Tax Talk: Are you subject to FIF rules? If so, changes are coming…
New Zealand’s foreign investment fund (FIF) rules have created much angst for Kiwis over the decades...
Following on from last week’s look at the changing face of cybercrime, let’s consider ways to protect your business from hackers, using the latest advice from CERT NZ and Baker Tilly Staples Rodway Taranaki Specialist Services director Rob McEwan.
Time to read: 6 mins
Every year, after noting which attacks have been reported, national cybersecurity watchdog CERT NZ releases a list of Critical Controls to help you protect your software and systems. “If you don’t have these controls in place, you have a soft underbelly and hackers will come after you,” says Rob. “But when you implement them, they will prevent the majority of what’s out there.”
Let’s look at those controls and other means of protection…
Passwords are the key to our most sensitive and important data, yet many people don’t observe safety protocols, which include:
Password managers enable storage and encryption. They can also create long, complicated, unique passwords for each site or account you log into, avoiding replications that could be exploited.
This will help protect against the scripts detailed at the end of our cybercrime article last week, so it’s important to quickly patch all your software, from operating systems and applications to firewalls and routers, after security patches have been released. We recommend doing it each night.
“PCs and laptops are being used in home networks, airports and hotels, so it’s really important to patch those devices as soon as they become available,” says Rob.
If a hacker acquires your username and password, multi-factor authentication will likely prevent them from going any further due to the request for secondary proof of identification.
Set up alerts with service providers such as Office 365 to notify you of suspicious logins. These should be sent to someone who will see and act on the alerts, if necessary. “It’s about trying to take action as it’s happening, as well as finding out what went wrong and fixing it,” says Rob.
It’s important to manage and maintain your assets through their lifespan from purchase to usage, retirement and disposal. This includes deleting data if a computer is disposed of or passed from one user to another.
All your data should be backed up and stored securely offline or in the cloud to reduce the impact of ransomware attacks, and backups should be run automatically from a schedule.
“We still come across businesses where back-ups constitute a USB thumb-drive that gets a couple of files put on it and goes home at night and that’s really not good enough in the modern environment,” says Rob. “Also, test your back-up and recovery plans to make sure they work and take action if they don’t.”
Most malware is introduced through malicious email attachments, unintentional file downloads from websites, or downloads that people authorise without understanding the consequences. Application control can include “allowlisting” (formerly known as “whitelisting”), which governs which apps your employees can run on their PCs.
Providing the minimum level of access that users need to perform their role makes Admin accounts less exposed to attack, helps protect against installation of unsafe software, limits access by segregating duties, and guards against accidental or deliberate actions that can cause security incidents.
Larger businesses can make it harder for would-be attackers to move around their network by breaking it down into smaller segments and setting appropriate access controls.
Attackers often use macros to hide malicious programs in software like Microsoft Office. You can help prevent this by using secure defaults and macros, forcing them to run only in sandboxed environments, or disable macro use if you don’t use them.
Cyber insurance will help protect your business in the aftermath of cybercrime, however, it’s critical to carefully read the wording, comply with your obligations and talk to your insurer or broker if you have any doubts.
For example, a clause that requires “written” cybercrime training materials for your employees with “regular” updates could mean your insurance is invalid if you instead provide video training or don’t meet your insurer’s definition of “regular”.
Sometimes policies no longer reflect current best practice, for example, requiring employees to change their passwords every six weeks. This is no longer considered best practice because many people just add numbers to their passwords (e.g. Britannyt1, Britanny2, Britanny3). “When a hacker sees that a password has a number on it – a one or two or three – they’ll just try the incrementals,” says Rob.
Office environments generally offer more protection, like firewalls and additional network controls, but when people take their laptop home, they’re often on the same network as home computers, devices or smart TVs and appliances that contain security vulnerabilities or can’t be updated or patched, or apps that could allow hackers to get into your network. “So you need to make sure that computer is safe at home, the hotel, the airport – everywhere else that it’s working.”
One way to do this is to set up your work equipment on a separate network from your home devices and appliances.
Employers can also provide a level of protection by controlling how work computers are configured, but if employees use their own computers, you can create and enforce policies, for example, staff can’t log in until the computer has verified that it has working anti-virus, current patches and so forth.
DISCLAIMER No liability is assumed by Baker Tilly Staples Rodway for any losses suffered by any person relying directly or indirectly upon any article within this website. It is recommended that you consult your advisor before acting on this information.
Our website uses cookies to help understand and improve your experience. Please let us know if that’s okay by you.
Cookies help us understand how you use our website, so we can serve up the right information here and in our other marketing.