Protecting your business from online attacks is just as important as locking up when you leave each night. Understanding the types of attacks your business could be exposed to and effectively planning your response is the best defence against cyber-crime.
Your plan should outline your defences against the most common types of attacks on businesses:
An attempt to gain sensitive, confidential information such as usernames, passwords, credit card information, network credentials and more.
An unsolicited phone call or email that tries to illegally acquire money with false claims.
The use of one's occupation for personal enrichment through the deliberate misuse or misapplication of the employing organisation's resources or assets.
An attack meant to shut down a machine or network, making it inaccessible to its intended users by flooding it with traffic.
Malicous software used specifically to harm and infect the host system. Advanced malware such as ransomware are used to commit financial fraud and extort money from computer users.
Protect yourself from external threats by deciding how your team use your systems and devices. If you have an e-commerce platform or you collect customer data online, your cyber security plan may be a legal requirement.
Your policy helps your team understand the important role they play in protecting your company's cyber security:
Install security software on all your team's devices and browsers. Often, this software can be administered remotely by you or your IT security team.
Choose a system that updates every few days. If a new mass-attack virus appears, check that your security software protects against it or issues an immediate update.
Hackers see your team's mobiles, laptops, servers and desktop computers as access points. Keep the operating system and applications up to date, use security features that let you track, lock and wipe devices and consider encrypting your disks.
If you're targeted, it's too late to start working out what to do. An incident management plan helps everyone in your business respond fast and efficiently.
Below are some basic steps you can follow to help you plan and prepare for how to respond to a cyber-attack. You can find a more detailed guide on Cert NZ.
Monitor - detect and recognise any attacks quickly
Report - sound the alarm immediately, and assure people they won't get in trouble if they've made a mistake and let an attacker in
Triage - identify the nature of the attack, who to notify and what to do
Respond - technical, management, customer communications and legal action
Resolve - what to do to shut down the attack and prevent loss of information or money
Review - assess what happened, your plan's success, and what you need to change for next time
Email is an easy tool for scammers to use. They try to trick you or your team into giving away information, logging in to malicious sites or sending money. Some simple steps can help reduce the risk.
For more information, read our guide on how to protect your business from email payment fraud.
Your trusted people and ex-employees are one of your highest risk areas for business fraud. That doesn't mean you should be suspicious of everyone, but you should put controls in place to reduce the chance of something going wrong. Identify your critical systems, such as:
1. Your people need access to do their job, but consider carefully who you give access to, which systems and what level of access they have and make sure you review this regularly.
2. Don't give every user 'admin-level' access, so they can create users or make changes to processes. Most people don't need that level of access.
3. Give your team the appropriate level of access to reduce the risk of mistakes and fraud. If an attack happens, it also makes it easier to work out how.
Use a multi-user system with access control, like ASB FastNet Business. Set aside some time every quarter to check potential issues.
Whenever your people interact with the public they're representing your business. That’s also true on social media.
Online security is a fast-moving environment. Diarise an hour every few months with an IT person to review your policies and plans, remain informed and run checks on your businesses cyber security. It's much better that you discover any weaknesses before the criminals do.
You can also use online tools like 'Have I been pwned' to check if your email accounts have been linked to any of the major data breaches that have occurred across the globe. This can prompt you to take the necessary steps to protect your business such as changing your passwords, making your passwords stronger or upgrading your security.
For more information on how to deal with a cyber security problem as a business or individual, please visit Cert NZ.
If you think you or your business is under attack, let your bank know immediately.
If you're an ASB customer and you think you've been targeted, please call us on 0800 327 863 and we'll do everything we can to help.
ASB's Cyber Security publication, Signals, aims to empower businesses with unique insights into the cyber threat environment and provide advice to ensure a robust defence.
Every business is different and has unique banking needs, discover your options.
This page is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and should not be relied on. This information has been prepared without considering your objectives, financial situation or needs. We recommend you seek independent professional advice before acting on this information.