Keeping your business safe with cyber security

Protecting your business from online attacks is just as important as locking up when you leave each night. Understanding the types of attacks your business could be exposed to and effectively planning your response is the best defence against cyber-crime.

The most common types of attacks

Your plan should outline your defences against the most common types of attacks on businesses:

  • Phishing attacks

    An attempt to gain sensitive, confidential information such as usernames, passwords, credit card information, network credentials and more.

  • Phone or email scams

    An unsolicited phone call or email that tries to illegally acquire money with false claims.

  • Employee or workplace fraud

    The use of one's occupation for personal enrichment through the deliberate misuse or misapplication of the employing organisation's resources or assets.

  • Denial of service attacks (DDOS)

    An attack meant to shut down a machine or network, making it inaccessible to its intended users by flooding it with traffic.

  • Viruses, malware and hostageware

    Malicous software used specifically to harm and infect the host system. Advanced malware such as ransomware are used to commit financial fraud and extort money from computer users.

Set up your online security policy

Protect yourself from external threats by deciding how your team use your systems and devices. If you have an e-commerce platform or you collect customer data online, your cyber security plan may be a legal requirement.

Your policy helps your team understand the important role they play in protecting your company's cyber security:

  • Email and web use
  • Mobile device security
  • Handling sensitive data
  • Managing remote access
  • Using USB drives and other portable storage
  • Reporting security breaches

Protect your systems with up to date security software

Install security software on all your team's devices and browsers. Often, this software can be administered remotely by you or your IT security team. 

Choose a system that updates every few days. If a new mass-attack virus appears, check that your security software protects against it or issues an immediate update.

Keep your team's devices secure

Hackers see your team's mobiles, laptops, servers and desktop computers as access points. Keep the operating system and applications up to date, use security features that let you track, lock and wipe devices and consider encrypting your disks.

Keep passwords strong

  • Tell your team not to use the same password for business and personal use
  • Avoid common passwords and patterns
  • Set up your systems to lock out a user after several failed log in attempts
  • Use two factor authentication where you can, especially if they log in remotely
  • Make sure your teams don't share log in details to cover each other's tasks

How to respond to attacks when they happen

If you're targeted, it's too late to start working out what to do. An incident management plan helps everyone in your business respond fast and efficiently.

  • Make sure everyone knows where to find the plan in a hurry
  • Recognise attacks quickly, to minimise the impact
  • Keep a paper copy of your plan, in case the attack locks you out of your systems

Incident response management planning

Below are some basic steps you can follow to help you plan and prepare for how to respond to a cyber-attack. You can find a more detailed guide on Cert NZ.

  • Monitor - detect and recognise any attacks quickly

  • Report - sound the alarm immediately, and assure people they won't get in trouble if they've made a mistake and let an attacker in

  • Triage - identify the nature of the attack, who to notify and what to do

  • Respond - technical, management, customer communications and legal action

  • Resolve - what to do to shut down the attack and prevent loss of information or money

  • Review - assess what happened, your plan's success, and what you need to change for next time

Email scams - common business attack

Email is an easy tool for scammers to use. They try to trick you or your team into giving away information, logging in to malicious sites or sending money. Some simple steps can help reduce the risk.

  • Spot scam emails with poor English or no personalisation
  • Tell your team not to sign up to personal services with their business email address
  • Watch for fake invoices - have clear processes for ordering and paying for goods, so that your team won’t be taken in
  • Be careful of any email asking to make changes to a regular supplier's account details - contact them by phone to confirm the change

For more information, read our guide on how to protect your business from email payment fraud.

Control your team's access to critical systems

Your trusted people and ex-employees are one of your highest risk areas for business fraud. That doesn't mean you should be suspicious of everyone, but you should put controls in place to reduce the chance of something going wrong. Identify your critical systems, such as:

Customer data

Accounts and banking

Documents and Intellectual Property (IP)

Set user access privileges

1. Your people need access to do their job, but consider carefully who you give access to, which systems and what level of access they have and make sure you review this regularly.

2. Don't give every user 'admin-level' access, so they can create users or make changes to processes. Most people don't need that level of access.

3. Give your team the appropriate level of access to reduce the risk of mistakes and fraud. If an attack happens, it also makes it easier to work out how.

Check your online banking

Use a multi-user system with access control, like ASB FastNet Business. Set aside some time every quarter to check potential issues.

  • Do some spot checks on supplier account numbers, and make sure they're accurate
  • Look for duplicate suppliers in your payee lists with different account numbers
  • Check your audit log for any modifications to your payments after creation
  • Double check your sent payments to check for any duplicate or unusual payments
  • Look for invoices from unknown suppliers, or invoices that seem higher than usual
  • Check your online banking users to ensure they still require access and have the correct permissions & limits

Protecting your business' reputation

Whenever your people interact with the public they're representing your business. That’s also true on social media.

  • Have a clear social media policy to ensure everyone is on the same page
  • Only post content that’s in line with your business and brand values
  • Even their personal activity can reflect on your business, especially if it's inflammatory or extreme

Regularly review your processes and plans

Online security is a fast-moving environment. Diarise an hour every few months with an IT person to review your policies and plans, remain informed and run checks on your businesses cyber security. It's much better that you discover any weaknesses before the criminals do.

IT security practices

Cert NZ have a checklist of 11 top tips to help you implement strong cyber security practises in your business or personal lives.


Cert NZ have some information on 10 critical controls to protect your business from attacks. 

Run checks

You can also use online tools like 'Have I been pwned' to check if your email accounts have been linked to any of the major data breaches that have occurred across the globe. This can prompt you to take the necessary steps to protect your business such as changing your passwords, making your passwords stronger or upgrading your security. 

Stay informed

NCSC (National Cyber Security Centre) Cyber Threats is a great resource for keeping up to date on the latest cyber threats impacting NZ.

Who can help?

Cert NZ

For more information on how to deal with a cyber security problem as a business or individual, please visit Cert NZ.

Your bank

If you think you or your business is under attack, let your bank know immediately.

If you're an ASB customer and you think you've been targeted, please call us on 0800 327 863 and we'll do everything we can to help.

Signals publications

ASB's Cyber Security publication, Signals, aims to empower businesses with unique insights into the cyber threat environment and provide advice to ensure a robust defence.

Keep reading

What's next for your business?