Cyber threats are one of the leading risks for small to medium-sized businesses in New Zealand, now more than ever as businesses move to more digital and remote ways of working to curb the spread of COVID-19.
Andrew Beven is a specialist in cyber insurance at NZI, New Zealand’s leading provider of business insurance.
“The switch to working from home happened quickly and unexpectedly — and cyber criminals were quick to take advantage of the situation with COVID-19 themed scams.”
New Zealand’s national Computer Emergency Response Team (CERT NZ) has raised awareness of a range of COVID-19 themed scams, including attacks designed to target remote working systems, such as Nefilim ransomware.
Scammers and attackers are also using the public interest in COVID-19 to create opportunistic online scams and attacks, for example by posing as the World Health Organisation (WHO).
“Reports of incidents were up 38% last year, from 3,445 in 2018 to 4,740 in 2019, according to CERT. The top three attacks were phishing and credential harvesting, scams and fraud, and unauthorised access.
“But just like risks to the physical security of your business, you can protect yourself against cyber threats with the right preparation and tools.”
NZI has 10 top tips on how business owners can build their cyber resilience.
But first, what is cyber risk?
“A cyber incident can be as simple as attaching the wrong file to an email which results in sharing confidential information,” Mr Beven said.
“Or it can be more complicated and malicious, such as a hacker attack and loss of customer information.”
Use strong passwords with multi-factor authentication
Use strong, unique passwords for every account and never share them. A good practice is to create a passphrase using a minimum of four words you will easily remember which add up to at least 14 characters.
One of the most effective security controls to prevent cyber criminals from accessing your computers and applications is multi-factor authentication, which means you need to provide a combination of proofs to access your devices. For example, in addition to a password, you might need to provide a code that is sent to your mobile phone.
You can also use a password manager to create and keep track of secure passwords for all your devices, applications and online services. You will only need to remember one master password — but be extra careful to keep it secure.
Don’t ignore software updates
Cybercriminals can use weaknesses and security loopholes in outdated software to access your computer and mobile devices. It’s important to install software updates as quickly as possible, so vulnerabilities can be fixed before hackers have time to exploit them.
Enable automatic updates for your operating system (such as Microsoft Windows or Apple iOS/macOS) and applications (such as antivirus and web browsers). And don’t ignore the notifications to update!
Train your employees to be cybersafe
Your employees probably have different levels of experience and comfort with working online or remotely. It’s important to help them understand that cyber-attacks are increasing, and criminals are using the COVID-19 pandemic to lure people with malicious emails and websites set up to look like sources of information about the crisis.
Make sure employees are trained to use any new devices or software and know how to report a cyber incident. Some warning signs that an email is fraudulent include suspicious attachments or links, poor grammar, messages that are trying to create a false sense of urgency, and low quality of design.
Other good practices to implement include asking employees to verify any request to change bank details by contacting the supplier directly using trusted contact details they’ve previously used; having more than one person approve transactions over a certain dollar amount; and creating a process to make sure the business billing you is the one you normally deal with.
Install anti-virus software
Cyber criminals can use malicious code and software like viruses and spyware to delete or corrupt your files, steal information or allow others to access your computer and your personal or business information. Anti-virus software can help by monitoring and protecting your devices from infection.
Make sure your anti-virus software is set to automatically install updates, so it protects you against the latest threats and viruses.
Use a business VPN
A Virtual Private Network (VPN) creates a secure connection between your home devices and your office network so that you and your employees can safely share data while working at home. Using a VPN will encrypt your network traffic and help make sure the office network can only be accessed by your employees.
Remember to back up important information
‘Backing up data’ simply means making a copy and storing it somewhere safe so that you can access it if your data is lost or damaged. You should back up important data such as customer details and financial information.
There are many ways to back up data, including cloud storage services. Maintaining the security of customers’ data is critical for any business, so you should seek expert advice to ensure you do this to the highest possible standards.
It’s a good idea to regularly test your backups to make sure you can restore your data if and when you need to.
Keep portable devices secure
If your employees are using laptops, tablets or mobile phones for their work, it’s important they update their devices before connecting to your business’s network and make sure they have a basic understanding of cyber security.
The physical security of portable devices is important too. With more staff working from home, there’s a greater risk that mobiles, laptops and other devices will be lost, broken or stolen. So, make sure all portable devices have strong passwords and remind employees to keep the devices safe and secure when not in use.
Assess risk in your home office
For many employees the living room, kitchen table or spare bedroom has become a co-working space they share with their spouse, children or flatmates.
So, it’s important to be aware of how your employees are working, for example by setting up one-on-one video calls to assess their environment and discuss any changes they need to make to their work processes.
In particular, you may need to create new or modified processes for how staff handle sensitive information, such as going to a private room to have confidential phone conversations and ensuring computers are shut down and private information is not viewable on screens by other people in the household.
Once you have put your cyber security measures in place, you need to monitor and keep them up to date. It’s a good idea to conduct an IT audit at least yearly, checking passwords, software updates and the security of your VPN.
The government’s CERT NZ website is a good source of advice for staying safe online and provides more tips for identifying cyber threats and reporting incidents.
Insure against the unexpected
NZI helps customers build cyber resilience by helping them understand and prepare for cyber risks and providing cyber insurance, should the unexpected happen.
NZI Cyber Cover has a broad range of cover tailored for the needs of small to medium-sized businesses.
NZI also offers a cyber assessment tool, so businesses can assess their cyber risk.
Businesses should speak with their broker for advice on the appropriate NZI cyber cover.