our mouse, now if you're on an iPad or if you're on a mobile phone, typically what you want to do is long press on that button, that'll bring up an additional menu of options and that should display the full link there. But if we hover over up with our mouse, we can actually see what that link looks like.

In this case, again, rather than NZTA dot GOVT, dot NZ, we've got NZTA dot D N S dojo dot com. I think this one is. Again, we can tell that that's not NZTA's genuine website, it's not taking us to a genuine page on their website and so again we can tell that this email is not genuine, has not come from NZTA and that is a phishing scam.

Coming back to the Inland Revenue example, this one doesn't have a link for us to click on. Instead, this one has an email address that it's asking us to contact. This one too, looks kind of good.

It's got some, it's got some good parts and it that might convince us is genuine.

If we look at that email domain, it's at refund dash IRD, dash update dash IRD dash GOVT dash NZ dot COM. Now it's got the GOVT and NZ in there. But again, if we're looking at the end of that email address, what we should see is dot GOVT dot NZ.

In this case, we've got a dot com at the end. So we can tell again this is not a genuine email address that belongs to Inland Revenue.

Those are the two main things I want you to look out for. The other the other thing that you can check is, you know, does it actually apply to you if you have a, if you don't have a car, then getting an email about a registration, probably not applicable to you.

So just look at the content of the message as well and if it's not applicable to you that can serve as another red flag. Awareness around phishing is one of the most powerful things that we can implement. So actually knowing that we're likely to receive phishing emails and how to spot them by looking at that email address by looking at the link it's asking us to click on.

It's really empowering. If we do get something like this, it looks suspicious. We can simply delete that, move on with our day. If we've got additional concerns, a really good practice is actually just to contact that organisation directly. Giving NZTA a call, giving the Inland Revenue a call apologies, and actually talk to them about that email. Is it genuine? Is it not? They should be able to confirm with you, whether it is.

[Audio: Host/Hadyn] A couple of really quick questions here Sam, first of all, I also seem to be aware, like if you were receiving this as part of your work email, like if I'm getting a thing saying I need to renew my cars registration, but I'm getting into my work email that's probably like an immediate red flag, I'd say.

[Audio: Speaker/Sam] Yep.

Yep, yep, really good thing to call out now. Obviously taking that context and whether or not it applies to your business is really important.

Phishing is something that's volumetric in nature. So they are sending out as many of these emails as possible. It can hit personal email addresses. It can hit business email addresses and just keeping in mind that context, whether or not it actually applies to your business account is a really good thing to look for as well.

[Audio: Host/Hadyn] And also we've got, we've got a few questions on, on this. I'm just going to go through them very quickly.

So someone says, is there an easier way to identify if a company is using a middleman organisation because there's lots of, 'no reply at' sort of emails but but as you were saying it's a bit after the at,that you really want to look at.

[Audio: Speaker/Sam] Yeah, that's the key. That's what we're really looking for. And again, it's that process of familiarising ourselves with the genuine website.

So, NZTA dot govt dot nz. That's what we expect to see after that at symbol, if and email is actually coming from NZTA. Head to their website, familiarise yourself with what that looks like and that's what you should see after the at symbol if it's actually coming from that organisation.

[Audio: Host/Hadyn] And someone said, how, how do we discover what the actual proper email address should be from from these organisations as that information doesn't often seem to be on their websites?

[Audio: Speaker/Sam] Just heading, just heading to the website itself. And usually what you can do is go through, sort of a government facilities so MBIE, they should be able to link you to things like this.

You can make sure you're actually going to the genuine website. Once you're on that website, just looking at that bar at the top of your browser, that'll tell you what the website address is and again, it needs the NZTA example. If you land on their home page, it's probably going to be www dot NZTA dot GOVT dot NZ.

Head to the website, whether or not you're navigating there through sort of government channels, and familiarise yourself with what that address is, then that's what you should see after that at symbol, if the email genuinely comes from that organisation.

[Audio: Host/Hadyn] Oh, there's actually quite a lot of email, a couple of questions about, these we, we might come back to a few of these at the end, but there is one that I would like to.

To ask you here and that is if there is an unsubscribe link on the email.

[Audio: Speaker/Sam]  Okay. Yeah, so, in the phishing space a lot of time what can be tricky is determining if it's phishing if it's you know actually an attempt to capture our login information or financial information or if it's just kind of that marketing spam stuff that we often get. Unfortunately when we sign our email addresses up to things it can end up on the internet and we can end up receiving a lot of different types of, spam emails as well as phishing stuff. A lot of time the marketing ones are the ones that come with it unsubscribed link at the bottom.

If you find those quite annoying and there is an unsubscribe link, simply clicking on that unsubscribing from it, should prevent some of that stuff from getting to your inbox.

Typically in the case of the phishing emails, they don't often carry that unsubscribe link because again, they're an attempt to capture that information, rather than marketing.

[Audio: Host/Hadyn] But you should also, double check the link before you click it just in case anyway, cause it could also be another scam.

[Audio: Speaker/Sam]  Absolutely. If Absolutely. As we've talked about, check out that hover over with your mouse long press if you're on a mobile phone or sort of an iPad. Have a look what that link actually looks like.

[Audio: Host/Hadyn] Yep, so, we've had heaps of questions, so we'll deal with more of these questions at the end.

[Audio: Speaker/Sam] Come back to this.

[Audio: Host/Hadyn] We're going to we're going to carry on through. And, oh, but, one other thing is that yes, we definitely will be sharing these slides and the recording of this presentation afterwards so this will all be online later.

[Audio: Speaker/Sam] Absolutely.

[Audio: Host/Hadyn] Carry on, Sam.

[Slide change]

[Audio: Speaker/Sam] Cool. So we've talked about emails. This can happen in text messages as well.

The reality is we all got mobile phones these days and the truth is we're more likely to text, check our text messages than we are our emails in a lot of cases. So unfortunately what the scammers are now doing is sending us a lot of text messages that are phishing. The good news is that the things that we're looking for here are similar to what we're looking for an emails.

First thing we're going to check out is the number it's been seen from. Now in these examples we've got BNZ, we've got NZTA and we've got NZ Post, that's three really big organisations with a lot of different customers.

Now, organisations of that size, they typically, when they do text their customers, typically they're going to use a text service.

And that means that their text messages are going to come from a short code number. It's usually three digits or four digits.

And that's just, that's just the methodology they use to get the text messages out to such a large audience of customers essentially.

Now if you get a text message from a really big organisation and it comes from an individual mobile number, that can serve as a bit of a red flag that we might be dealing with a scam.

This isn't unfortunately a catch-all. It's not going to be that if you ever get a text message from an individual mobile number, it's definitely a scam, but it is a really good indicator to look for in the vast majority of times genuine text messages from these organisations are going to be from those short code numbers. So that's the first thing we can look at.

Again, we can look at the link that it's trying to take us to. The good news with the text messages is that link is going to appear in full, like we can see on screen now. We're going to do the same thing here. We're going to look at the genuine website.

That the organisation has, bnz dot co dot NZ, NZTA dot GOVT dot NZ, NZ post dot co dot nz. Now if we look at those links we can very quickly tell those links are not part of those genuine websites.

We've got BNZ auth details dot com. That's not a dot co dot NZ. That's that's not BNZ's website. We know that one's not legitimate. T dot ly slash pay dot NZTA. Again, it's not GOVT.NZ. It's not the genuine website.

You can tell this one's not from NZTA either. And in the NZ Post one is NZ POST dot life again, not their genuine domain. We can tell that this website does not belong to NZTA. We can look at the context as well.

If you're getting these text messages to your work phone, your business device, and you don't bank with BNZ, really good indication that's probably a scam. You don't have a car, so you couldn't have gone through a toll road, again another a good indication, and maybe maybe you haven't signed your mobile number up to any sort of delivery service and notifications or updates these are all good indications to take into account. And the good news is that we're looking at the same stuff, right?

Where does it come from? We're looking at that mobile number, just like we're looking at that email address. Where's the taking us? We're looking at that link, just like we are with those emails.

And in the context as well. Again, if you get a text message like this, you have any suspicions the best thing to do is simply not engage with it. Don't click on any links, don't provide any information.

Call the organisation if you want to verify whether or not that's genuine or not.

[Audio: Host/Hadyn] Very quickly, Sam, if it does come from a one of those four digit short codes or five digit short codes, is that is that a sign that it's legit or is should you still be like incredibly suspicious?

[Audio: Speaker/Sam] I would still look at the other things that we've talked about here. So if it does come from a short code, doesn't necessarily guarantee that it's genuine.

If it does come from a short code, still take a look at that link, if the link is looking good if the short code's there that's like that's an that we may be dealing with something genuine but if it's coming from a short code and that link looks completely wrong that's a good indication it's probably still a scam.

The good news in the space and the text message realm, is that all the banks in New Zealand have come together and made an agreement that they will no longer text their customers, with text messages that contain any links.

So if you get any text message from a bank that contains a link, you can almost guarantee that that's a scam because they've made an agreement they're not going to do that anymore moving forward.

Cool. And usually what we do in these presentations in these webinars, we go through a lot of different risks and threats to organisations and it can get a little bit scary.

We're taking a slightly different approach today and that the main content that we're going to look through

[Slide change]

is what we can actually do to keep ourselves safe, the good stuff, the stuff that you can go away and implement today, it's going to keep you and your business nice and safe online.

[Slide change]

So these are the practical tips that we're going to look at today. Now, Some things on this list might look a little bit intimidating. It might look a little bit confusing. We are going to go through them. We're going to break them down and explain them and an easy way to understand.

The idea here is that these practical tips of the security basics that you can implement today. This is scalable for organisations of any size.

Now, A little bit of research a few years ago showed that I think around 97% of enterprises in New Zealand to 20 people or less so we are really a nation of small to medium businesses.

And the good and the good news is that these tips, these practical tips if we put them in place they're going to protect us against the vast majority of cyber security incidents that we see.

So if you're a small business and the way I've kind of approached it is if I was to create a business tomorrow, what are the cyber security things that I would worry about?

What would I want to get on board as soon as possible? If you're a small business, you can do all these things today.

You can go away, and implement them and keep yourself, nice and safe. Now, one thing I also want to mention here is that we are looking to do more of these in the future.

And so in future sessions we may look to increase the technical capacity of the things that we're talking about. We may look to target bigger organisations and things like outsourcing your security to third parties. Today what we're really focusing on is again the things that you can do that you can implement today.

[Slide change]

Okay, so the first one is simply asset management. Now all this means is recording, tracking and maintaining. What system assets you have in your organisation.

This could be software, this could be hardware, this could be cloud based systems, anything that you use within your organisations that's a digital asset to your organisation as part of your your asset management. And really all this is generating a list of all those assets so that we have visibility of cross what we have in our organisation.

[Slide change]

Really quick example of this. This might be laptops that we use, mobile phones that we use, maybe we have an office space and we've got modems going on in there as well that's the hardware side of things.

This could also include iPads. I know a lot of organisations do face-to-face stuff and they interact using iPads. This could be cash registers with the point of sales software on it, could even be things like servers if you're hosting your own web content.

That's a little bit higher on the technical level. But any kind of hardware that you use could be on this list. The software side, this could be software or third-party services that we use. So maybe we outsource the creation and hosting of our website to an online service provider.

There's a few out there, Squarespace, Wix, these kinds of things. Obviously we're probably using emails for, for our organisation so, the email client that we use as part of this list as well, the bank account that we have for our business.

And any social media that we use for things like marketing or talking to our customers and client base. And then collaboration software, what's collaboration software? Really, we're just talking about things like office 3, 6, 5, Microsoft Teams. Microsoft Word docs, G Suite, Google, anything where you

[Audio: Host/Hadyn] Zoom.

[Audio: Speaker/Sam] Zoom, that's really good at it's really good point anything that you use within your organisation to sort of work with people, talk to people, work on the same documents, anything like that. And then invoicing, maybe you outsource your invoicing to a third party. You maybe you use a particular piece of software like Xero, something like that.

This is just an example list of things that sort of popped into my mind. Your list may look different. This list is not exhaustive. But the process of the asset management, the key here is just creating this list just so that you know you have visibility of what you have in your organisation. You may even want to do this to a level of assigning certain pieces of hardware to the employees that are in your organisation. So maybe you got three employees, maybe they all have a laptop and a mobile phone, but the office has a modem.

Maybe certain people in your organisation don't use certain software. Just visibility across the assets that are within your organisation and what what we're going to do is use this list to show you where it's important to implement the next practical tips that we're actually talking about.

[Audio: Host/Hadyn] Just, just very quickly, you had a link on the previous slide just to let everyone know that once again, we will be sharing these slides and all the links

[Slide change – back to previous slide] 

after this. So don't worry if you didn't get it down. If you didn't write it all down at this time or we were going to share this all online so it'll be there. Cheers.

[Audio: Speaker/Sam] Really good point and right at the end of the slide we've actually, slides we've actually got one slide where it's collating all those links that we're talking about so that you can just refer to that here to the page where you need to get a bit more information.

Now actually really good point as well is that you may see a link to cert.govt.nz. You may see a link to ownyouronline.govt.nz. These are both websites that CERT owns and operates.

They just host slightly different content. Little more technical on the CERT side, a little bit more business friendly on the Own Your Online side.

Now in this link there's also additional information on identifying those current assets that are within your organisation. So a little bit of help to actually figure out what they are.

[Slide change]

Oh right, so when we have this list of assets within our organisation, now we can start looking at those practical security tips and where we need to actually implement them.

[Slide change]

So software updates. This is a big one. Now ultimately, we can categorise the two biggest risks, the two biggest threats to businesses as the misuse of credentials. So that might be phishing for our login information and then how that login information is used against us.

Or it's the exploitation of vulnerabilities. Now, vulnerabilities are just issues that appear in software that could result in attacks against us, those vulnerabilities being exploited for various malicious purposes.

And the best way that we can combat against those vulnerabilities is to simply update our software as quickly as possible, getting those updates from the vendor as soon as they come out to keep ourselves nice and safe.

Now, if you can set your updates to run automatically, then you don't have to think about it, you don't have to worry about it. You can just set that up and then carry on with the life. But a really good practice here is to implement some kind of regular software cycle. So maybe when you check all the software, make sure they've got the latest update and you can keep yourself nice and safe that way.

[Audio: Host/Hadyn] Yes.

[Audio: Speaker/Sam]  At the page here also has information on how to actually create and implement a patching process.

[Audio: Host/Hadyn] So when you do your asset management, you've listed all that software, you can put a little note like this one set to auto update. This one I need to update so that it's make it schedule that sort of thing.

[Audio: Speaker/Sam]  Yeah, really good point. You could, list the ones that can happen automatically, the ones that you have to do manually and how regularly you want to actually check for that. Now, truth is, we've all had that pop up in the bottom right hand corner of our laptop that says you need to update your laptop and restart now. We've all hit defer, we've all said no, not remind me later, remind me in seven days.

The reasoning that we want to get that update as soon as possible is like I say, just to protect us against any vulnerabilities that pop up so those vulnerabilities can't be exploited by the attackers.

[Slide change]

Coming back to our list of examples of what our maybe our business assets look like we're updating our software, where are these updates going to be relevant.

[Slide change]

In a lot of different places. So specifically for any devices you use, you want to make sure that the operating system on those devices is updated as soon as possible. That's a really big key. But of course, anywhere we use any other kind of software, again, maybe it's that collaboration software, things like Teams, Microsoft Office, Google, G Suite, these kinds of things, making sure that software has updated.

Any browsers that you use on your devices making sure they're up to date, any invoicing software.

The truth is this could also be that cash registers, you know, the point of sales software that sits on the cash registers, they are ultimately a computer and keeping those up to date with the latest version of that point of sales software is really important to make sure that they can't be exploited any vulnerabilities can't be exploited.

As you're going through this, as you're creating this list of assets, it's actually acknowledging which pieces are software, in which pieces the hardware is going to make this patching process implementing a patching process just even easier for you.

Anywhere that you use software for your organisation make sure you are updating that as soon as possible with the latest update from the vendor.

[Slide change]

[Slide change – back to previous slide] 

[Audio: Host/Hadyn] That's a really good point. Latest updates from the vendor. So, there was a question about how you, how you know the updates are legitimate. And I assume go to the vendor website or if they come through from say app store on your phone and then you know that it's legitimate.

[Audio: Speaker/Sam] Yep, again, making sure we're going to the genuine websites to download any updates from there. That's a really good step making sure we're using any reputable or legitimate sort of application stores, app store, placed all these kinds of things, and making sure the updates for our devices are actually coming through the device system itself.

So again, that pop up and a little heading to the settings of the laptop, getting the update that way, that's going to make sure that we're getting the updates from genuine sources and make sure that those updates are nice and safe and going to keep us nice and safe.

Okay, alrighty. The next one we're going to talk about is passwords.

[Slide change]

Now there's a couple of different ways that we can approach passwords.

This one is implementing a password policy, the second one is implementing a password manager. Now. 

[Slide change]

What's password policy? You've probably all encountered a password policy at some point. Typically the most common way that you'll encounter a password policy is by way of password requirements through a third-party server.

So Facebook may require that you have at least 8 characters, you have an uppercase, a lowercase, a symbol and a number, and that's their password requirements entirely.

You can create a password policy for your organisation and for the people within your organisation and this is essentially the guidelines that you want your people to follow when they are creating passwords.

There's a few keys here that are going to make your password really good, really strong, and going to keep your accounts nice and safe. Making sure they long enough. About 15 characters at the very least is a really good starting point. The math here is a little bit funny.

12 characters is pretty good. But it increases, as you increase the length of the password, the difficulty for a computer to crack that password gets exponentially harder. So the difference between 12 characters and 16, 15 characters is, just a few million years. So as we increase that length, it's going to give us a lot more security in our passwords, but there's a few other things we need to follow.

How do you create a long password but actually remember the password, right? One thing we can do is use a passphrase. So, for random words put together to make a password of ample length as long as we can remember what those words are.

That's going to be a pretty decent password. That maybe doesn't sound like it's going to be as strong as a completely random password, but it's actually going to be a lot stronger than the vast majority of passwords that people are using today.

A few other things we need to follow. We need to make sure that their password is unique and it's not used on any other accounts that we have online. And the reason for that is because even through no fault of our own, third parties can have data breaches and our passwords can end up on the internet as a result of those data breaches.

So if we have the same password across all our accounts and that password gets breached in one place, it's putting all our all our online accounts at risk because we have the same password across them and now our password is known.

Really common tactic of attackers is to download lists of compromise passwords and essentially spray them against accounts trying to get into them. So we have to make sure our passwords are unique, especially on those really critical accounts, things like our business email account, our bank account, these types of things.

The other aspect of uniqueness is making sure it's not a common password. The list of the 200 most used passwords even in 2024 still surprises me quite a lot. Password1 is still right up there. QWERTY, is still right up there. 123456789 is still right up there. These are passwords that people are still using and attackers know that people are still using these passwords.

So unique. It's different on all, passwords are different on all our accounts, but it's also not one of those really common passwords that are used.

The other aspect is making sure we're not using that personal information, especially where their personal information can be found online.

I know a lot of people like to create passwords using their pets name and then check their data birth at the end and then, you know, that's got a letters, upper case, lowercase, it's got some numbers, it's pretty long, it's a decent password, right?

Unfortunately no, attackers know that we follow these common patents and if they can find them information on us about us online they can use that in conjunction with software to try and get our password really quickly.

So avoiding that personal information, especially where it's available online is really important too.

And then just avoid those common patterns. So, you know, if you need, if you need to have a number in your password, typically we always chuck a one at the end and then we're asked to change it three months later we changed that one to a two again three months later we changed that two to a three.

These are common patterns that we all follow to make passwords a little bit easier for us. Unfortunately, attackers know that we follow those patterns. So avoiding those common patterns is really good.

I can see you wanting to say something there Hadyn.

[Audio: Host/Hadyn] So yeah, no, I was just, we've got a couple of questions that I, well, someone that was asking like, are attackers still doing brute forcing on passwords, but you mentioned when they, when they download like heaps of credentials, and they try a bunch of stuff. So yeah, do want to do want to just briefly talk about that?

[Audio: Speaker/Sam]  Yeah, yeah, the reality is that the attacks that we see are far more sort of optimistic and volume-metric in nature and so brute forcing a password is a much more targeted attack.

These things do still happen. And it's really hard to tell how an attacker has compromised our password, whether that's through a data breach and we've reused our passwords, whether that's password cracking, guessing, brute-forcing, these kinds of things, it does still happen. Whilst it may be the minority that is something that's still happening out there.

And so following these tips, these guidelines in terms of password policy, it's really important to make sure our passwords are nice and strong.

[Audio: Host/Hadyn] And the other thing is, and this is, this isn't a question, which is what you always love to hear in this and it's not a question but apparently Taylor Swift is the most common password in 2023, there is nothing that woman can't do apparently.

[Audio: Speaker/Sam]  Nope. Not too surprising, but again, if that's the most common password used, then using that password is not going to give us a lot of security on our online accounts. So avoiding those common passwords is a really good step to take. Now, the good news here is that if we follow all these guidelines and we create a really strong password, it's actually better that we don't regularly change it.

It's better to create a really long, strong and unique password from the get-go and keep using that password and unless you absolutely have to change it unless it's been breached somewhere, it's been compromised somewhere, anything like that.

Then we would need to go and change it. But if we create a really long strong unique password, it's actually better that we maintain that password.

Rather than changing it, which often leads to us following those common patterns, like changing the one to a two, changing the two to a three, and so on.

Now the reality is we all have about 150 online accounts. For your business, you might have a few less, but you probably have quite a few online accounts for even your business.

How do you create a unique password for every single one that can get almost impossible very, very quickly?

And this is where you may want to consider using a password manager.

[Slide change]

So our password manager is ultimately, kind of like a digital vault, right? It's going to store all your passwords in one place. That way you don't have to remember all of them.

You just have to remember the one password that you use for your password manager. You do absolutely have to make sure that that one password you're using for the password manager, what we call the master password is long, strong and unique.

It's the keys to the kingdom, it's protecting all your other online accounts. So you have to put that time and energy into making sure that that password as as strong as possible.

It's not something you've used anywhere else. It's not something that's been breached or compromised online. It's not a common password, doesn't it personal information, all these good things to make sure that that password is long, strong and secure.

And the password manager is going to take care of everything else for us. It's going to generate our passwords for us and they're going to be about 30 characters along completely random. It's going to take a computer trillions upon trillions upon whatever the number bigger than trillion is, years to actually compromise or breach that password.

It's going to remember all those passwords for us so we don't have to and it's going to make it really easy to make sure that all our passwords are unique. We're not going to have the same password on any account. So if one account does get compromised, if that password gets breached, we don't have to worry about our other accounts, we can just go on and change that one password.

Password managers can make life a lot easier, but there are a few things that you want to consider around the password manager. Now unfortunately in our role in our capacity we're not able to tell you what password manager to go out and use. It's a common question that we get and I totally understand you want to be directed and in the direction of a solid password manager.

There's a few things that you can look forward to help choose the password manager you want to onboard.

Now the first thing is whether or not the first thing you can do is simply Google search, right? What are the best password managers? Now, I'd encourage you to look at a few different lists and actually compare what ones are common across those different lists.

If you've got one password manager that's appeared five times and the five lists that you've looked at, chances are that's probably a really good one. But some questions to ask around that password manager before we jump in. What's the track record like?

Have they had a data breach in the past? And actually maybe more importantly, how did they handle that data breach? Were they transparent with their customers? Did they let them know what's going on? Did they help them work through that process? Or did they handle it really badly?

That's one thing that we might want to look at. Maybe if they've had a data breach, that's simply a deal breaker for you when you want to look at another password manager which is totally understandable.

Another one that we want to ask and probably the most important one is does that password manager offer two-factor authentication? We're going to talk about two-factor authentication in just the moment, but it's an additional layer of protection and that's really important on our password manager. Because we want to make sure that that password manager is as secure as possible.

[Audio: Host/Hadyn] So Sam, I'm conscience of time, so I'm gonna not interrupt you as often as I was, but I wanted briefly touch on password managers inside of web browsers or inside of phones.

So, you know, obviously, and phones these days have password managers built in, key chain on Apple for example and and browsers like Chrome obviously, offered like, you want me to save your password? Should people be using these, especially in the business context, should you be using that? And maybe like you've got your home and things mixed together.

[Audio: Speaker/Sam] Yeah. The reality is with a built-in password manager that's part of your browser, it may not be able to offer its services to all the services that you use.

So for example, if the service you use is not something you log into through a browser, then you're probably not going to be able to apply that browser password manager to that service. So it may be a little bit more limited in scope. The other things you want to consider if you go down that route is, your Google account, your Gmail account if you use Google Chrome and save your passwords there, that's now your password manager.

So the password for that account is now your master password. You want to get two-factor authentication enabled there. You want to make sure that Google Chrome is updated with the latest update as soon as possible. You probably don't want to stay auto logged into Google Chrome in case you lose your device and someone can actually access it.

If you do stay auto logged in to Google Chrome, you want to make sure your device is nice and secure as well. These are all things that you want to take into consideration. Now, what about password managers in your devices and your phone? I know that Samsung has one. I know that Apple has one. I think these ones are pretty solid.

As long as you're making sure that that device is is really well-protected that your I-cloud account your Samsung account whatever that account may be again that's that's now your your password manager account that's now your master password you want to make sure that's really secure.

You want to make sure there's two-factor authentication on that account. You want to make sure the device is secured really well with either a decent code, decent password or some form of biometrics.

These are the things that you want to consider if you're looking at those solutions to password manager.

[Slide change]

A lot of talk about today and we are getting through the time pretty quickly. So we're our passwords relevant. Where do we care about passwords?

[Slide change]

Any accounts we have essentially. Now as you're going through that asset management process take note of which accounts are most important maybe even rank them start with the most important account make sure the password there is really really solid and start working your way down that list anywhere that you have an online account that is important to your business, you should have a really good password there.

It may be the account that you have that takes care of your website, your email accounts. Actually, I'm going to call that email account specifically, often times our email account is associated to all our other accounts. And if our email account is compromised, our other accounts may be compromised through things like password reset features.

So really important to make sure that one's locked down. Your bank account obviously that's where all the money is. We want to keep that nice and safe. Social media, we don't want, the bad guys getting a hold of our social media and then talking to our customers through that channel, maybe even scamming our customers that way.

Want to make sure that's nice and secure. Ultimately, any accounts that you have that are important to your business, make sure you've got a long, strong and unique password to those accounts.

[Slide change]

Two-factor authenticaiton. I talked about this, briefly. Ultimately, this is an additional layer of protection for your accounts on top of your username and password.

Most commonly this looks like you enrol a mobile number to that account that you want to have two-factor authentication on. When you log in, you get sent a code via text, you have to enter that code to be able to log in.

This might be an authentication app that you have that generates a code that you have to enter when you log in. There are a lot of different forms of two-factor authentication. It's actually called a lot of different things.

Multi-factor authentication, two-step verification, two-factor verification. There are a lot of different names for it. We are referring to the same thing. Now two-factor authentication is probably one of the most powerful security tools that you can use.

And again, I really encourage you to implement this on your important accounts. The things that we've already talked about.

[Slide change]

[Slide change]

Things like the account that you have, to take care of your website, your email account, your bank account, your social media, any collaborative software you use and accounts you have with those, your invoicing accounts, all these good things, we want to turn two-factor authentication on there as that additional layer of protection.

It's also going to be really, really powerful to help prevent the effects of phishing. Even if we do fall victim to phishing even if we click on one of those malicious links and we enter our username and password.

The attackers now have our username and password and they try to log in, if we've got two-factor authentication enabled there we've got that extra layer of protection they can't get in without the code that's just been sent to us, and that's going to keep our accounts safe even in the event that we do fall victim to phishing.

Lot of really good reasons to get two-factor authentication, if that's the only thing you go away and do today, that is still a really really good step into improving your cyber security.

[Audio: Host/Hadyn] I can attest to this as someone who recently had their Facebook account, or people attempting to hack my Facebook account, and see the thing pop up saying you know, use this code to reset your password. I'm like, no!

And you, I know then that I don't have to do anything that people didn't have my password they didn't need my phone they couldn't get in so it's a really good layer of security.

But I do want to touch on literally phones and devices like laptops that have fingerprint ID or face ID or, similar kind of setup. There's also a form of 2FA.

[Audio: Speaker/Sam]  Yep, absolutely can be. So 2FA can also look like a bit of a push notification to a device. And it may say, hey, you need to enter your biometric scan in order to log into this account.

You that could be a thumbprint, face ID, anything like that. How you choose your implementation of two-factor authentication is not as important as actually having some form of two-factor authentication on your account.

Don't let perfect get in the way of good, have some form of two-factor authentication on those accounts to get that extra layer of protection and keep those accounts nice and safe.

[Audio: Host/Hadyn] And I know the way I like running at a time very quickly, but, someone just put a, well two very good questions in here.

One, what happens if you lose your phone?

Two, the, the getting the text message thing has been highlighted as being not super super secure. Can you just talk about like the other forms of 2FA?

[Audio: Speaker/Sam]  Yeah, certainly. So, the other forms of 2FA and probably the best ones are those authentication apps.

So that's an app that you specifically download to mobile phone so that when you do try to log into an account that has two-factor authentication on it the app generates a code or the app generates a request to enable that login. And that is typically a little bit better than those text message codes.

Unfortunately, the attackers, the bad guys, they are starting to use social engineering tactics to try and target people, to get them to provide those codes. And that's ultimately because two-factor authentication is so powerful at preventing that unauthorised access.

So if you do want to use, better form of two-factor authentication, I encourage you to look at those authentication apps. Microsoft has one, Google has one. They can, any app can pretty much be used on any accounts.

What was the other question that you asked there?

[Audio: Host/Hadyn] If you lose your phone.

[Audio: Speaker/Sam] Yep. So when you enrol in two-factor authentication, and again, this is the process that you can make part of that asset management. Take note of the accounts that have two-factor authentication. Typically when you enrol, you'll get a list of recovery codes, keeping those in a secure location so that any of that you do lose that two-factor authentication device, typically a phone may look like something else.

Those recovery codes are going to help you. Still be able to access that account even if you do lose that methodology. So make that part of that asset lifecycle management. Take note of the accounts you've enabled two-factor authentication on and whether or not you've got those recovery codes stored for that as well.

[Audio: Host/Hadyn] You might also be lucky in that some of them will link to your phone number. So if you have your old number ported forward to your new phone you might you might be lucky enough to have that still work.

[Audio: Speaker/Sam] Okay, we are quickly running out of time, so we're going try get through this a little bit, pace now.

[Slide Change]

Principal lease privilege. What is that? That sounds confusing. It's a little bit scary.

Ultimately, it's just only allowing access that you need in order to do your job. So let's say we have three people in our organisation and I'm going to quickly

[Slide Change]

skip to the example page here. You say we've got three people in our organisation. One handles the finances, one hand was a social media, one's the the big boss, the CEO. The one that handle the finances, they're gonna need access to the bank account. They're going to need access to the invoicing.

Do they need access to the social media? Probably not. And in that case, if we don't give them any kind of access, then we don't open the door to a risk around their set of credentials for those online accounts.

Principal of lease privilege is really just making sure that the people in your organisation only have access to the things that they absolutely need access to. Now you can also make this part of your asset lifecycle management like I say, start actually mapping those assets to the employees of your organisation.

Who needs access to what? Who has access to what? Keeping that in mind as a really powerful thing to do.

But if we can lower that threat landscape by making sure that people only have access to what they actually need access to that's going to go a long way to keep us nice and safe too.

[Slide Change]

Right backups, what are backups? Ultimately this is just storing a backup of your important information of your important data. So, You want to have a regular backup process in place. You want to be able to restore from their backup in case something does go wrong in case your organisation gets hit with something like ransomware or maybe you even lose the hardware itself gets damaged.

Having that backup in place so that you can restore from it as soon as possible, is going to help you get back to business operation as you as normal as quickly as you can.

It's essentially a continuity plan for your organisation. Few keys to take into consideration, get that backup process happening automatically if you can.

If not, then create a regular process and what you're going to do those backups. Stall those backups in a secure location. So away from your organisational systems and assets in case they get hit. Our backups are stored there. They're not going to be any good to us. We want their backup stored in a separate location.

That may be physically stored on physical hardware that we then remove from the environment. It may be that we use a cloud service provider to do their backup process for us. And then actually test that backup process. Actually go through the process of restoring from backup so that you know that when the time comes if something does go wrong, you know how to do that, you know what that looks like and you can make sure that that's actually going to work when it comes down to.

Backups are probably the most important thing when it comes to an attack like ransomware.

It's the best way to ensure that you can get back to business operations as normal without actually playing the game of the attacker without having to even consider paying him any kind of ransom or anything like that, which we definitely discourage.

[Slide Chagne]

[Audio: Host/Hadyn] Very quickly, Sam, this includes cloud, obviously, cloud backups and, and so forth?

[Audio: Speaker/Sam] Absolutely. Like I say,

[Slide change – back to previous slide] 

you could, you could do the backups physically. You could store them on a hard drive and do that process yourself or you could look at a cloud service provider who will do that for you. The only consideration you may want to take into account there is that restoring from a cloud backup may take a little bit longer than doing it physically yourself.

But the payoff may be maybe really good there. The other thing that you want to consider is looking at that service provider again considering the service provider again considering the same questions around a password manager.

What's the track history, do they offer two-factor authentication? How are they going to store and keep that back up nice and secure?

These kinds of questions are really good to consider before, jumping in with any kind of cloud backup provider.

[Slide change] 

Where's that relevant? Anywhere you have important data, anywhere you have important documents. So probably on your laptops, maybe even on your mobile phones, maybe you want to back up your email threads.

 

The emails that you actually have stored in your client, maybe you want to keep a record of those. The content that you host on your website, you might want to back up of that in case something goes wrong with the website.

Maybe even content that you have on social media, photos and posts, things like that. Any documents in those collaboration workspaces and maybe any invoices that are really valuable or important. Any data or information that sits within any of the assets of your organisation that are really important to you, you may want to consider having a backup in place for that.

[Slide change] 

Alright, we are getting to the end here, which is good. We may have a bit of time for questions at the end.

I think there's still a few sitting in there. So the last one that we're going to talk about today is the Incident Response plan. And this is just basically making sure that you know what to do with something does go wrong.

You can also make this part of your asset, asset management process. So as you're going through those assets and you're actually identifying them, taking note of who you would call if something goes wrong with one of those assets as the essence of the incident response plan.

[Slide change] 

So if we jump back a little bit. Who would you contact if something went wrong with your website? Maybe you know the organisation who handles your website, but what's the actual number that you'd call?

What's the email address that you contact? Writing that down and actually having that on paper so that when something, if, touch wood, something does go wrong, you know who to call as quickly as possible is going to save you precious time and the event in an internet does occur.

What about your email accounts? What if you lose access to that? Who would you contact there? I, the ones that are red here are applicable

[Slide change]

[Slide change]

[Slide change]

to backups, not the incident response plan because all the assets are applicable to the incident response plan. Who would you contact if you had an issue with the hardware? You know, your laptop, your mobile phone. This may be a simple as knowing that you can report a cyber security incident to CERT New Zealand.

It's maybe as simple as knowing what phone number you're going to call for your bank account if something does go wrong with the bank account itself.

[Slide change]

As you're going through that asset management process and identifying the assets relevant to your business, also identify who you would contact for that asset if something did go wrong with it.

And that's going to form the basis of your incident response plan. Again, this is just having something written out so that if something does go wrong, you know who to call as quickly as possible. You don't have to waste any time trying to figure that out and you can even test this too, you could call them ahead of time and say I'm just trying to find the most appropriate contact

In the case of an incident actually occurring so that if it ever did happen, I know exactly who to call and I know that it's going to result in a response really really quickly.

[Slide change]

Cool. As I said, that may be as simple as reporting to CERT New Zealand. That may be as simple as knowing what phone number to call for your bank. You can, anyone can report to CERT New Zealand at the link provided. There just cert.govt.nz.

Anyone can report a cyber security incident to us for free advice and guidance to sort of help you actually work through that incident and ideally set yourself up in a better position moving forward so that you're not likely to have to face the same incident again, in the future. Taking note that you can report to CERT New Zealand may be part of your incident response plan as well.

[Slide change]

Now, the last thing that we were going to go through really quickly is just a little bit of Own Your Online, and I'm going to do this in about a minute if I can.

Own Your Online is another platform that we have. This is a consumer focus, small business focused and it's trying to cut through the jargon and the technical speak the technical language and make it actually easily to understand and digest for anyone of any kind of level of experience or technical capability.

[Slide change]

There's lots of information on Own Your Online from guides to the various risks and threats that we see affecting organisations,

[Slide change]

to guides on the kinds of things that we've talked about today like creating an incident response plan. Now I do encourage you to keep an eye on this website because one thing that we're looking at doing is uploading things like templates for these various things.

Incident response plan, we want to get template up there as soon as we can. Password policies, we're looking at putting a template together for that too. So do keep an eye on the website. There are going to be regular updates coming to Own Your Online to help keep you in your business nice and safe.

[Slide change]

Okay, we got through it in the and we still have five minutes for those questions and answers. Now again,

[Slide change]

we've got a link, a page right at the end of the slide with all the links that we've talked about today so that if you're looking for more information you can simply go to the link relevant to the thing that you're looking for. Make it nice and easy for you.

[Slide change]

But the other thing we want to talk about is that we are looking to do more of these in the future and we want to make sure that you're actually going to get something out of them.

They're going to be usable and meaningful for you. So at the end of this, there will be a little survey and you can use that as an opportunity to let us know the kinds of things that you want to hear about in the future so that we can help you learn about the things that you are really interested in when it comes to cyber security.

Okay, let's do some questions.

[Audio: Host/Hadyn] And yes, that was a very important point too because we've had a couple of people saying like, oh, actually I want to get more in depth into these and we've had heaps of questions and if we don't get through all of these, we will put up an FAQ as well when we share the slides and links so we will we will make sure that we get to as many of these as we can.

I'm going to go all the way to the top so this is going to be early on.

Has anything been done? This is about phishing. Emails that have similar domains to GOVT dot NZ. Is anything being done to like stop people from buying those similar domains?

[Audio: Speaker/Sam]  Yeah, so there's a lot of work going around in New Zealand at the moment, and it's really across collaboration between multiple different organisations, you know, things like banks, things like the really big organisations of New Zealand, the telcos, government organizations like ourselves like police like the DIA, all coming together to try and monitor for those domains being stood up and then actually taking proactive action against their domains so that hopefully we can stop people from ever even being able to get to that dodgy website.

There's a bunch of work going on in the background for through a lot of different organisations. All trying to prevent the misuse of those domains that look really similar to the genuine websites.

Absolutely. A lot of that work going on.

[Audio: Host/Hadyn] There's a question here about again about phishing and it's super relevant to everyone on this call I believe, like what do you do if your company is being impersonated in these sorts of emails?

[Audio: Speaker/Sam]  That's a, yeah, that's a really, really good question. And the first thing that I encourage you to do is actually report to CERT New Zealand.

So what will typically happen in the event of your organisation being impersonated in a phishing campaign, is that there will be a website stood up that's designed to look similar to your website. And that's where the phishing is actually occurring.

So what we can do is we can take note of the malicious website that's trying to impersonate your business, we can work with hosting providers, domain name registrars, we have initiatives like Phishing Disruption Service and we can use all these things to try and take that website down, that malicious one down, or prevent people from being able to get to it in the first place.

So report that through to CERT New Zealand. One thing you may want to consider is, actually where it's easy enough to do so or not too not too costly, to do so, you may want to look at standing up or purchasing similar domains to your website so that other people can't.

That's something that you can consider doing. But if you do find that your organisation, your brand is being impersonated report that through to CERT New Zealand when it comes to those phishing websites that are stood up and trying to impersonate your, your brand of your website, there's plenty that we can do to try and take those down.

[Audio: Host/Hadyn] And from a comms perspective, it's good that once you've figured out that, oh my gosh, this is happening, use your official channels. Your your social media channels and email if if it's appropriate to contact your customers to say we're aware that this is happening.

This is something the large organisations, Inland revenue that we showed before they do it as well anytime there's sort of a large campaign when they become aware of it they let everyone know, so the customers hopefully won't click those links.

A couple of questions about password managers.

One is, is it okay to store your username, password, and the website address all in the same password manager?

[Audio: Speaker/Sam] A lot of password managers do do that. It ultimately just comes back to making sure that your password manager is nice and secure.

[Audio: Host/Hadyn] Hmm.

[Audio: Speaker/Sam] Making sure the password you have on there long strong and unique following the guidelines that we talked about today, enabling that two-factor authentication on there. All these things are going to be really good to make sure that password manager is nice and secure and in that way, I think most password managers do store all those details.

The website its relevant to, the username and the password, typically. So just making sure the password manager itself is nice and safe and secure is going to be the key there.

[Audio: Host/Hadyn] And one question about those backup recovery codes for 2FA. Someone's asked, is it okay to keep them in your password manager?

I imagine that's, that's fine except for the fact that if your password manager has 2FA and you've kept the backup recovery codes inside there that you might not be able to get to them?

[Audio: Speaker/Sam] That's a really good point. Yeah, again, the password manager is going to be a safe place for you to throw a lot of that information.

So storing things like, like the recovery codes for and then you can actually store it against the account itself. So it's going to be all in the same place, nice and easy for yourself, but that's a really good point that you raised Hadyn, you may not want to store the recovery codes for the password manager itself, within the password manager.

Maybe write that down, put that in a safe or a lockbox or something secure like that. So that if anything ever does happen, the password manager, you know, exactly where those codes are, you can go grab them when you need them.

[Audio: Host/Hadyn] Someone's asked a fairly specific question. How safer apps on Google workspace.

[Audio: Speaker/Sam] That is a very good question. Again, relatively safe. I mean, they're coming from reputable organisation, right?

But the key is going to be making sure that you're getting the latest update. So if you're running an out-of-date version of any of anything like that, that's going to be the biggest risk to you, making sure that you have the most up-to-date version that you're getting those updates as regularly as possible, is really the key there to make sure that software is nice and secure.

Just make sure that you're downloading things through reputable sources as well. So, either the genuine website of the organisations or through things like the Play Store, the app store, and those kinds of sources.

[Audio: Host/Hadyn] And, and again, on updates, if someone's got an IT provider that they're using for the, for their software in the IT providers doing the updates.

Do they, as a business owner, do they need to do anything?

[Audio: Speaker/Sam] If the IT service provider is handling all those updates then you shouldn't need to do anything in those cases, but that may be a question that you want to ask them ahead of time. Are they going to handle all the updates for those various pieces of software or are there some that you need to handle yourself?

You can make that part of that asset management process that we talked about. So it actually taking note, OK updates for this one are going to be handled by the service provider, but I need to go on and manually update these ones.

Just a good question to ask those service providers when you are engaging with them.

[Audio: Host/Hadyn] And in regard to backups, it's, if you do have a cloud backup, it is a good to have multiple backups, like in more than one place and more than one location, and more than one service like on an actual hard drive and in the cloud?

[Audio: Speaker/Sam]  Yeah, certainly. And look, the, the level that you want to go to in terms of these things may depend on the size of your organisation and the scope of your organisation, the kind of data that you're collecting and storing.

But absolutely, you could look at a cloud service provider. Do the backups through them. But then actually go through that backup process yourself and that gives you that additional layer. So if something goes wrong with the cloud provider, or something goes wrong with your own physical backup you've got another one - you've got a backup for your backup right just depends how in depth you want to go and it really harkens back to a common concept that we have in cyber security of defence and depth. The more layers that we can put in place to keep ourselves nice and safe, the better off we're going to be.

[Audio: Host/Hadyn] There's a question here which is actually the question for me technically. When are the latest set of critical controls going to be released?

So the critical controls going to be released. So the critical controls, some of the lengths that Sam was mentioning there, and some of the steps were taken from our critical controls, which is a set of essentially rules things things to do in your organisation based on the threats we've seen from the past year. We update them every year and we're about to update them again.

No major changes. So these are spoilers, I guess, you know, major changes this year, but we, one of those things is actually incident report plan, incident response plan sorry so that might be going up fairly soon so we'll get back to you as soon as we know when that's coming out.

[Audio: Speaker/Sam] And talking about the practical tips we've gone through today, I believe it's about six out of 10 of those critical controls.

Now the other part of that is that if you are looking at cyber security insurance, which is a whole topic that we could do another webinar on, they will look to your organisation to see whether or not you have certain controls in place and I think the critical controls are the vast majority of the controls that they're looking at.

So if you start working through that list of critical controls, it's going to set you up in a really good position to consider something like Cyber Security Insurance.

[Audio: Host/Hadyn] Cool. Alright, we are out of time. We still have a lot of questions. So again, we will, we'll answer those in text format and make sure that we get the FAQs up.

So do check that out. We are going to be sharing this on our website and we will send out an email with the links to with links for downloading the slides and to download the recording of the seminar, including the little flub I just made.

It'll have a nice little transcript of everything including the flub. And yeah, so thank you all for your time. Thank you all for your wonderful questions. Thank you, Sam, for your information and we want to do more of these in the future so please at the end you will be given like a little survey if you could fill it out let us know what you like what you didn't like, and what you'd like to talk about in the future.

So thank you again and hope you have a lovely day.

[Audio: Speaker/Sam] Thanks, everyone. 

[Recording ends].