Check the security of third parties accessing your system
If you allow suppliers or contractors to access your systems, ensure that cybersecurity requirements are built into their contracts, and that their cybersecurity processes at least meet your own.
If they in turn outsource your work to another provider, check that provider's level of cybersecurity as well. Review access on a regular basis and revoke accounts that are no longer needed.
A register of the organisations and individuals that have access to your network, recording which systems each account can reach and when the engagement ends, will enable you to identify and disable access promptly when circumstances change.
Cybersecurity and mobile devices
Employees, contractors, suppliers and customers who can access your network from their own devices present a risk, because you do not control how those devices are secured. If you do allow such access, limit what those users can reach to the minimum they need.
Require employees, contractors and suppliers who access your network from mobile devices to protect those devices with a passcode or screen lock, keep them updated and have appropriate security software installed. Consider enforcing this by only allowing known, registered devices to connect (an allow list, sometimes called a whitelist).
Control physical access to your network
Establish a separate user account for each employee and require strong, unique passwords. Note that current guidance such as NIST SP 800-63B no longer recommends forcing password changes on a fixed schedule (for example every three months); instead require a change when a password is known or suspected to be compromised, and reject passwords that appear in known breach lists. With separate user accounts you can attribute each action to an individual.
Consider restricting who can plug devices into your network to authorised personnel only, and disable network ports that are not in use.
Restricting access to your Wi-Fi networks
If you have a Wi-Fi network in your business for employee use, make sure it is protected with WPA2 or WPA3 and a strong passphrase. Hiding the network name (SSID) adds little protection, because the name is still visible to anyone with a wireless scanner, so do not rely on it. If you have a public Wi-Fi network for customers, put it on a separate network that only gives users access to the internet, not to your business-critical systems. Never use public Wi-Fi hotspots to access your company network.
Separate your point-of-sale systems
Isolate your point-of-sale systems from other, less secure systems, for example by placing them on their own network segment. Speak to the bank or provider that supplies your point-of-sale systems, as they may be able to help you secure them.
Limit employee access to information systems
Employees should only be given access to the systems they need to perform their duties. No employee should have access to your entire system, and software should only be installed with specific permission.
Consider requiring separate authorisation and separate credentials to access critical data. Once a person leaves your employment, their access to your systems, including remote access, must be removed immediately.
Limit or disable the use of administrative or privileged accounts except in the limited circumstances where maintenance requires them; day-to-day work should be done from a standard account.
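The regular access review described above, covering third-party accounts and staff who have left, is easy to automate once you keep an access register. The following Python script is an added example and not part of the original page: it reads a register of accounts (the sample data is constructed), compares it with a list of organisations currently under contract, and lists every account that should be revoked or explicitly re-approved. The column layout, the organisation names, the 90-day inactivity threshold and the review date are all assumptions.

```python
"""Access-register review: flag accounts to revoke or re-approve.

Added example, not from the original page. All data below is constructed.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register: who has access, via which organisation,
# when their engagement ends (blank = permanent staff) and the last login.
REGISTER_CSV = """\
account,person,organisation,role,engagement_end,last_login
jsmith,Jane Smith,Acme Ltd,employee,,2024-05-30
bkhan,Bilal Khan,Acme Ltd,employee,2024-04-12,2024-04-11
contractor-pat,Pat Lee,Northwind Services,contractor,2024-12-31,2024-01-15
vendor-svc,Service Account,Globex IT,supplier,2025-06-30,2024-05-29
old-temp,Sam Roe,Initech,contractor,2024-02-28,2024-02-20
adm-jsmith,Jane Smith,Acme Ltd,admin,,2024-03-01
"""

# Constructed list of organisations that currently hold a contract with us.
APPROVED_ORGS = {"Acme Ltd", "Northwind Services", "Globex IT"}

# Assumed policy: an account unused for this long is disabled pending review.
INACTIVE_AFTER = timedelta(days=90)

# Assumed date on which the review is run (fixed so the output is repeatable).
REVIEW_DATE = date(2024, 5, 31)


def parse_date(value):
    """Turn an ISO date string from the register into a date, or None if blank."""
    return date.fromisoformat(value) if value else None


def review_register(csv_text, approved_orgs, today, inactive_after=INACTIVE_AFTER):
    """Return {account: [reasons]} for each account needing action.

    An account is listed when any of the following hold:
      * the person's engagement end date has passed (leaver or expired contract),
      * the organisation is not on the approved-supplier list,
      * the account has not logged in within `inactive_after`,
      * the account is privileged, which always needs explicit re-approval.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        end = parse_date(row["engagement_end"])
        last = parse_date(row["last_login"])

        if end is not None and end < today:
            reasons.append(f"engagement ended {end}")
        if row["organisation"] not in approved_orgs:
            reasons.append(f"organisation {row['organisation']!r} not on approved list")
        if last is None:
            reasons.append("account has never logged in")
        elif today - last > inactive_after:
            reasons.append(f"no login in the last {inactive_after.days} days")
        if row["role"] == "admin":
            reasons.append("privileged account: confirm it is still required")

        if reasons:
            findings[row["account"]] = reasons
    return findings


def example_findings():
    """Run the review over the constructed register on the assumed review date."""
    return review_register(REGISTER_CSV, APPROVED_ORGS, REVIEW_DATE)


if __name__ == "__main__":
    for account, reasons in sorted(example_findings().items()):
        print(account)
        for reason in reasons:
            print(f"  - {reason}")
```

Accounts with no findings (here jsmith and vendor-svc) are left alone; everything else goes to whoever owns the account for revocation or a recorded re-approval. Feeding the script from your identity provider's last-login export instead of a hand-maintained column keeps the inactivity check honest.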
Disaster recovery plan
Have a disaster recovery plan in place to help you respond if you are subject to an attack, your data has been accessed or lost, or your systems are affected by malware.
Include in your plan how you will communicate with customers and others if their data has been accessed or lost.
Regularly review your security to confirm it is still appropriate. You may wish to engage an external specialist to review and advise on the effectiveness of your cybersecurity. Extend the review to your suppliers and to your insurance cover.
Perform unannounced tests, such as simulated phishing emails, to educate staff and suppliers about potential cybersecurity risks.
As with a break-in at your premises, you should report attempted and actual break-ins to your systems. Law enforcement agencies can only act against such criminals if incidents are reported.
In New Zealand, you can report an incident to the New Zealand National Cyber Security Centre (NCSC) at www.ncsc.govt.nz/incidents/