Keeping your business safe online

So much critical business information is held digitally and online. How do you protect yourself? The good news is it isn't difficult or expensive – it just takes a little care and common sense. We've prepared this guide with the help of Connect Smart, the government's National Cyber Policy Office (NCPO). It's part of the Department of the Prime Minister and Cabinet, and works in partnership with a range of government agencies, non-government organisations and the private sector.

If your business is online, it pays to be on guard

Once a business tries online services, it’s usually not long before it adopts them wholeheartedly. Many businesses would struggle without access to the internet for their critical information. Your banking, customer data, business plans, intellectual property and day-to-day workflows are often online or on computers connected to the internet.

But online services do have risks. Symantec says that small businesses are now the target of 30% of all online attacks (Symantec 2013 Trends, Volume 19, Published April 2014), so it’s important to understand your level of risk and take steps to manage it.

You might not have access to security specialists or secure systems. But even simple, common sense security practices can prevent your business from being a soft target.

Who would want to attack your business?

There could be many different motivations behind a cyber-attack on your business. Here are some of the more common scenarios.


Off-shore or local hackers can make a living from finding vulnerable systems. They steal passwords and use your online banking, steal information or lock you out of your own systems and demand a ransom to let you back in. They are motivated by quick money.

Business Rivals

Occasionally one business may try to attack another online. They might try to change content on your website to embarrass or discredit you. They could try to hack your systems to steal customer lists or your intellectual property. This is unusual, especially in New Zealand.


Angry employees or ex-employees often have access to your systems and know exactly how to damage your company. They could release compromising information, disable systems or even access your banking and financial systems.

Four steps to being more secure online


Assess your cyber security

When you’re thinking about your security, the first thing to consider is your exposure. Are you and your employees online all the time to do your work? Is your information online? Are some or all of your systems? Do you interact with customers through your website or mobile? And do you and your employees go online at work for personal reasons as well?

What about your awareness? Do you and your people think about security? Do you take a cautious approach to unknown emails and social media invitations? Do you have a cyber security policy, or talk about it at all? And do you as the business leader take ownership of it? Or do you leave it to your IT team, or the person in the office that knows the most about computers?

Take the Connect Smart business preparedness quiz to see how your business compares for security, and to create an action plan to help close any security gaps.


Develop a cyber security policy for your business

Your cyber security policy sets rules to protect your business. It includes simple security controls for the ways you and your team use your systems and devices.

Having no policy in place exposes your business to security breaches. It could also expose you to potential legal or regulatory problems, especially if you have an e-commerce platform or if you collect customer data online.

Your policy gives your people clear guidance around the right ways to use their mobile devices and online systems. It helps them understand the important role they play in protecting your company’s cyber security.

Having a cyber security policy also gives your customers confidence in your business. You can include it on your company’s website as a way of showing your commitment to their security.

Where do you start? There are a number of areas that a security policy should cover:

  • Safe use of email and the web
  • Securing mobile devices
  • Handling sensitive data
  • Managing remote access
  • Using USB drives and other portable storage
  • How to report security breaches confidentially

Six basic cyber security controls

  • Install security software and keep it updated: a firewall, and anti-virus and anti-spyware software
  • Back up your critical data on a regular schedule - and test your backup to make sure you can recover its data
  • If you don't have an IT Manager, give someone responsibility for your network security. Remember it's everyone's responsibility to comply with your security procedures
  • Use reputable software and keep it up-to-date
  • Use email spam filters and ensure your people can recognise scams and hoaxes, and don’t click links or open attachments from suspicious senders
  • Subscribe to security notification services, like this one from NetSafe, that keep you informed about the latest online safety and security risks and solutions


Establish an incident management plan

Your incident management plan gives your employees guidance on recognising and dealing with a cyber security breach.

The most important step is realising it’s happening. You and your people must be able to identify an attack quickly, so you can minimise its impacts and get back to business.

The second most important thing is having a plan. Knowing what to do before things get out of control is valuable. And while it may go without saying, it’s always a good idea to have your plan laid out on paper – not on your computer.

There are six phases to an incident management plan:

  • Prevention – make sure your day-to-day use and policies make it hard for attackers
  • Monitoring – make sure you and your people recognise and detect any attacks quickly, and report them immediately without fear of getting in trouble if they’ve made a mistake
  • Triage – identify the nature of the attack, who to notify and what to do
  • Responses – your technical, management, communication and legal actions
  • Resolution – what you need to do to shut down the attack and prevent losses
  • Review – assess what happened, how well your defences worked, and how well your plan coped

Connect Smart has a complete guide to setting up your incident management plan in their resource kit.


Review your security regularly

Once you’ve set up your risk management approaches, you need to make them part of your culture.

The type and nature of cyber threats are evolving every day. It's important to review and revisit your approaches regularly, and whenever new types of attacks pop up.

  • Schedule a regular review time for your cyber security policies, incident management plans and training
  • Update your operating software and anti-virus software whenever possible, and ensure you’re actively notified when updates are available
  • Keep an eye on security updates and incidents in the rest of the business world, and check if your policies would protect you from these new threats
  • Review user access privileges regularly, and when employees leave make sure you remove their access to your systems

Protect your online banking

Almost every business uses online banking. It’s essential to limit access and ensure you adopt best practice when it comes to protecting it from unauthorised use.

Use a different password for your banking, and change it regularly. If you need to write it down, don't leave it near your computer, and never write it on the back of your security token. Think about writing down a clue to your password rather than the password itself. Never give your password to anyone else, including trusted advisors such as accountants.

If your business is getting too big for you to manage the finances on your own, consider upgrading to FastNet Business. You can set up different users with different levels of access, so you can have people help without giving them complete access to your money.

Remember, one of the biggest risks for your online banking is your employees and ex-employees.

  • Use the controls built in to FastNet Business to make sure your people can do and see what they need for their role, but not more than they need
  • Regularly check the FastNet Business Audit (under Administration > Client > Audit Log) to identify any unexpected changes to account numbers, extra payments or logging in after hours
  • Watch for any employees who manage your accounts who never take holidays or refuse any help to do the banking
  • Look out for duplicate or odd payments, invoices from unknown suppliers or invoices that seem higher than usual

Next steps

Connect Smart

You can find out more about protecting your company from cyber-attacks at Connect Smart. It's a Government initiative to help all New Zealanders, including businesses, protect themselves and their information. You can find more tips and practical action plans to help keep your business secure.

Report a security issue to ASB

If you think you’ve been targeted by an ASB online or phone scam, contact us. We take security extremely seriously and will do everything we can to help.
