Six ways businesses can reduce their cyber security risk as incidents rise

Over half of Kiwi businesses are concerned about cyber security, a survey by Cert NZ shows. Photo credit: Getty Images.

Reports of cyber security incidents are on the rise, but there are simple steps business owners can take to reduce their risk, Cert NZ says.

Confirming cyber security reports rose 65 percent last year compared to 2019, Cert NZ, a Government agency that supports businesses, organisations and people affected by cyber security fraud, said Kiwis lost $3 million in cyber security fraud in the first quarter of this year.

An online survey of over 500 small businesses of up to 20 staff conducted in July and November showed 54 percent of owners are concerned about cyber security, but less than half (45 percent) have processes in place to protect against an attack. Just 38 percent thought they were investing enough in cyber security, with 34 percent saying they'd put a lot of thought and planning into it.

CERT NZ director Rob Pope said the recent rise in high-profile cyber attacks indicates no one is immune from being targeted, but the silver lining is online security is more at the front of business owners' minds.

Having two-factor authentication on each user's login is a good place to start.

"A large percentage of incidents reported to CERT NZ could've been prevented simply with a long strong password and the use of two-factor authentication, which provides an extra layer of security for logins," Pope said.

Business owners are typically short of time and, often, cash flow. But Cert NZ says prevention is the best and most inexpensive form of defence.

Six ways businesses can reduce cyber security risk 

As 46 percent of businesses said they're trying to learn more about cyber security, Cert NZ shares the following six simple actions businesses can take to reduce their risk.

  1.  Install updates on software and devices regularly to prevent attackers from exploiting vulnerabilities.
  2. Back up business and customer data on a segregated network so if it's lost or stolen, it can be recovered quickly. "By separating your network into smaller ones, it means that if an attacker gets access to one area of your network, they won't be able to access them all," Cert NZ says.
  3. Use a password manager to keep track of passwords for each online account and, as an extra layer of security, put two-factor authentication on. "With a password manager you don't have to try to remember lots of different passwords, or risk using the same one over and [over. You]'ll only have to remember the one master password for your password manager," Cert NZ says. "Password managers can also generate passwords for you, so you don't have to think them up."
  4. Enable logging to keep records for investigative purposes.
  5. Monitor logs for unusual activity and talk to service providers about how they can help detect unusual activity on the network, for example: an increase in failed login attempts either on an account or across multiple accounts, activity at times staff don't normally work and activity from places or countries where staff aren't based.
  6. Have an incident response plan to enable the business to be prepared if the worst happens.
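
As an added example (not from Cert NZ or the original article), the three warning signs listed in step 5 can be checked with a short script run over login records. The log format, the thresholds, the working hours and the placeholder country code `XX` are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Assumed policy values for this example; tune them to your own business.
WORK_HOURS = range(7, 19)       # staff normally sign in 07:00-18:59 local time
HOME_COUNTRIES = {"NZ"}         # where staff are based
BURST_THRESHOLD = 5             # failed logins on one account in one hour
SPRAY_THRESHOLD = 3             # distinct accounts failing in one hour

# Constructed sample events: "<local timestamp> <user> <result> <country>"
SAMPLE_LOG = """\
2021-06-01T09:02:11 alice success NZ
2021-06-01T10:00:05 bob fail NZ
2021-06-01T10:00:41 bob fail NZ
2021-06-01T10:01:17 bob fail NZ
2021-06-01T10:02:03 bob fail NZ
2021-06-01T10:02:50 bob fail NZ
2021-06-01T11:30:00 carol success XX
2021-06-01T13:10:00 carol fail NZ
2021-06-01T13:10:02 dave fail NZ
2021-06-01T13:10:04 erin fail NZ
2021-06-02T02:14:09 alice success NZ
"""

def find_unusual(log_text):
    """Return (signal, subject) alerts for the three patterns in step 5."""
    alerts, fails_per_account, accounts_failing = [], Counter(), defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        stamp, user, result, country = line.split()
        ts = datetime.fromisoformat(stamp)
        hour = ts.strftime("%Y-%m-%dT%H")          # one-hour bucket
        if result == "fail":
            fails_per_account[(user, hour)] += 1
            accounts_failing[hour].add(user)
        elif result == "success":                  # only successful sign-ins, to limit noise
            if ts.hour not in WORK_HOURS:
                alerts.append(("off_hours", user))
            if country not in HOME_COUNTRIES:
                alerts.append(("unexpected_country", user))
    for (user, hour), n in sorted(fails_per_account.items()):
        if n >= BURST_THRESHOLD:                   # many failures on one account
            alerts.append(("failed_login_burst", user))
    for hour, users in sorted(accounts_failing.items()):
        if len(users) >= SPRAY_THRESHOLD:          # failures across multiple accounts
            alerts.append(("failures_across_accounts", hour))
    return alerts
```

Calling `find_unusual(SAMPLE_LOG)` flags one alert for each pattern; an alert is a prompt to look closer, not proof of an attack.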

A MYOB technology snapshot released on Tuesday confirms almost a quarter (24 percent) of New Zealand small businesses (SMEs) have been victims of a cyber attack or malicious activity. 

Those attacked suffered serious repercussions: two in five (42 percent) said private files were accessed and 30 percent revealed their customer or client data was made available on the 'dark web'.

MYOB senior sales manager (SME) Krissy Sadler-Bridge said being a victim of a cyber attack can be "incredibly scary" - especially if private documents are accessed or personal threats are made.

If businesses have a plan that outlines how to report suspicious behaviour immediately, and a list of contact people if there's a cyber attack, this can help a business "move swiftly and correctly" before the attack has a bigger impact.

She also suggests that learning how to be "cybersafe" and identify "red flags" be offered to staff as part of regular training.

For businesses deciding where to invest time and money, Cert NZ has developed a list of the top ten minimum cyber security requirements. When implemented correctly, the controls would prevent, protect or contain most incidents seen over the past year, Cert NZ said.

General information about how businesses can stay secure can be found here.