Protecting business data

As data breaches and online threats become more common, it’s important to take active measures to safeguard critical systems and sensitive information. These practical cyber security and data safety tips will help you keep your data safe and secure.

Know the risks

Proper storage and regular backups will help protect your important information from system failures or improper use. But an increasingly complex online world means you need to also protect your data from unauthorised access, whether it’s an accidental breach by someone in your business or by a hacker.

Ignoring cyber security threats and data breaches puts your reputation — and bottom line — at risk.

Recovering from a cyber attack or data breach could be an expensive undertaking. Take precautions so you don’t fall victim.

Cyber security: What is it?

Cyber security is the set of measures you take to protect information, devices and systems from unauthorised access, attack or other risks.

Common threats to a business’s data and systems include:

  • Data breaches: When private information is released into an unsecured environment. This could be done on purpose or by accident.
  • Malware: Malicious software designed to damage or harm a computer system. Ransomware is a type of malware that denies a user access to their files or computer systems unless they pay a ransom.
  • Denial-of-service: Attacks that aim to restrict or impair access to a computer system or network. Typically, the aim is to prevent legitimate users from accessing websites or payment services.
  • Insider threats: Someone who has inside knowledge threatens your business.

CERT NZ has more details on common cyber security threats.

Types of cyber security threats (external link) — CERT NZ

Cyber security and your business (external link) — CERT NZ

Assess your weak points

To best protect your systems and data, you need to identify and address your vulnerabilities and your important assets.

To work out whether you are doing enough to protect your business from cyber security incidents, take Connect Smart’s short online questionnaire. Based on your results, you will receive an action plan that sets out steps to better secure your business.

How cyber secure is your business? (external link) — Connect Smart

If you have lots of holes and don’t know how to manage them, consider paying a security specialist to help you set up a security process.

Wherever you store personal information, your customers trust you to protect it.

Plan to protect important data

Protecting important data is all part of continuity planning — being prepared to recover from any problems. Follow these steps:

  1. Identify everything that holds vital data. This is the information, records and systems that you can’t do without, or would be most damaging if lost.
  2. Make protecting vital data a priority. Put extra security measures in place to protect sensitive data from different kinds of threats. This might be customer details, confidential agreements, financial records and any trade secrets or other intellectual property.
  3. Plan ahead for different scenarios. Map out a step-by-step approach of what to do if important data is lost, breached or hacked. You will be able to respond quickly — and have a better chance of minimising any negative impacts. Don’t just think about it. Write it down.
  4. Make sure staff know what to do. This includes training or check-ins, and making sure passwords are protected and updated.
  5. Put your plan into practice. Test different scenarios regularly. Make any changes to your plan if it doesn’t work as expected.

Connect Smart’s toolkit is designed specifically to help small and medium businesses plan to stay safe online.

Connect Smart for Business: SME Toolkit [PDF, 1.7MB] (external link) — Connect Smart

The Privacy Commissioner also has a step-by-step toolkit on how to plan and respond to data breaches.

Data Safety Toolkit (external link) — Privacy Commissioner

Cyber security steps

There are a number of easy things you can do to protect your information. The key is to commit to safety measures. If you have staff, make sure they are trained and kept up to date on any new risks or protective steps.

Passwords and passphrases

  • Always use strong passwords or passphrases to protect your devices and data.
  • Use passphrases, rather than passwords. Passphrases are unique, at least 15 characters long and a combination of different character types, eg IAte23OfDiana'sSandwiches!.
  • Change any default passwords and usernames that come with a new device as soon as you get it.
  • Don’t use the same password or passphrase for more than one of your systems or staff. Hackers could get into all your most sensitive information in one hit.

Do not store passwords or passphrases on your online systems or devices — this makes them too easy to find. Instead use a password manager. There are many free or low-cost options available. Make sure you choose a reputable one.

Don’t leave factory or administrator passwords in place on your WiFi, modem or any devices.

Change these to strong passwords or passphrases — and make it part of your off-boarding process to change them each time someone leaves the business.
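The passphrase rules in this section, written as a check that can be run when credentials are set. This is an added example, not part of the original page. The three-character-type threshold, the short list of default passwords and the sample inventory are assumptions constructed for illustration.

```python
from collections import defaultdict

MIN_LENGTH = 15      # minimum passphrase length given on this page
MIN_CHAR_TYPES = 3   # assumption: the page says "a combination", not a number
# Constructed sample of factory defaults; replace with your own devices' values.
KNOWN_DEFAULTS = {"admin", "password", "1234", "changeme"}

def char_types(secret):
    """Count how many of lower, upper, digit and symbol appear in secret."""
    return sum([
        any(c.islower() for c in secret),
        any(c.isupper() for c in secret),
        any(c.isdigit() for c in secret),
        any(not c.isalnum() for c in secret),
    ])

def check_passphrase(secret):
    """Return the rules from the page that this secret breaks."""
    problems = []
    if secret.lower() in KNOWN_DEFAULTS:
        problems.append("default")
    if len(secret) < MIN_LENGTH:
        problems.append("too short")
    if char_types(secret) < MIN_CHAR_TYPES:
        problems.append("too few character types")
    return problems

def audit(credentials):
    """Map each system to its problems, including reuse across systems."""
    used_by = defaultdict(list)
    for system, secret in credentials.items():
        used_by[secret].append(system)
    report = {}
    for system, secret in credentials.items():
        problems = check_passphrase(secret)
        if len(used_by[secret]) > 1:
            problems.append("reused")
        if problems:
            report[system] = problems
    return report

# Constructed inventory for illustration; never keep real secrets in a script.
SAMPLE = {"wifi-router": "admin", "payroll": "Sunny-Harbour-2024",
          "email": "Sunny-Harbour-2024", "accounts": "IAte23OfDiana'sSandwiches!"}

if __name__ == "__main__":
    for system, problems in audit(SAMPLE).items():
        print(f"{system}: {', '.join(problems)}")
```

Systems that pass every rule are left out of the report, so an empty result means nothing needs changing.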


Encryption

Add a further security layer by encrypting data with a key. Check if a cloud service will do this for you, as doing it yourself can be time-consuming and costly.

Antivirus protection software

Installing paid antivirus software on computers is an easy way to protect your data. Keep your software up to date to fight off the latest malware. Install patches and updates from your internet service provider.

Consider getting protection from malware, a term covering software threats, including:

  • Viruses: Code that can copy itself and infect computers and other devices.
  • Trojan horses: Programs designed to breach and take over parts of a system.
  • Ransomware: Software that blocks access to a computer until a ransom is paid.
  • Spyware: Software used to secretly get information sent from a computer about how it’s being used. 
  • Adware: Software that automatically downloads or displays often unwanted adverts.

Digital Resources has more tips on antivirus software and security.

Anti-virus software (external link) — Digital Resources

Always encrypt sensitive data — no matter how you decide to store it.

Encryption makes data indecipherable to those who don’t have authority to access it.


Firewalls

A firewall is software or hardware that protects your computer or device against online threats. It helps you monitor who or what is allowed to access your system. It will also notify you if your computer or device is trying to access something suspicious online. Think of it as a door between your computer and the internet. It helps you let the right things in and keep suspicious activity out.

Automatic updates

Software providers release regular updates to patch — or guard against — the latest hacks and bugs. They’re easy to ignore or put off, but it’s time well spent to keep your systems safe.

Two-factor authentication

Two-factor authentication (2FA) makes it much more difficult for hackers to break into your systems. 2FA ensures a user can only gain access if they have an extra credential on top of a valid username and password. This extra credential may be a PIN, access to a physical security key or token, or a unique identifier, eg a fingerprint. You should enable it for your most important systems, accounts and devices.

Best practice from cyber security experts

Hear the top tips on keeping small businesses safe online from experts from the private sector and government agencies.

Cyber insurance

If your business relies on sensitive information, it’s a good idea to think about cyber insurance, which can cover data breaches, website hacking and IT scams. Closely question whether a policy covers your areas of risk. Your broker should help you understand what a policy does/doesn’t cover. If you’re sorting out your own insurance, read the fine print to make sure it covers a cyber attack.

CERT NZ has more practical steps you can take to keep data safe and secure online.

Getting started with cyber security (external link) — CERT NZ

Use a web developer who builds using the OWASP Top 10 guidelines.

This is a list of the 10 most critical web application security risks.

Manage online behaviour

Security breaches can often be caused by an employee doing something they shouldn’t, usually inadvertently. If employees use computers and mobile devices at work, or work devices outside of work:

  • Create an IT and social media policy so they know the rules.
  • Make sure everyone who uses your devices is trained to keep data and systems safe.
  • Give staff the right level of access to your systems and apps, and only to staff who need to use them. 

The Privacy Commissioner has short online courses, including Privacy ABC, to train people on privacy best practices.

eLearning (external link) — The Privacy Commissioner

Staff awareness is key to preventing cyber security incidents and data breaches.

Make sure everyone in your business knows how to keep important data and systems secure. 

Best practice to keep staff safe

Hear top tips that will help small businesses keep their staff safe online, from experts from the private sector and government agencies.
