The Ohnyx Guide to Cyber Security

Recently we've assisted a number of local businesses that have been affected by viruses and malware from the internet – it's time to get informed! This is our list of recommendations for keeping your ‘online identity’ safe and avoiding a cyber attack:

1. Have a strong password or passphrase. ‘Strong’ is currently accepted to be a 12+ character password that includes upper and lowercase letters, numbers, and special characters. Length matters more than mixing character types: a passphrase of several unrelated words is both longer and easier to remember than a short jumble of symbols, and current NIST guidance (SP 800-63B) favours length over forced complexity rules. Whatever form you choose, it must not be a dictionary word, a name or a date with a few symbols bolted on.

2. Use ‘two-step’ or ‘multi-factor’ authentication if it is offered. In addition to a password, a second factor stops an intruder getting into your account even if they have your password. When you log in to a website, a code is sent to your phone (by SMS or generated in an authenticator app) that must be entered to complete the login. An authenticator app or a hardware security key is stronger than SMS, because SMS codes can be intercepted or redirected through a SIM swap. Email providers and financial companies commonly offer this service. You can usually set it to remember your device for 30 days so you don’t need the second step every time you log in; this is a convenience trade-off, since anyone who gets hold of that device within the window skips the second step, so only enable it on devices you control and that lock (see point 7).

3. Use a unique password for every site you use. If one site is hacked, attackers take the leaked password and try it, along with obvious variations of it, against other sites, so the others become vulnerable too. ‘Slightly different’ is not enough: cracking and credential-stuffing tools routinely try changing a digit, bumping a year, adding a symbol or swapping letter case, so each password needs to be genuinely unrelated to the others. This takes a bit of time to manage but it is the safest option. Keep your passwords somewhere secure (see below).

4. You should store all those passwords in a ‘safe’ place – but what is safe? Industry recommended practice is to store your list of passwords in an encrypted container that is protected by a very strong password or passphrase. U.S. government (NIST) guidance treats 128-bit encryption as sufficient until at least 2030. Based on this, we are comfortable with password lists being stored in encrypted files, as offered in Excel 2013 and above. Two caveats apply. First, the ‘128 bit’ figure describes the key; an attacker does not search for the key, they guess the passphrase that unlocks it, so the file is exactly as strong as that passphrase (refer point 1). Second, the contents are decrypted while the file is open, so close it when you are not using it and do not leave unencrypted copies or exports lying around. Don’t name the file ‘passwords’ or anything similar – that’s asking for trouble! To be secure, the workbook must be encrypted with a password to open (Excel’s ‘Encrypt with Password’ option); sheet or workbook ‘protection’ only restricts editing and does not encrypt anything.

Another option is to use a ‘password manager’. People commonly use tools such as LastPass (a cloud service that syncs your encrypted vault between devices) and KeePass (an offline application that keeps the encrypted database on your own device), but we recommend you do your own research on the security and characteristics of each. Like any online service, a cloud-based manager carries a small risk of being hacked, so we are unable to vouch for their security. Whichever you choose, its master password must be strong and used nowhere else (refer point 1), because it unlocks everything.

5. Don’t share passwords with colleagues and don’t use generic company passwords such as ‘guest’ or ‘user’…or ‘password’.

6. Limit ‘admin privileges’ to those who really need them, and have even those people use a standard (non-admin) account for everyday work such as email and browsing, so that malware run by accident does not inherit administrator rights.

7. Put a PIN on your phones and other mobile devices and set all to lock after a period of inactivity.

8. Find out whether your email address or passwords have appeared in previous hacks of web-based company databases by checking a reputable breach-notification service. If your details turn up, change the affected password/s immediately, along with any other account where you used the same password.

9. Put proactive cyber-security steps in place. Often, malicious content can be detected and stopped before it even reaches your or your staff's inboxes by having the right email filtering and anti-malware set-up. Use anti-malware software on all computers and mobile devices, and keep it updated.

10. Back up data to a secondary location so that it can be restored in the case of a ‘ransomware’ attack. The backup must not stay permanently connected to your network or logged-in PC, because ransomware encrypts every drive it can reach, including mapped backup drives; disconnect it between backups or use a service that keeps previous versions. Test restoring from the backup periodically, since an untested backup is only a hope.

11. Allow the updates of your Microsoft packages (and your other software) to run – often these are ‘fixes’ for newly identified ‘gaps’ that attackers use to evade the security measures built into your computer's software. Malware evolves quickly, and updates and ‘patches’ should be installed regularly / when prompted. Don’t download apps from sources you are unsure of – prefer the official app store and read the reviews first to check they are legitimate.

12. If you get an email from a sender you don't know, do not click on any links in the email or open the attachments (especially .zip attachments) – even if it’s personally addressed to you! These may actually be malware installers, and once one is opened the game's up. Be cautious even when the sender appears to be someone you know: sender addresses are easy to forge, and a contact’s own account may have been compromised. Put the message aside and contact Ohnyx, who will assess its legitimacy for you.

13. Do not provide any details in response to requests for passwords and PINs, bank account numbers, or credit card numbers via email. Look-alike emails, and emails that appear legitimate because they are addressed to you, are a common method for duping unsuspecting people into giving away their passwords (and money!). This is ‘phishing’ (an opportunistic attempt to get you to divulge personal details, bank details, passwords etc.), and phishing and other scams are often delivered as emails with attachments and links. A legitimate bank or provider will never ask for your password or full card details by email; if in doubt, contact them using a phone number or website you already know, not one given in the message.

14. Don’t open Multimedia Messages (MMS) received on your phone without checking that you recognise the sender – they have been used to spread malware.

15. Never plug in USBs / data sticks that you find – finding a USB in the carpark and taking into the office to 'see if you can figure out who it belongs to' is a huge no-no and often the means for the introduction of malware into computer networks. Don't take USBs from home to the office either.
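To show why point 3 rules out ‘slightly different’ passwords, here is an added example (not part of the original post) of the kind of mutation rules that password-cracking and credential-stuffing tools apply to a leaked password before trying it against other sites. The rule set is a small, constructed subset of what real tools do, and the sample passwords are constructed; the point is how few guesses separate a leaked password from its ‘unique’ variant.

```python
"""Added example for point 3 (not part of the original post): why a password
that is only 'slightly different' from another is effectively the same password.
The mutation rules below are a small, constructed subset of the rules that
password-cracking and credential-stuffing tools apply to a leaked password
before trying it against other sites; the sample passwords are constructed."""
import re
import string
from typing import List, Optional


def mutations(leaked: str) -> List[str]:
    """Return likely variants of a leaked password, cheapest guesses first."""
    out: List[str] = []

    def add(cand: str) -> None:
        if cand not in out:
            out.append(cand)

    add(leaked)                                   # the leaked password itself
    for variant in (leaked.lower(), leaked.upper(),
                    leaked.capitalize(), leaked.swapcase()):
        add(variant)                              # case changes
    match = re.search(r"\d+", leaked)             # bump an embedded year/number
    if match:
        n, width = int(match.group()), len(match.group())
        for delta in range(-5, 6):
            if delta:
                bumped = str(max(n + delta, 0)).zfill(width)
                add(leaked[:match.start()] + bumped + leaked[match.end():])
    base = leaked.rstrip(string.punctuation)      # swap or add a trailing symbol
    for sym in "!@#$%&*?.":
        add(base + sym)
        add(leaked + sym)
    for i in range(100):                          # append one or two digits
        add(base + str(i))
        add(leaked + str(i))
    for plain, leet in (("a", "@"), ("o", "0"), ("e", "3"), ("i", "1"), ("s", "$")):
        add(leaked.replace(plain, leet))          # l33t substitutions both ways
        add(leaked.replace(leet, plain))
    return out


def guesses_until_found(leaked: str, target: str) -> Optional[int]:
    """1-based position at which `target` is tried given `leaked`, or None."""
    cands = mutations(leaked)
    return cands.index(target) + 1 if target in cands else None


if __name__ == "__main__":
    leaked = "Summer2019!"                         # constructed 'leaked' password
    for candidate in ("Summer2020!", "Summer2019!!", "summer2019!", "Xk7#pq2Lm9vB"):
        print(f"{candidate!r}: guess #{guesses_until_found(leaked, candidate)}")
```

Run as is, the next year’s password, the one with an extra exclamation mark and the lowercase one are all found within the first couple of hundred guesses, while an unrelated random password is not in the list at all. Real tools ship thousands of such rules and run them against billions of leaked passwords, so the only variation that counts as ‘unique’ is one these rules cannot produce.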
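Points 1 and 4 together come down to one mechanism: an encrypted password file turns your passphrase into the encryption key, so the attacker guesses passphrases rather than keys. The following added example (not from the original post) shows that mechanism in outline. The scheme it uses, PBKDF2-HMAC-SHA512 with 100,000 iterations, a random 16-byte salt and a 16-byte (128-bit) key, is an assumed illustration of the general approach, not the exact parameters of Excel or any other product, and the passphrases and guess rate are constructed.

```python
"""Added example for points 1 and 4 (not part of the original post): how an
encrypted password file turns a passphrase into its encryption key, and why the
passphrase, not the '128-bit' key, is what an attacker actually attacks.
The scheme (PBKDF2-HMAC-SHA512, 100 000 iterations, 16-byte salt, 16-byte key)
is an assumed illustration of the general approach, not the exact parameters of
any particular product; the passphrases and guess rates are constructed."""
import hashlib
import hmac
import math
import secrets
from typing import Tuple

ITERATIONS = 100_000   # assumed work factor; slows down every passphrase guess
KEY_BYTES = 16         # 128-bit key, as used by AES-128


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a fixed-length key; same inputs -> same key."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                               salt, ITERATIONS, dklen=KEY_BYTES)


def protect(passphrase: str) -> Tuple[bytes, bytes]:
    """'Encrypt with password': pick a random salt, derive and return (salt, key).
    A real container would use the key to encrypt the file body; here we keep
    only what is needed to show how unlocking works."""
    salt = secrets.token_bytes(16)
    return salt, derive_key(passphrase, salt)


def unlock(passphrase: str, salt: bytes, key: bytes) -> bool:
    """True only if the passphrase reproduces the stored key (constant-time compare)."""
    return hmac.compare_digest(derive_key(passphrase, salt), key)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing work for a uniformly random secret of this shape."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time (half the space on average), in years."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    salt, key = protect("correct horse battery staple")   # constructed passphrase
    print("right passphrase unlocks:", unlock("correct horse battery staple", salt, key))
    print("wrong passphrase unlocks:", unlock("correct horse battery stapel", salt, key))
    rate = 1e5   # constructed: guesses per second an attacker manages at this work factor
    for label, bits in (("4-digit PIN", entropy_bits(10, 4)),
                        ("8 lowercase letters", entropy_bits(26, 8)),
                        ("12 chars, all classes", entropy_bits(94, 12)),
                        ("6 random dictionary words", entropy_bits(7776, 6)),
                        ("the 128-bit key itself", 128)):
        print(f"{label:28s} {bits:6.1f} bits  ~{years_to_crack(bits, rate):.3g} years")
```

The salt and iteration count make each guess cost the attacker the same 100,000 hash operations you pay once when opening the file, but they do not change the size of the space being searched: a 4-digit PIN is 13 bits of work however good the encryption, a random 12-character password is about 79 bits, a 6-word random passphrase about 78 bits, and only at that level does the passphrase stop being the weakest link. The entropy figures assume the secret was chosen at random; a word, a name or a date with symbols is far smaller than its length suggests.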
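Point 8 asks you to check whether a password has turned up in earlier breaches. Done properly, that check never sends the password itself anywhere. The added example below (not from the original post) implements the k-anonymity ‘range’ lookup used by the Pwned Passwords service: only the first five hex characters of the password’s SHA-1 hash are sent, the service returns every hash suffix in that range with a breach count, and the match is made on your own machine. The range response here is constructed for the example rather than real data, and the fetch function is an in-memory stand-in for the HTTP call.

```python
"""Added example for point 8 (not part of the original post): checking whether a
password appears in known breach dumps without sending the password anywhere.
This is the k-anonymity 'range' lookup used by the Pwned Passwords service: only
the first 5 hex characters of the password's SHA-1 hash are sent, the service
returns every hash suffix in that range with a breach count, and the match is
made locally.  The range response below is constructed for this example, not
real data, and the fetcher is an in-memory stand-in for the HTTP call."""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample response for prefix 5BAA6 (format: SUFFIX:COUNT per line).
# The first suffix is the real SHA-1 suffix of the string "password"; the
# count and the other two lines are made up for the example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
    ),
}


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (constructed data)."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_offline) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    Only `prefix` leaves the machine; the suffix comparison happens locally."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "Xk7#pq2Lm9vB"):
        n = breach_count(pw)
        verdict = f"seen {n} times, change it" if n else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")
```

To use this against the live service, replace `fetch_range_offline` with a function that performs the HTTP GET for the prefix and returns the response body; the rest of the code is unchanged. A count of zero means the password is not in that corpus, not that it is strong, and a non-zero count means change it everywhere it was used.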

One in five New Zealanders has been affected by a cyber attack – be proactive to avoid being a statistic! 
