Small business security guide for property professionals · 2020-06-19 · Avoid software that...
Small business security guide for property professionals
Presented by
Protecting your business
REA implements these measures within our
own organisation to protect our customers
and our business in line with recognised
cyber security standards.
This guide was developed using the
Australian Cyber Security Centre (ACSC)
advice. It will act as a readily available, easy
to understand reference for protecting your
business online.
The ACSC provides cyber security advice,
assistance and operational responses to
prevent, detect and remediate cyber threats
to Australia.
If you want to improve cyber security in
your business further, you can find more
information and advice on the ACSC
website at: www.cyber.gov.au.
REA has developed this guide for property professionals to help
protect you from the most common cyber security risks. Our
aim is to provide a checklist of simple and easy to follow actions.
As Australia’s largest property resource, we understand the power of the internet. It offers many benefits but with those benefits also comes increasing security risks.
REA Group is committed to helping you protect your business and stay smart
online. To assist you with this, we have published this simple guide highlighting how
you can protect yourself against online threats. The guide covers everything from
understanding the importance of privacy, to undertaking actions to protect your
network and security devices.
Customised to ensure it has the most impact for property professionals in Australia,
this guide relates specifically to practices you undertake, and common risks
impacting our industry.
We want all Australian property professionals to know that implementing
strong cyber security is fundamental to doing good business, building trust with
consumers across the country and beyond.
Introduction by Craig Templeton, Chief Information Security Officer, REA Group
Protecting your front door
What? A log-on page is often the first step to accessing systems that hold sensitive or important information. Be two steps ahead of threats to your business by enabling two-factor authentication (sometimes called multi-factor authentication or MFA) where it is available.
This means that instead of using just a username and password to log in to an account (typically regarded as one factor), two-factor authentication requires authentication using two factors — such as something you know (like a password) and something you have (like a one-time code sent to a mobile phone) — to gain access.
Top tip: Create secure passphrases for all online accounts, and always enable two-factor authentication or verification for additional protection when it is available. Use a password manager to help protect and organise passwords.
Why? Multi-factor authentication provides extra protection rather than relying solely on a password. This additional verification step can significantly reduce the risk of an unauthorised person accessing personal or company information.
How? Solutions are available for both mobile and web applications and should be used in combination with something you know (such as a password). This means that if a password becomes known, an extra layer of protection still prevents access to your systems.
All websites are different and may enforce log-on rules differently. Where two-factor authentication is not offered, the following can be used as a guide to ensuring strong password or passphrase standards.
Try not to use passphrases that might be
expected or easy to guess. For example, we
wouldn’t recommend ‘Richmond 3121’ as a
secure passphrase.
These are examples of a passphrase:
• mirror meet lesson clock
• day above pipe purple
• free central myself clean
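The four-word passphrases above are strong because each word is picked at random from a large list, not because they look complicated. The following is an added example, not code from the guide, showing how such a passphrase can be generated from the operating system's secure random source and how much guessing work it represents; the word list is a small constructed sample, and a real generator would draw from a list of several thousand words.

```python
import math
import secrets

# Constructed sample list for illustration only. A real generator should use a
# published list of several thousand words so each word adds ~13 bits.
SAMPLE_WORDS = [
    "mirror", "meet", "lesson", "clock", "day", "above", "pipe", "purple",
    "free", "central", "myself", "clean", "river", "stone", "window", "garden",
]

def generate_passphrase(n_words: int = 4, wordlist=SAMPLE_WORDS) -> str:
    """Pick n_words uniformly at random using the OS CSPRNG (secrets),
    never the predictable random module."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy when each word is drawn independently from list_size words.
    Four words from a 7776-word list give about 51.7 bits; four words from
    the 16-word sample above give only 16 bits."""
    return n_words * math.log2(list_size)

def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time for an attacker who can test guesses_per_second candidates
    (on average half the space must be searched)."""
    return 2 ** (bits - 1) / guesses_per_second

def looks_guessable(passphrase: str, min_words: int = 4) -> bool:
    """Heuristic based on the guide's advice: too few words, or a word plus a
    number (a suburb and postcode like 'Richmond 3121'), is easy to guess."""
    tokens = passphrase.split()
    if len(tokens) < min_words:
        return True
    return any(tok.isdigit() for tok in tokens)

if __name__ == "__main__":
    pp = generate_passphrase()
    print(pp, "guessable:", looks_guessable(pp))
    for size in (len(SAMPLE_WORDS), 7776):
        bits = entropy_bits(4, size)
        print(f"4 words from {size}: {bits:.1f} bits, "
              f"~{expected_guess_seconds(bits, 1e9) / 86400:.1f} days at 1e9 guesses/s")
```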
Keep your credentials safe
Your information is valuable, keep it private
What? Make sure that you keep passwords and any sensitive business or customer data stored electronically safe.
Why? Your business information is a valuable commodity. Employees should only have access to the information they need to do their job. By limiting that access on a need-to-know basis, you reduce the risk of confidential information leaving your business.
Secure passwords and administrative systems will help keep you and your business safe online.
How?
Avoid software that gives day to day users the same access privileges as administrators.
Administrators need greater access levels so they can undertake activities that may
impact several users or business processes.
Don’t share credentials (for example, usernames and passwords) within your business.
Each employee should also have individual access credentials for each business system
(not shared credentials).
Top tip: Each employee should understand the importance of information security. Encourage discussion and awareness of privacy requirements via team meetings, posters etc. Always remove old user accounts when employees leave the business and regularly review current access.
Awareness
What to keep an eye out for
Why? It’s important to be aware of what is happening
in the online world and stay up-to-date with
the latest scams, spam and internet threats.
The more aware people are about online
security, the more capable they are of applying
that knowledge to protect their business.
How? Awareness also means knowing the right questions to ask. If you are the principal/owner of your agency or head of your business, make sure you have an informed discussion with your IT provider to ensure your team’s needs will be met. Refer to the questions at the end of this guide to help you.
Awareness also extends to being on the lookout for suspicious messages, including:
• Phishing emails or text messages (these messages try to lure you into providing your passwords/passphrases, online banking details, payment of invoices, or other sensitive information).
• Spam (unsolicited advertising or promotional messages), and fake telemarketing calls requesting personal or financial information.
Top tip: Unsolicited messages or phone calls requesting personal/financial information, or seeking payment of invoices into a different bank account, should always be treated with suspicion in the first instance.
If you provide your details to a suspicious caller or sender and you have some concerns, immediately change your passwords and associated information where possible. You should also alert service providers such as your bank and ask them to monitor your accounts for unusual activity.
Top tip: If you have any doubt regarding the legitimacy of a phone call or email message, contact the organisation to confirm it by using a phone number, address or form sourced from its legitimate website or contact details you have on file.
Need more information? Stay up-to-date with current scams.
Network and device security
What? It is essential to have regularly updated antivirus software and to set your systems to
automatically update software.
Why? Updates provide new and improved versions of software which help keep you
safe online.
How? Ensure automatic antivirus software updates are turned on.
Mobile phones and tablets also provide access to your sensitive business
information. Make sure you use a PIN in case of loss or theft and limit business
information stored on them.
Treat any network that is not controlled by your business as insecure, particularly
public Wi-Fi. Avoid performing financial transactions on these networks.
Be wary of plugging unknown USB drives into your devices, as these drives may contain viruses. You can also improve the safety of the business by using separate devices at home for personal activities.
Criminals have more recently turned to online extortion as a way of obtaining money
from businesses. Extortion techniques include tricking employees into infecting
computers with software that encrypts files so the criminals can demand payment
for the decryption key. This is known as ransomware.
Top tip: Keep your operating system software up to date and back up your data to devices or locations isolated from your corporate network. Turn on ‘auto-update’ to ensure you receive the latest security updates.
Need more information? If you are impacted by ransomware there is help available.
Backups
Insure your data: back it up
What? A backup is a digital copy of your company’s most important information and business data.
Business data includes accounting files, invoicing and quoting
systems, letters and emails, information and resources, and even
your website files.
Why? Regularly backing up your data or setting devices to automatically
back up can help you quickly recover from a physical disruption
(for example, fire or flood), hard disk failure or cyber incidents
(such as becoming infected by ransomware).
How? Back up your data to a removable storage device such as a hard
drive or a cloud backup service. It is not recommended to back
up data to your computer as it may become compromised too.
Take your backup offsite or store it securely, like other important
documents. Test your backup system regularly to ensure that it
restores all information correctly.
Need more info? Microsoft provides ‘Backup and Restore’ functionality with some versions of the Windows operating system (see the Microsoft Support website).
Apple provides a few backup methods to users: one is cloud-based, while the others let you choose a different location (such as a USB drive). On the Apple Support website you can find:
• How to restore iPhone and iPad data
• How to back up or restore your Mac
Checklist
Key questions to ask to ensure your website and IT systems are secure
• Do you have two-factor authentication and strong passphrases implemented in your business systems, such as your CRM?
• Do you have a technical process to manage changes made to your website (for example: a staging environment for changes prior to publication of your content)?
• How do you monitor security events, and are alerts monitored?
• What are the processes in place to detect suspicious events and alerts on your business infrastructure, and what happens if they are related to a security incident?
• How are security incidents managed? Once a security incident has been discovered, what is the process to manage, resolve and learn from the incident?
• If you use an external hosting provider, do you know where your information is located?
• Who owns the intellectual property on your site and how can you gain access to it? Will you have any issues in the event of an incident or trying to recover your information?
• Is security currently embedded into your website, and is this security protecting your most important data and information? Best practice secure web design should be applied through the definition, development and deployment of your website.
• Has your website been independently verified?
• Do you have a process to effectively back up your site and recover lost information? If so, does it meet your business availability requirements?
• Who are the people that control the content and access to your website? Do you know exactly who can access non-public facing sections of your site? Limit access to individuals who need to perform administration or content deployment.
• Do you and your staff use unique credentials to access your information? How do you prevent unauthorised users from accessing your content?
• How do administrators access your site? Do you have rules and regulations about where and when the site can be updated?
Would you like to know more?
• Want to be secure at home too? The eSafety Commissioner also has tailored content for parents, teens, children and seniors.
• The Australian Cyber Security Centre is updated regularly with alerts and awareness content.
• Subscribe to Scam Watch alerts.
• Need to contact us about security? Head to our Security Help Centre.