Keep your business safe

Preventing attacks

Protecting your business from online attacks is just as important as locking up when you leave each night. Here's what you can do.

The six most common types of attacks

Your plan should outline your defences against the six most common types of attacks on businesses:

  • Phishing attacks
  • Scam emails
  • Phone fraud
  • Employee fraud
  • Denial of service attacks (DDoS)
  • Viruses, malware and hostageware (ransomware)

Set up your online security policy

Protect yourself from external threats by deciding how your team use your systems and devices. If you have an e-commerce platform or you collect customer data online, your cyber security plan may be a legal requirement.

Your policy helps your team understand the important role they play in protecting your company’s cyber security:

  • Email and web use
  • Mobile device security
  • Handling sensitive data
  • Managing remote access
  • Using USB drives and other portable storage
  • Reporting security breaches

Protect your systems with up-to-date security software

Install security software on all your team's devices and browsers. Often, this software can be administered remotely by you or your IT security team. 

Choose a system that updates every few days. If a new mass-attack virus appears, check that your security software protects against it or issues an immediate update.

Keep your team's devices secure

Hackers see your team's mobiles, laptops, servers and desktop computers as access points. Keep the operating systems up to date, use security features that let you track, lock and wipe devices, and consider encrypting your disks.

Keep passwords strong

  • Tell your team not to use the same password for business and personal use.
  • Avoid common passwords and patterns.
  • Set up your systems to lock out a user after several failed login attempts.
  • Use two-factor authentication where you can, especially for team members who log in remotely.
  • Make sure your teams don't share login details to cover each other's tasks.

How to respond to attacks when they happen

If you're targeted, it's too late to start working out what to do. An incident management plan helps everyone in your business respond fast and efficiently.

  • Make sure everyone knows where to find the plan in a hurry.
  • Recognise attacks quickly, to minimise the impact.
  • Keep a paper copy of your plan, in case the attack locks you out of your systems.

Your plan should cover these stages:

  • Monitor - detect and recognise any attacks quickly.
  • Report - sound the alarm immediately, and assure people they won't get in trouble if they've made a mistake and let an attacker in.
  • Triage - identify the nature of the attack, who to notify and what to do.
  • Respond - technical, management, customer communications and legal action.
  • Resolve - what to do to shut down the attack and prevent loss of information or money.
  • Review - assess what happened, your plan's success, and what you need to change for next time.

Email scams - one of the most common methods of business attacks 

Email is an easy tool for scammers to use. They try to trick you or your team into giving away information, logging in to malicious sites, or sending money. Some simple steps can help reduce the risk.

  • Spot scam emails with poor English or no personalisation.
  • Tell your team not to sign up to personal services with their business email address.
  • Watch for fake invoices. Have clear processes for ordering and paying for goods, so that your team won’t be taken in.
  • Be careful of any email asking to make changes to a regular supplier's account details. Contact them by phone to confirm the change.

Control your team's access to critical systems

Your trusted people and ex-employees are one of your highest-risk areas for business fraud. That doesn't mean you should be suspicious of everyone - but you should put controls in place to reduce the chance of something going wrong.

Identify your critical systems:

  • Customer data
  • Accounts and banking
  • Documents and IP

Set user access privileges where you can

Your people need access to do their job, but not too much.

Don't give every user "admin-level" access that lets them create users or make changes to processes. Most people don't need that level of access.

Give your team the appropriate level of access to reduce the risk of mistakes and fraud. If an attack happens, it also makes it easier to work out how it happened.

For help with all these steps, call the FastNet Business Help Desk on 0800 22 55 27.

Check your online banking

Use a multi-user system with access control, like ASB FastNet Business. Set aside some time every quarter to check for potential issues.

  • Do some spot checks on supplier account numbers, and make sure they’re accurate.
  • Look for duplicate suppliers in your payee lists with different account numbers.
  • Check your logs for changes to payment details.
  • Look for duplicate or odd payments.
  • Look for invoices from unknown suppliers, or invoices that seem higher than usual.
  • Check for unknown users, or people that no longer need to use the system.

For help with all these steps, call the FastNet Business Help Desk on 0800 225 527.
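
The payee and user checks in the list above can be partly automated. The following is an added example, not ASB's code or part of FastNet Business: it assumes you can export your payee list to CSV, and the column names, sample rows and user names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample payee export. The column names are assumptions; adjust
# them to match whatever your banking or accounting system exports.
SAMPLE_PAYEES = """payee_name,account_number,added_by
Acme Supplies Ltd,12-3456-0000001-00,alice
ACME Supplies Limited,12-3456-0000099-00,bob
Kiwi Freight,06-0123-0000002-00,alice
Kiwi  Freight,06-0123-0000002-00,alice
Harbour Print Co,03-0456-0000003-00,carol
"""

AUTHORISED_USERS = {"alice", "carol"}  # constructed: people who should still have access

SUFFIXES = {"ltd", "limited", "co", "company", "inc"}


def normalise(name):
    """Lower-case, strip punctuation and company suffixes so near-identical names match."""
    words = "".join(c if c.isalnum() else " " for c in name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)


def review_payees(csv_text, authorised_users):
    """Return (conflicts, unknown_users) from a payee export."""
    accounts = defaultdict(set)
    unknown = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        accounts[normalise(row["payee_name"])].add(row["account_number"].strip())
        if row["added_by"] not in authorised_users:
            unknown.add(row["added_by"])
    # A supplier name that maps to more than one account number needs a manual check.
    conflicts = {n: sorted(a) for n, a in accounts.items() if len(a) > 1}
    return conflicts, sorted(unknown)


if __name__ == "__main__":
    conflicts, unknown = review_payees(SAMPLE_PAYEES, AUTHORISED_USERS)
    for name, accts in conflicts.items():
        print(f"CHECK: '{name}' has {len(accts)} account numbers: {', '.join(accts)}")
    for user in unknown:
        print(f"CHECK: payee added by unrecognised user '{user}'")
```

Anything the script flags is a prompt to confirm the details with the supplier by phone, not proof of fraud.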

Protecting your business's reputation

Whenever your people interact with the public they’re representing your business. That’s also true on social media.

  • Have a clear social media policy to ensure everyone is on the same page.
  • Only post content that’s in line with your business and brand values.
  • Even your people's personal activity can reflect on your business, especially if it's inflammatory or extreme.

Regularly review your processes and plans

Online security is a fast-moving environment. Diarise an hour every few months with an IT person to review your policies and plans. It's much better that you discover any weaknesses before the criminals do.

Signals publications

ASB's Cyber Security publication, Signals, aims to empower businesses with unique insights into the cyber threat environment and provide advice to ensure a robust defence.

Contact us

Call us

If you are concerned that there has been a breach in your ASB account security, contact us immediately.

0800 803 804

Suspicious email or SMS message?

Forward any suspicious-looking emails to phishing@asb.co.nz.

If you receive a suspicious SMS message, please delete it.

If you’re concerned about either an email or SMS you’ve received, call us on 0800 803 804.
