Protecting your business online

Anti-virus Software

Viruses, spyware and other malicious software or malicious code (malware) can stop your computer working properly, delete or corrupt your files, steal information, or allow others to access your computer and your personal or business information.

The consequences of a malware infection can be serious and far-reaching, from losing access to your files to becoming a victim of identity theft and fraud.

Choosing anti-virus software

Anti-virus solutions differ in effectiveness and the range of malware types they cover. Before choosing an anti-virus product, consider reviews on reputable and trustworthy websites or magazines.

At a minimum, all anti-virus software should provide:

  • protection and detection capabilities for malware, adware and spyware
  • comprehensive scanning: real-time (on-access) scanning of files as they are opened or downloaded, plus on-demand scans of the whole system and of removable media.

Some anti-virus products may also include:

  • a site adviser so your browser alerts you when visiting a suspicious or dangerous website
  • malware protection with an integrated firewall. 

Note: if you install an anti-virus product that includes its own firewall, running it alongside your operating system’s built-in firewall can cause conflicts. Most products disable or take over the built-in firewall during installation, but check with your anti-virus and operating system vendor, and confirm afterwards that exactly one host firewall is active (never none).


What to do if things go wrong

If things go wrong, there are steps you can take to minimise further harm.

If you’re unfortunate enough to be a victim of malicious software, you can:

  • see our malware, ransomware or restoring your data pages for more information and advice on recovering your computer and valuable files
  • seek technical advice from your anti-virus vendor or a reputable technician
  • contact your bank or financial institution if you believe your banking details have been captured by malware


Before you start, update your software

Exploiting email clients and web browsers is the most common way attackers and malware gain access to devices and the information on them.

Protect yourself before you start browsing the web by ensuring your operating system, web browser, security software, browser plugins (like Java or Adobe products) and other applications are up-to-date.

Protect your web browser

Let your web browser protect you 

Use the most secure settings your browser offers. Some functionality might be limited, but those settings provide the best protection from malicious content. 

Most web browsers will warn you when they detect you visiting a malicious website or possibly being exposed to malicious content. Pay attention to these warnings – they can help protect you from malware, phishing and identity theft. 

Learn more about the security settings on your browser 

Settings and security models are different for each browser. Visit the following vendor websites to learn more about the security settings in your browser: 

  • Apple Safari 

  • Google Chrome 

  • Microsoft Edge 

  • Microsoft Internet Explorer (no longer supported by Microsoft, so it should not be used for browsing; move to a current browser) 

  • Mozilla Firefox

  • Opera

Note if your device has different profiles for different users, the browser security settings may need to be changed for each user.

Use safe behaviour

We are becoming increasingly dependent on the internet for many facets of our daily life. Protecting yourself by securing your devices, software and connections is important, and making the right choices when doing things on the web can make a huge difference to your safety online.

Remember: There are risks involved in doing things online and you can reduce that risk by following our guidance.

Making online purchases

When making purchases online: 

  • Check if the site is reputable and has a refund policy. 

  • Check that you are using a secure connection. The URL of the payment page will use ‘https’ instead of ‘http’, and a padlock icon will be displayed by your browser. Be aware that the padlock only confirms that the connection to the site is encrypted; it does not prove the site is the one you intended, and phishing sites routinely use ‘https’ too. Check the domain name in the address bar as well. 

  • If the website looks suspicious or you have doubts, do not proceed. Learn more about making purchases online safely from our guides. 

  • Know that threats such as malware, phishing, identity theft and other types of fraud and scams are a risk online.

  • Be aware that malware can be delivered through malicious advertising (known as malvertising), even on reputable sites. An ad blocker reduces your exposure by stopping the ad content from loading, although it is not a complete defence. Some browsers offer built-in ad or tracker blocking in their settings, and others support it through an extension; search for ‘ad blocker’ in the online help or support centre for your web browser. 

  • Avoid using public computers or Wi-Fi hotspots to access or provide personal information. Don’t use online banking or make payments with credit cards using public computers or Wi-Fi.

Cookies and security

Websites use cookies in order to gather information about their visitors. Cookies are small text files – bits of information – left on your computer by websites you have visited, which let them ‘remember’ things about you.

Cookies may also be used to store your preferences and settings for particular websites, which means your experience can be customised based on your past behaviour. 

From a security perspective, a cookie on its own cannot harm your computer: it is just text read by your browser and contains no code that could be executed. Two things still matter, though. First, websites are able to gather a lot of information about you and your website activity through cookies. Second, the cookie that keeps you logged in to a site is effectively a temporary password: if someone copies it (for example through malware on your device, or by capturing it over an unencrypted connection on public Wi-Fi), they can use your account without knowing your password until you log out or the session expires. This is one reason to log out of important sites when you have finished and to avoid using them over untrusted connections. 

If you have concerns about how this might impact on your privacy, you could consider regularly clearing the cookies from your computer or device. Some browsers let you block them altogether. But note that this could affect your experience of some websites. 

Visit your browser vendor’s website for more information on privacy and how to manage cookies.
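
As an added example (not from the original page), the check below is the one a site operator, or anyone reviewing a web application, would run on the cookies a site sets: it parses Set-Cookie headers and reports a login cookie that lacks the Secure, HttpOnly or SameSite attributes, the three settings that stop it being sent over plain http, read by injected script, or attached to requests that another site triggers. The header lines are constructed and the cookie names are made up.

```python
"""Audit Set-Cookie headers for the attributes that protect a login cookie.

Added example, not from the original page.  The header lines below are
constructed for illustration; 'sessionid', 'authtoken' and 'prefs' are
made-up cookie names.
"""

# Names that usually carry a login session; a stolen one is a stolen login.
SESSION_HINTS = ("sess", "auth", "token", "login")


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into its name, value and attributes.

    Flag attributes (Secure, HttpOnly) map to True; valued ones (Path=/,
    SameSite=Lax) map to their value.  Attribute names are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return findings for one cookie; an empty list means it is well protected."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain http, so anyone on "
                        "the same open Wi-Fi can read it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script injected into the "
                        "page (XSS) and then sent to the attacker")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to requests that other "
                        "sites trigger (CSRF)")
    return findings


def is_session_cookie(name: str) -> bool:
    """Heuristic: does the cookie name look like it carries a login?"""
    return any(hint in name.lower() for hint in SESSION_HINTS)


def audit_headers(headers: list) -> dict:
    """Audit several Set-Cookie headers.  Only session-like cookies are
    reported: a leaked preference cookie is a privacy issue, not a takeover."""
    report = {}
    for header in headers:
        name = parse_set_cookie(header)["name"]
        if is_session_cookie(name):
            report[name] = audit_cookie(header)
    return report


# Constructed sample headers (no real site involved).
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "authtoken=7b2e; Path=/",                        # bare login cookie
    "prefs=theme%3Ddark; Path=/; Max-Age=31536000",  # harmless preference
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(name, "->", findings or "ok")
```

For the reader of this page the practical point is the second header: a site that sets its login cookie that way lets the cookie travel in the clear, which is exactly what an attacker on public Wi-Fi is waiting for.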

Your internet connection is a way for you to interact with the outside world, but it also provides a channel into your computer. If your internet connection isn’t secure someone may use it to steal your personal or financial information for malicious purposes.

Public Wi-Fi ‘hotspots’ in places like cafés, airports, hotels and libraries are convenient, but they can be risky.

Tip: Avoid sending or receiving valuable or sensitive information when connected to public Wi-Fi networks.

Remember: If you don’t take steps to protect your internet connection and network, they could be used illegally and without your knowledge.

Use this guidance to learn how to use public Wi-Fi networks safely.

Protect your internet connection

There are a number of easy things you can do to make your internet connection and network more secure.

Computer security professionals refer to these steps as ‘hardening’ measures and they do just that—they make your software, your devices, your network and the connections between them harder to access and more resilient to attack.

Routers and modems 

A router is a small electronic box that creates a network for the devices in your home. A modem connects that network to the internet. Many internet providers offer a combined router/modem unit that performs both these functions in one device, and here we refer to the device simply as a router. 

Setting up your router

  1. Ensure the Wi-Fi network password provided by the ISP or router manufacturer is hard to guess, and if not, change it to something more secure.

  2. Change the administrator password used to access the router’s settings. Default administrator passwords for many makes and models are publicly available online, and it is often straightforward for a cybercriminal to determine the make and model of the device you are using and then log in to your router with them. Where possible, also change the default administrator username (typically ‘admin’ or ‘administrator’) to something hard to guess. 

  3. Ensure remote management is disabled. Remote management lets anyone who can reach your router from the internet log in and change its settings, including passwords. Disabling it means the settings can only be changed from inside your own network.  

  4. Consider enabling the ‘guest’ Wi-Fi feature on your network for visitors that may need access. This way you don’t need to share your actual Wi-Fi password with them, and you can cycle the guest Wi-Fi password as needed without having to reset all the wireless devices in your house. 

Use the strongest encryption protocol 

Because wireless networks don’t need a wire between a computer and the internet connection, it is possible for anyone within range to intercept the signal if it is unprotected. 

This means you need to use the strongest encryption protocol provided by your router. That is WPA3 on recent routers and otherwise WPA2 (with AES/CCMP encryption); WEP and the original WPA have known weaknesses and should not be used. You should be able to check this by looking at the device settings. WPA2 has been required for Wi-Fi certified devices since 2006, so a router older than that may not offer it. 

Manufacturers often classify old devices as ‘legacy’ models and no longer develop firmware upgrades for them, and this can leave you exposed to known security flaws. 

If that’s the case, you should consider replacing your router. 

Not using the strongest encryption protocol increases the chances of your internet communications being intercepted by cybercriminals. 

Make sure your router uses the latest ‘firmware’ available 

Firmware is the software embedded into your router that determines the functions it can perform. Just like new software updates for your computer, new firmware for your router will provide improved features and address any security vulnerabilities. 

To find out which version of firmware is installed on your router, log in to the device and check its settings. Some routers have a button that checks automatically whether a more recent version is available, and many newer ones can install updates automatically, which is worth turning on. Otherwise, the manufacturer’s website will tell you if there is a more recent version of firmware for your device and allow you to download it. 

Be careful when you do this. Make sure you follow the instructions in your device’s manual and select the correct firmware upgrade version for your model of router, because a failed update can render your device unusable and disconnect all your computing devices from the internet. 

If you don’t feel confident to update your firmware, you could get in touch with a reputable computer technician. You could also think about replacing your router. 

Upgrading to a current router model will offer you significant benefits such as additional features and configuration options, faster data transfer speeds and, most importantly for security, ongoing firmware updates and support for current encryption protocols.

Use a secure connection

Wherever you can, avoid using hotspots that are run by people or organisations you don’t know or trust.

Criminals have been known to set up Wi-Fi hotspots in order to steal users’ banking credentials, account passwords, and other valuable information. 

  • Confirm the ‘official’ hotspot name from venue staff and manually connect your device to it. Don’t let your device automatically connect to the first hotspot in its list.
  • Turn off network discovery options like “Remember networks this device has joined.”
  • Turn off file sharing. If you have file sharing turned on and you connect to a public Wi-Fi hotspot, your files could be accessed by others using the same hotspot.
  • Install a reputable virtual private network (VPN) solution on your device. When enabled and configured correctly, a VPN is a service that uses encryption to keep your information secure when using public Wi-Fi, as well as providing a level of anonymity. That said, a VPN doesn’t secure your devices or online accounts, so it’s important that you still keep them up to date with the latest security software updates, and always use strong passwords. Also consider the following when selecting a VPN service provider:
    • Look at independent reviews online. You’ll often find honest reviews from other users, so research the app on reputable blogs, websites or trusted sources that are not the app’s own website. You can also find out more about the app’s description, its content rating and the developer, and whether an app only encrypts some of your data, not all of it.
    • Where the company is based. Make sure you select a VPN provider that is based in a country with strong privacy laws. This reduces the possibility that data collected by your VPN will be shared with others.
    • VPN apps may provide your personal information to third parties. Many VPN apps are funded by advertising (which appears within the app) giving consumers the option to download the apps for free. In exchange, VPN apps may share your information with third parties. If you use a VPN app to keep your internet activity private, make sure you review its terms and conditions and privacy policy, to see if it shares information with third parties.
    • Consider the app permissions. Apps will ask for access to certain information on your device to help improve how it operates for you. For example, the app may request permission to read your text messages or access your photos. These permissions will be outlined and explained on the app store or during installation. Generally, a VPN application should not require access to your personal data.

Don’t do your online banking or shopping, send confidential emails or enter your passwords or credit card details on public Wi-Fi. Wait until you’re using a secure home, office or mobile connection.

When you are using websites while on public Wi-Fi, make sure the websites are secure. Always look for a https (‘s’ stands for secure) in the website address and a padlock on the web browser.

Always remember to disconnect from the hotspot after you have finished using it. 

But remember, no public Wi-Fi is 100% secure, so consider using your own mobile data for any sensitive transactions.

Take extra precautions to secure your devices

When accessing the internet at a public Wi-Fi location, you should take extra precautions.

  • Ensure your phone, tablet or laptop has a reputable anti-virus installed.
  • Keep software patched and up-to-date with the latest release version, to ensure that any identified security holes have been closed.
  • Set up two-factor or multi-factor authentication wherever possible. Online systems such as banks, Google Mail and Facebook offer this option for transactions or when logging into accounts. This way, a malicious hacker can’t log in without also having access to your phone or SMS inbox, even if they know your username and its associated password. Where you have the choice, prefer an authenticator app or a physical security key over SMS codes, because SMS messages can be intercepted or redirected (for example by a SIM swap).

Create strong passwords

The key thing to remember when creating a password is that the longer it is, the stronger it is! 

Think of a passphrase that is made up of at least four words, including at least 14 characters, for example ‘horsecupstarshoe‘. Make it meaningful to you so it is easy to remember. 

  • Using strong passwords lowers your overall risk of a security breach, but they do not replace the need for other effective security controls, such as installing anti-virus software and updates to your operating system as soon as they’re released. 

Do not include the following things in your passwords: 

  • repeated characters 

  • short strings of arbitrarily mixed letters, numbers and symbols (they are hard to remember and, being short, still quick to crack; use length instead)  

  • single dictionary words, your street address or numeric sequences (such as 1234567) 

  • personal information 

  • anything you have previously used. 

It is also better not to change your passwords on a fixed schedule, for example each month, as that leads to weaker, predictable passwords. Change a password when you have reason to think it has been compromised. 

Password tiers

Password tier | Account risk       | Account types                                                         | Action
Tier 1        | High risk accounts | Banking; online payments; social media                                | Use unique and complex passwords
Tier 2        | Low risk accounts  | No confidential or valuable information, e.g. newsletters, catalogues | Less complex passwords are acceptable (but never one you use for a Tier 1 account)

Treat the email account that receives your password reset messages as Tier 1 as well: whoever controls it can reset the others.

Use a password manager

A password manager will generate and remember secure passwords for you.

You can install a password manager on your computer, smartphone or tablet, and many password managers will sync your passwords across your devices. 

The downside is that the password manager becomes a single point of failure: anyone who gets into it gets everything. Reputable managers encrypt the vault with your master passphrase, so what protects you is a long, unique master passphrase that you use nowhere else, two-factor authentication on the manager account, and keeping the device it runs on free of malware.

Comparison of password vs passphrase

Using a phrase or sentence, not one word, as your password

A passphrase is similar to a password. It is used to verify access to a computer system, program or service. Passphrases are most effective when they are:

  • Used with multi-factor authentication
  • Unique – not a famous phrase or lyric, and not re-used
  • Longer – phrases are generally longer than words
  • Complex – naturally occurring in a sentence with uppercase, symbols and punctuation
  • Easy to remember – saves you being locked out.

Passphrases create greater security & more convenience

  • Harder to crack against common password attacks
  • Easier to remember than random characters
  • Meets password requirements easily – upper and lower-case lettering, symbols and punctuation

Brute force attacks and dictionary attacks can both test millions of password guesses per second, and far more against a stolen database of poorly hashed passwords.

For all fixed and mobile devices

Passphrases will significantly increase security across all of your business’ devices. See below for a comparison of password vs passphrase security.

Password / passphrase                | Brute force attack: time to crack (cost) | Dictionary attack: time to crack (cost) | Easy to remember?    | Comments
password123                          | Instantly (less than $0.01)              | Instantly (less than $0.01)             | Very easy (too easy) | One of the most commonly used passwords on the planet.
Sponges95!                           | 48 hours ($587.50)                       | Less than half an hour ($6.10)          | Easy                 | Some complexity in the most common places, and very short. Easy to remember, but easy to crack.
5ponges!95                           | 24 hours ($293.70)                       | Less than 1 hour ($12.20)               | Somewhat easy        | Not much more complexity than above despite the character substitution, and still short. Easy to remember, but easy to crack.
A&d8J+1!                             | 2.5 hours ($30.60)                       | 2.5 hours ($30.60)                      | Very difficult       | Mildly complex, but shorter than the passwords above. Hard to remember, easy to crack by brute force.
I don’t like pineapple on my pizza!  | More than 1 year (more than $107,222.40) | More than 40 days (more than $11,750.40)| Easy                 | Excellent length (35 characters). Complexity is naturally high given the apostrophe, exclamation mark and spaces. Very easy to remember, and very difficult to crack.

The times and costs are illustrative estimates for one particular cracking set-up. They shrink every year as hardware gets faster, and they assume the passwords were stored properly hashed; against a poorly protected database all of them fall faster. What scales the attacker’s work is length, which is why the passphrase wins.

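
The table above gives results; the script below, an added example rather than anything from the original page, shows where such numbers come from. It reproduces the two attacks named above, a dictionary lookup (here against a five-entry stand-in for the multi-million-entry leaked lists attackers actually use) and a brute-force search over the character set, and it also estimates the work for a passphrase built from random words, the ‘horsecupstarshoe’ approach recommended earlier. The guess rates are illustrative round numbers, not measurements.

```python
"""Estimate how much work a guessing attack needs for a password or passphrase.

Added example, not from the original page.  COMMON_PASSWORDS is a tiny
constructed stand-in for a leaked-password list; the guess rates are
illustrative round numbers rather than measurements.
"""
import math
import string

# Constructed stand-in for a leaked-password list used by dictionary attacks.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}

# Illustrative attacker speeds (guesses per second).
ONLINE_THROTTLED = 1e2      # a login form with lockout / rate limiting
OFFLINE_FAST_HASH = 1e10    # GPU rig against a stolen, weakly hashed database

SECONDS_PER_YEAR = 31_557_600


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that contains the password.

    A brute-force attacker picks the set from what the site allows; this is
    the basis of 'time to crack' figures like those in the table above.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1   # 32 symbols plus the space
    return size


def brute_force_guesses(password: str) -> int:
    """Worst case for an attacker who tries every string of this length."""
    return charset_size(password) ** len(password)


def passphrase_guesses(word_count: int, dictionary_size: int) -> int:
    """Guesses for a passphrase of random words when the attacker knows the
    word list (e.g. four words drawn from a 7,776-word diceware list)."""
    return dictionary_size ** word_count


def expected_seconds(guesses: int, rate: float) -> float:
    """On average the attacker succeeds after trying half the space."""
    return guesses / 2 / rate


def report(password: str) -> dict:
    """Summarise both attacks from the comparison table for one password.
    A dictionary hit means 'instantly' regardless of the brute-force figures."""
    guesses = brute_force_guesses(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(math.log2(guesses), 1),
        "dictionary_hit": password in COMMON_PASSWORDS,
        "years_offline": expected_seconds(guesses, OFFLINE_FAST_HASH) / SECONDS_PER_YEAR,
        "years_online": expected_seconds(guesses, ONLINE_THROTTLED) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for pw in ("password123", "A&d8J+1!", "I don't like pineapple on my pizza!"):
        print(pw, report(pw))
    print("4 random diceware words:",
          round(math.log2(passphrase_guesses(4, 7776)), 1), "bits")
```

Two things the output makes visible: ‘password123’ has a respectable brute-force figure (36 characters to the 11th power) and is still cracked instantly because it is in every dictionary, and four random words from a known list (about 51.7 bits) beat an eight-character random string (about 52.6 bits for ‘A&d8J+1!’) only narrowly, while being far easier to remember; a sentence of 35 characters is out of reach of either attack.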
Maintain password and PIN hygiene

Maintain password and PIN hygiene to keep them safe 

  • Don’t use the same password for multiple services or websites. 

  • Don’t share your passwords with anyone. 

  • Don’t provide your password in response to a phone call or email, regardless of how legitimate it might seem. 

  • Don’t provide your password to a website you have accessed by following a link in an email—it may be a phishing trap. 

  • Be cautious about using password-protected services on a public computer or over a public Wi-Fi hotspot. 

  • If you think your password may have been compromised, change it immediately and check for any unauthorised activity. If the same compromised password has been used on another site, create a new password there as well. 

Treat PINs in the same way you would a password 

  • Don’t use obvious patterns like 1234, 4321 or 7777. 

  • Don’t use postcodes, birthdays or other significant dates and numbers. 

  • Where a PIN can only be digits, choose them at random and make it as long as the system allows; where letters and symbols are allowed, treat it like a password.

Use two-factor authentication

Two-factor authentication simply means there are two checks in place to prove your identity.

Two-factor authentication (often shortened to 2FA) provides a way of ‘double-checking’ that you’re really the person you’re claiming to be when you log into your online accounts, such as banking, email or social media.

When you log into an online account with a username and password, you’re using what’s called single-factor authentication. You only need one thing to verify that you are who you say you are.

With 2FA, you need to provide two things – your password and something else such as a code sent to your mobile device or your fingerprint – before you can access your account.

This second level of authentication is not new; however, it is gaining momentum as accounts are left vulnerable with weak or poorly secured passwords. A range of websites including Twitter, PayPal and WordPress have an optional second factor in their log-in processes, and online banking sites have used 2FA for a long time.

Two-factor authentication is one form of multi-factor authentication (MFA), the general term for requiring two or more proofs of identity.

How do I set up 2FA?

Some online services will automatically prompt you for a second factor when you log in. However many don’t, so you will need to activate it yourself. You’ll find the option to switch on 2FA in the security or privacy settings of your online accounts (it may also be called ‘two-step verification’).

The Turn It On website details which websites and apps offer the option to use 2FA and gives instructions on how to set it up.

There are several types of 2FA available, based on something you know, something you have or something you are. The second factor is only worth having if it is of a different kind from your password; a security question is just another ‘something you know’, so on its own it adds little. Examples include:

  • SMS codes sent to your phone (better than nothing, but the weakest option, because SMS messages can be intercepted or redirected)

  • security questions set up by you, which only you would know the answers to when prompted (treat these as a backup, not as a true second factor)

  • a physical device, like a security token that generates temporary access codes, or a security key that confirms the login when touched

  • software, such as an authenticator app, that sends a notification to your smartphone (or tablet) or provides a temporary access code. Once you’ve installed one, you can use the same app when setting up 2FA on any accounts which offer this option.

  • fingerprint scans

  • voice recognition.

Some accounts, for example MYOB, also give you a list of backup codes when you switch on 2FA. When asked for a code you can use one of these, but each code will only work once, so you’ll need to create more when you’ve used them all. Backup codes are really useful if you need to log in without a phone to hand. You will need to store the codes somewhere safe.
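
What an authenticator app computes, and what the service does with the code and with backup codes, as an added example that is not from the original page or from any vendor: the time-based one-time password algorithm (RFC 6238, the one used by Google Authenticator, Microsoft Authenticator and similar apps), a server-side check that tolerates a slightly wrong phone clock, and backup codes that the service stores only as hashes and accepts once each. The 20-byte seed in the demo is the RFC’s published test secret, not a real account key.

```python
"""Time-based one-time passwords (RFC 6238) and single-use backup codes.

Added example, not from the original page.  It reproduces what an
authenticator app and the service it talks to compute.  RFC_TEST_SECRET is
the RFC 6238 appendix B test seed, not a real account key.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter taken from the current 30-second window.
    This is the number the app shows; phone and server compute it independently."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, window: int = 1) -> bool:
    """Server-side check.  Neighbouring windows are accepted so a phone whose
    clock is a little off still works; comparison is constant-time."""
    at = time.time() if at is None else at
    counter = int(at) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, len(code)), code)
               for d in range(-window, window + 1))


def new_secret() -> str:
    """Fresh 160-bit secret, base32 encoded as authenticator apps expect
    (this is what the QR code shown at enrolment contains)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def secret_from_base32(encoded: str) -> bytes:
    return base64.b32decode(encoded.upper())


def new_backup_codes(count: int = 10) -> list:
    """Single-use fallback codes (40 bits each).  The user keeps these
    somewhere safe; the service keeps only their hashes."""
    return [secrets.token_hex(5) for _ in range(count)]


def hash_codes(codes: list) -> set:
    # SHA-256 keeps the example dependency-free; a slow hash such as scrypt
    # would be the better choice in a real service.
    return {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_backup_code(stored_hashes: set, code: str) -> bool:
    """Accept a code once, then discard its hash so it cannot be replayed."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False


RFC_TEST_SECRET = b"12345678901234567890"  # RFC 6238 appendix B seed

if __name__ == "__main__":
    print("code at t=59 for the RFC seed:", totp(RFC_TEST_SECRET, 59))  # 287082
    print("current code for a fresh secret:", totp(secret_from_base32(new_secret())))
```

Because the code is derived from a shared secret and the time, and not sent anywhere by the app, an attacker who has only your password cannot produce it; the backup codes cover the case described above where the phone is not to hand.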

Do I have to use 2FA every time I access a service?

Generally, once you have set up 2FA, you should only be prompted for unusual activity such as setting up a new payee for your bank account, logging into an account from a new device, or changing your password.

Why is it important?

While it does require one extra step in the log-in process, it provides a much stronger defence for your account. If your password is hacked (obtained by someone else without your permission) and you have 2FA activated on your account, the hacker cannot gain access with the password alone: they need both factors.

Having 2FA is not going to remove all risk, however, you are much harder to hack than accounts with only single-factor authentication. This means you are a much less attractive target and you are reducing your risk dramatically.

If you’re travelling or will not have access to your second level for a period of time, consider changing your second criteria to something you will have access to, or obtain some single-use back-up codes. Do not turn 2FA off!

We recommend:

  • wherever possible, activate two-factor authentication (2FA)

  • use strong passwords/passphrases and keep them safe

  • do not use the same passwords across multiple sites

  • use a password manager to keep stock of all your passwords and log-in details.

Engaging online is part of everyday life. From the moment we wake we are connecting, sharing and accessing services that make our lives easier. By securing your personal devices you can maintain a positive online experience and get on with the fun stuff. 

The handy tips in this section can help you protect your devices including your phone, tablet, computer and most importantly your information!

A security measure that requires two or more proofs of identity to grant you access

Multi-factor authentication (MFA) typically requires a combination of something the user knows (password, PIN), physically possesses (card, token, phone) or inherently possesses (fingerprint, retina).

Significantly more powerful security

The multiple layers make it much harder for criminals to attack your business. Criminals might manage to steal one proof of identity e.g. PIN, but they still need to obtain and use the other proofs of identity. Two-factor authentication (2FA) is the most common type of MFA.

Accessing important internal and external accounts

Small businesses should implement MFA wherever possible. Some MFA options include, but are not limited to:

  • Physical token or security key
  • Random PIN (one-time code)
  • Biometrics/fingerprint
  • Authenticator app
  • Email
  • SMS

Banking online

When banking on the internet follow these steps: 

  • Always access your bank’s website by typing the address directly into your browser. 

  • Keep your computer up-to-date with anti-virus and firewall software and set them to update automatically. 

  • Set strong passwords, never reuse them elsewhere, and change them if you suspect they have been compromised. 

  • Do not store your password or PIN on your computer. 

  • Look for ‘https://’ at the beginning of the address bar and a locked padlock in the browser to indicate the connection is encrypted. The padlock does not prove you are on your bank’s real site, so check the domain name as well (which is why typing the address yourself matters). 

  • Always log out of the internet banking menu when you finish your banking and close the browser. 

  • Beware of any windows that ‘pop up’ during an internet banking session and be suspicious if they direct you to another website which requests your customer identification or password.
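
Added example (not from the original page): a check that applies the advice above, and the padlock caveat made earlier for online purchases, to a URL before anything is typed into it. The padlock tells you the connection is encrypted; this code asks the question the padlock cannot answer, whether the address really belongs to your bank or shop. The domain names (‘mybank.example’ and the rest) are invented, and taking the last two labels as the owner’s domain is a simplification that mis-handles suffixes such as ‘.co.uk’.

```python
"""Check a payment or banking URL the way a careful user would before typing
credentials: https, no hidden-host tricks, and a domain that really belongs
to the site you meant.

Added example, not from the original page.  All hostnames are invented.
The two-label rule in registrable_domain() is a simplification that
mis-handles public suffixes such as .co.uk.
"""
from urllib.parse import urlsplit

# Domains you have confirmed for your own bank and shops (hypothetical).
KNOWN_SITES = {"mybank.example": "My Bank", "shop.example": "Example Shop"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host: 'www.mybank.example' -> 'mybank.example'.
    Everything to the left is chosen freely by whoever owns that domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, known=KNOWN_SITES) -> list:
    """Return reasons not to trust the page; an empty list means it checks out."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("not https: anything you type can be read in transit")
    if parts.username is not None:
        # https://mybank.example@evil.example/ goes to evil.example
        findings.append("user@host form: the real host is the part after the '@'")
    host = parts.hostname or ""
    if not host:
        findings.append("no hostname")
        return findings
    if not host.isascii():
        findings.append("non-ASCII hostname: possible look-alike characters")
    if parts.port not in (None, 443):
        findings.append(f"unusual port {parts.port}")
    domain = registrable_domain(host)
    if domain not in known:
        findings.append(f"'{host}' belongs to '{domain}', which is not a known site")
    return findings


# Constructed test cases: one genuine address and three common disguises.
SAMPLE_URLS = [
    "https://www.mybank.example/login",
    "http://www.mybank.example/login",
    "https://www.mybank.example.login-verify.example/",
    "https://mybank.example@evil.example/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", check_url(url) or "ok")
```

Note that the third and fourth addresses would both show a padlock, since any site can obtain a certificate for its own domain; only the domain check catches them, which is the reason the page tells you to type your bank’s address yourself rather than follow a link.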

Using mobile devices for online banking

Mobile banking on your mobile device is convenient. Following these simple safety steps can help keep your money safe.

There are risks when using your mobile device for online banking. Refer to Mobile Devices for more information.

Using public computers

Stay safe and avoid using public computers to perform any personal or financial transactions.

Computers at internet cafés, libraries, airports and hotels are convenient, but because so many people use them, they are more likely to be infected with malicious software than other computers. 

Assume they are already compromised with malware that can track anything you do online, including capturing passwords or content you view online. 

Steps to protect yourself when using public computers 

  • If you are on public Wi-Fi, don’t log in to accounts or make online purchases, as your details may be intercepted. 

  • Don’t allow the browser to save your username and password. Turn off the option when logging into your email account and other websites. Always log out when leaving a website. 

  • Make sure no one is watching you. 

  • Log out if you leave the computer, even if it is for a moment. 

  • Delete your browsing history, cookies and saved form data before you log out of the computer, using the ‘clear browsing data’ (or similar) option in the browser’s settings. Better still, use a private or incognito window, which discards them when it is closed. 

  • Make sure the browser has any auto complete function turned off, delete cookies and clear the history. 

  • Do not type in sensitive information. Keystroke loggers can capture your password, credit card number and bank details as you enter them. Avoid financial transactions on public computers that may reveal sensitive information. 

  • Avoid using your USB memory stick. It could pick up malicious software from the public computer and spread it to other computers, including your computer at home. If you need to use your memory stick, scan it with your anti-virus program before you use it again.

Sending and receiving files via email

Simple actions can help protect you when sending and receiving emails.

When sending and receiving files via email, remember the following:

  • Never open an attachment from a source you do not know or are unsure about. 

  • Even if you are comfortable about the source of the file, scan it before opening using your anti-virus software. 

  • Set your anti-virus software to scan every incoming and outgoing email and attachment automatically.
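
An added example, not from the original page, of the kind of triage an email gateway or a cautious user can do on an attachment before opening it, alongside (not instead of) the anti-virus scan: it checks the file extension for types that run code or carry macros, catches double extensions such as ‘invoice.pdf.exe’, and compares the name with the file’s first bytes, which reveal what the file really is. The filenames and byte strings are constructed.

```python
"""Triage an email attachment by its name and its first bytes before opening it.

Added example, not from the original page; it complements an anti-virus
scan rather than replacing one.  Filenames and byte strings are constructed.
"""

# Extensions that run code when opened.
EXECUTABLE = {"exe", "scr", "com", "bat", "cmd", "js", "jse", "vbs", "wsf",
              "ps1", "msi", "hta", "lnk", "jar"}
# Office formats that can carry macros.
MACRO_DOCS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Archives: the contents are opaque until extracted, so repeat the check inside.
ARCHIVES = {"zip", "7z", "rar", "iso", "img"}
# Extensions that attackers put before the real one to make a file look harmless.
DOCUMENT_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}

# File signatures ("magic bytes") -> the kind of file they really are.
SIGNATURES = [
    (b"MZ", "exe"),                 # Windows executable / DLL / screensaver
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),         # zip archive, also modern Office files
    (b"\xd0\xcf\x11\xe0", "ole"),   # legacy Office document, also .msi
    (b"\x7fELF", "elf"),            # Linux executable
]
# What the leading bytes should look like for a given extension.
EXPECTED_KIND = {
    "pdf": "pdf", "zip": "zip",
    "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "docm": "zip", "xlsm": "zip", "pptm": "zip",
    "doc": "ole", "xls": "ole", "ppt": "ole", "msi": "ole",
    "exe": "exe", "scr": "exe",
}


def sniff(data: bytes) -> str:
    """Identify the real file type from its leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing
    obviously wrong (which is not the same as safe)."""
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    findings = []
    if last in EXECUTABLE:
        findings.append(f".{last} runs code when opened")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_LIKE:
        findings.append(f"double extension .{exts[-2]}.{last} disguises the real type")
    if last in MACRO_DOCS:
        findings.append(f".{last} is macro-enabled: macros are code")
    if last in ARCHIVES:
        findings.append(f".{last} is an archive: check every extracted file the same way")
    real = sniff(data)
    expected = EXPECTED_KIND.get(last)
    if expected and real != "unknown" and real != expected:
        findings.append(f"named .{last} but the contents are a {real} file")
    elif real == "exe" and last not in EXECUTABLE:
        findings.append(f"contents are a Windows executable despite the .{last} name")
    return findings


# Constructed samples: only the first bytes matter to sniff().
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),
    ("budget.xlsm", b"PK\x03\x04\x14\x00"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, "->", assess_attachment(name, data) or "nothing obvious")
```

The third sample is the important one: the name says PDF, Windows would show a PDF icon, and only the first two bytes give away that it is a program.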

Sending and receiving files via portable storage

When using portable storage devices, simple actions can help you keep your data safe.

Portable storage includes CDs, DVDs, memory sticks or external hard-drives. When using these devices:

  • Never connect or insert a storage device into your computer or open files if you are unsure of its origin or owner, or if your anti-virus software is not up-to-date. 

  • Scan your device before opening any files using your anti-virus software. 

  • If you are sending files to someone else, save the file to the portable device, then scan the device using your anti-virus software before giving it to them.

Peer to peer file-sharing networks

Using peer to peer file sharing networks has some inherent risks. Simple precautions can help keep your devices and data safe.

Peer to peer file-sharing is a system that allows a person to make specific files on their computer available to anyone, anywhere on the internet, who has the same file-sharing software. This software allows its network of users to see and download files from the computers of all the network members who are online at the same time. 

Peer to peer file-sharing has received a lot of publicity because it is widely used for sharing files such as music or computer software.  

Be careful – sharing some files may contravene copyright laws. 

Only join music and movie file-sharing services where you can stream, download or purchase digital files with the copyright owner’s permission. It’s important to keep your file-sharing legal. Downloading copyrighted music, movies and software using peer to peer file-sharing programs without the copyright owner’s permission could have serious legal implications. 

Stop and think before downloading files through these networks. Don’t download files from sources that appear suspect or that you aren’t sure you trust. 

Make sure the peer to peer file-sharing network can only access the files on your computer that you want accessed. 

Users of peer to peer file-sharing software should also be aware they may not be anonymous while participating in these networks. 

Parents should be aware that peer to peer file-sharing networks may contain inappropriate images, audio and video clips, and should monitor their children’s access to, and use of such networks. 

Consider using a dedicated computer for file-sharing.

Due to the heightened security risks associated with participating in peer to peer file-sharing networks, you may want to consider dedicating a computer solely to file-sharing activities. In this case, you should: 

  • Only use this computer for file-sharing, and only have files on it that you are prepared for others to see. 

  • Ensure that all the security software and measures mentioned in this website are installed, activated and kept up-to-date, for example, anti-virus and firewalls. 

  • Always disconnect this computer from the internet once you have finished file-sharing. 

  • Never have this computer connected to other computers in your home or office when sharing files on the peer to peer file-sharing network. 

  • Always scan files downloaded and stored on the dedicated computer before transferring them to other computers in your home or office.

Access Control

What?
A process to regulate who can access what within your business’ computing environment

Access control allows business owners to:

  • decide who they would like to give access privileges to
  • determine which roles require what access
  • enforce staff access control limits.

 

Why?
To minimise risk of unauthorised access to important information

Many small businesses employ internal staff or outsource work to external suppliers e.g. website hosting companies.

Access control systems help you protect your business by allowing you to limit staff and supplier access to your computer:

  • networks
  • files
  • applications
  • sensitive data.

Who?
Principle of least privilege

Depending on the nature of your business, the principle of least privilege is the safest approach for most small businesses. It gives users the bare minimum permissions they need to perform their work. This also reduces the risk of an ‘insider’ accidentally or maliciously endangering your business.

 

Protecting against malware

  • Restrict administrator privileges.
  • Do not share passphrases.
  • Remember to revoke accounts.
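
As an added example (not from the original page), the small access-control model below puts the three points above into code: each role gets only the permissions its job needs, anything not granted is denied, and a revoked account loses everything immediately while remaining in the records. The roles, permissions and account names are invented.

```python
"""A minimal least-privilege access check: roles grant a few named permissions,
everything else is denied, and leavers lose access the moment they are revoked.

Added example, not from the original page.  The roles, permissions, staff and
supplier accounts are invented to illustrate the points above.
"""

# Each role gets only the permissions the job needs.  The external web host
# can deploy the website and nothing else.
ROLE_PERMISSIONS = {
    "owner":        {"files:read", "files:write", "accounts:pay", "admin:users"},
    "bookkeeper":   {"files:read", "accounts:pay"},
    "staff":        {"files:read", "files:write"},
    "web-supplier": {"website:deploy"},
}


class AccessControl:
    def __init__(self):
        self.accounts = {}      # username -> set of role names
        self.revoked = set()

    def add_account(self, user: str, *roles: str) -> None:
        """Grant roles; an unknown role is an error, not a silent no-op."""
        unknown = set(roles) - ROLE_PERMISSIONS.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.accounts[user] = set(roles)

    def revoke(self, user: str) -> None:
        """Disable rather than delete, so the username stays in the records."""
        self.revoked.add(user)

    def permissions(self, user: str) -> set:
        """Deny by default: unknown or revoked accounts get nothing."""
        if user in self.revoked or user not in self.accounts:
            return set()
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.accounts[user]))

    def can(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)

    def admins(self) -> list:
        """Who holds the administrator permission; keep this list as short as possible."""
        return sorted(u for u in self.accounts if self.can(u, "admin:users"))


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_account("alice", "owner")
    ac.add_account("bob", "bookkeeper")
    ac.add_account("hostco", "web-supplier")
    print("admins:", ac.admins())                       # ['alice']
    print("bob can pay:", ac.can("bob", "accounts:pay"))  # True
    ac.revoke("bob")                                    # bob leaves the business
    print("bob can pay:", ac.can("bob", "accounts:pay"))  # False
```

The ‘admins()’ report is the check to run regularly: every account it lists can change everyone else’s access, so each one should be a person who needs that today.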
Employee training

What?
Education to protect your staff and business against cyber threats

Your cyber security incident response plan teaches staff how to:

  • recognise
  • avoid
  • report
  • remove
  • recover.

 

Why?
Employees can be the first and last line of defence against cyber threats

Employees make mistakes. As business owners, you have a legal responsibility to keep your business and customer information safe. That’s why having a cyber security training program is vital.

 

When?
Regular cyber security awareness and training

Cyber security is continuously evolving. Keeping everybody up to date could be the difference between whether or not a criminal accesses your money or data.

 

Quick wins

  • Incorporate security training into staff induction, update it as threats change, and repeat it regularly.
  • Create a cyber security incident response plan.
  • Reward employees who find threats.
  • Create a cyber security culture.