Personal Information Security
We are committed to keeping secure the personal information you provide to us. We take all reasonable precautions to protect the personal information we hold about you from misuse and loss and from unauthorised access, modification or disclosure.
We have a range of physical and technology policies in place to provide a robust security environment. We ensure the ongoing adequacy of these measures by regularly reviewing them. Our security measures include, but are not limited to:
- Restricting access to our computer systems and physical records to authorised persons and preventing users from accessing information they have no need to access
- Requiring employees to use unique passwords to gain access to systems. These passwords are changed regularly and their use is independently monitored
- Encrypting data sent from your computer to our systems during internet transactions and customer access codes transmitted across networks
- Employing firewalls, intrusion detection systems and virus scanning tools to prevent unauthorised persons and viruses from entering our systems
- Using dedicated secure networks or encryption when we transmit electronic data for purposes of outsourcing
- Providing secure storage for physical records
- Detecting and preventing unauthorised access to buildings by employing physical and electronic means such as alarms, cameras and guards as required.
Where information we hold is identified as no longer needed for any purpose, we ensure it is effectively and securely destroyed.
Receiving communications by email? Things to be aware of
Email is a fast, convenient and environmentally friendly way to receive your Colonial First State communications. Set out below are some of the steps that Colonial First State is taking to help keep your email communications reliable and secure, together with some tips for you to consider.
Ensuring the security of your personal information
In the unlikely event that correspondence we email you is intercepted by someone else, key aspects of your personal information may be 'masked'. Some of the details that may be masked include your address, online identity number (OIN), tax file number, salary and smoking status. In place of this information will be the '*' character.
Your Colonial First State account number and your bank account number may also be masked, except for the last three digits.
Your date of birth will display the year you were born, while the day and month may be masked.
Masking details is not possible when the email is an ad-hoc request. An ad-hoc request is when email is not your preferred communication choice and you ask us to send a document or information via email on a one-off basis.
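As an added example that is not Colonial First State's code, the masking rules described above written out in Python: fully masked fields, account numbers masked except for the last three digits, and a date of birth that keeps only the year. The field names, record layout and sample values are assumptions constructed for illustration.

```python
"""Masking of personal details in emailed correspondence.

Example code added to illustrate the rules above; it is not the provider's
implementation. Field names, record layout and sample values are constructed.
"""
import re

MASK = "*"


def mask_full(value: str) -> str:
    """Replace every character with '*' (address, OIN, TFN, salary, smoking status).
    Length is preserved so the layout of the document is unchanged."""
    return MASK * len(value)


def mask_keep_last(value: str, keep: int = 3) -> str:
    """Mask all digits of an account number except the last `keep`.
    Non-digit separators (spaces, hyphens) are kept so the number stays readable.
    If the value has fewer than `keep` digits, nothing is masked."""
    total_digits = sum(ch.isdigit() for ch in value)
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - keep else MASK)
        else:
            out.append(ch)
    return "".join(out)


def mask_dob(value: str) -> str:
    """Keep the year, mask day and month. Accepts DD/MM/YYYY or YYYY-MM-DD;
    any other shape is rejected rather than passed through unmasked."""
    m = re.fullmatch(r"(\d{2})/(\d{2})/(\d{4})", value)
    if m:
        return f"**/**/{m.group(3)}"
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value)
    if m:
        return f"{m.group(1)}-**-**"
    raise ValueError(f"unrecognised date of birth format: {value!r}")


# Assumed field names; fields not listed here (e.g. the customer's name) are left as-is.
FIELD_RULES = {
    "address": mask_full,
    "oin": mask_full,
    "tfn": mask_full,
    "salary": mask_full,
    "smoking_status": mask_full,
    "account_number": mask_keep_last,
    "bank_account": mask_keep_last,
    "date_of_birth": mask_dob,
}


def mask_record(record: dict, ad_hoc: bool = False) -> dict:
    """Apply the masking rules to a record destined for email.
    Ad-hoc one-off requests are sent unmasked, as the statement describes,
    so the caller must pass ad_hoc=True deliberately."""
    if ad_hoc:
        return dict(record)
    return {key: FIELD_RULES.get(key, lambda v: v)(val) for key, val in record.items()}


# Constructed sample record (not real customer data).
SAMPLE_RECORD = {
    "name": "Jane Citizen",
    "address": "3 Example St",
    "tfn": "123 456 789",
    "account_number": "012345678",
    "bank_account": "062-000 12345678",
    "date_of_birth": "14/07/1980",
}

if __name__ == "__main__":
    for key, val in mask_record(SAMPLE_RECORD).items():
        print(f"{key}: {val}")
```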
Ensuring our emails are delivered to you
In order to receive your Colonial First State communications by email, your email address needs to be current. There are a number of ways you can update your email address with us.
- Call us on 13 13 36
- Log into FirstNet then select [Change my details]
- Write to us at Colonial First State, GPO 3956, NSW
Ensuring you can open our attachments
Some of the correspondence we email you will be in the form of an attachment. You will need Adobe Reader software to open these attachments. It’s possible you already have this software on your computer. However, if you don’t have this software, click on the following link to install it.
Ensuring you follow safe computing practices
We encourage you to follow safe computing practices and to consider the following tips:
- Password protect your computer to stop others accessing your email. Safeguard any computer-related passwords.
- Never respond to an email that asks you to log in or asks for personal information. Colonial First State will never send you an email containing such requests.
- Use email spam filters to help protect you from receiving hoax/spam emails. Anti-virus/anti-spam software and Internet Service Providers (ISPs) now offer email spam filtering services. These spam filtering services intercept many hoax emails, preventing them from reaching your email inbox. You may need to contact your ISP either by telephone or via their website in order to activate spam filtering on your email account. You should check that your own or your ISP's spam filters are not blocking Colonial First State emails.
- Avoid opening, running, installing or using programs/files you have obtained from a person or organisation that you do not know you can trust. Be particularly careful of unsolicited emails containing file attachments.
- Always scan new programs/files for viruses and spyware before and after opening, running, installing or using them.
- To help keep emails secure, you should always maintain up-to-date versions of firewalls, anti-virus, anti-spam, anti-spyware, anti-phishing and other security software and tools. A number of vendors provide such products. You should also download and install the most up-to-date patches and fixes for the operating system and other software that you use on your computer.
In order to ensure best practice security standards to protect our online communications and your personal information, both we and you have important and significant roles to play at each step of the way when you use our online services. These steps and the respective roles and obligations are outlined below.
Step 1: When you use your computer to access FirstNet via the internet.
It is important that you, and only you, are able to gain access to your accounts via your computer. To assist with protecting your information, WE:
- Issue you with an online identity number and PIN
- Provide a secure way for you to enter your online identity number and PIN
- Send your PIN only by mail to your registered address
- Automatically log you out of your account if you have been inactive for more than 30 minutes in the case of investors, and 3 hours in the case of advisers. This prevents unauthorised people from accessing your online investing session if you leave your PC unattended without logging out.
The easiest way for someone to gain unauthorised access to your personal information is by guessing, stealing or looking over your shoulder to see your password, rather than by capturing your password over the internet. To ensure our security measures work effectively, YOU must:
- Protect your online identity number and PIN from access by others (don't write it down or store it on your computer)
- Never click on the browser pop-up option to "Auto-Complete - remember this password" when entering your OIN and PIN
- Regularly (i.e. each month) change your PIN via FirstNet
- Not choose a PIN that can be easily associated with your obvious personal information
- Correctly log off from your accounts after accessing FirstNet
- Notify us immediately if you believe your PIN has been lost or stolen, or of any unauthorised use.
Step 2: Sending your personal information via the internet.
The information that we exchange via the internet must not be read or changed by unauthorised parties. To assist with this, WE:
- Provide the necessary technologies to enable us to exchange messages protected from access by unauthorised parties. This is achieved by using the strongest level of industry-accepted encryption. Encryption is supported by Secure Sockets Layer technology.
- Continuously monitor the system for suspicious activity and immediately follow up on any detected issues. This includes the use of technology, people and best-practice processes, which allow us to isolate the system in the event of a detected risk or vulnerability.
To ensure our security measures work effectively, YOU must:
- Install a supported web browser: Microsoft Internet Explorer (version 7.0 or higher) or Mozilla Firefox
- Install and regularly use an up-to-date, recognised virus scanner. Some viruses may be able to obtain passwords, PINs and other personal information from your computer.
Step 3: Protecting our systems from the internet.
Our systems that are connected to the internet must be protected from unauthorised access. To assist with this, WE:
- Have installed a series of sophisticated firewalls that protect our systems. A firewall is a type of computer system that recognises messages or requests from desired parties and accepts only those with appropriate authorisation.
Step 4: Storing your data on our systems.
Your personal information stored on our systems must be protected from unauthorised access both from outside and within Colonial First State. To assist with this, WE:
- Provide physical and technical protection for the information storage systems
- Implement and enforce rigid guidelines and policies for our own use of personal information
- Provide access to allow you to update your information
- Ensure that for changes to critical information such as your address, we receive your written authorisation prior to making a change. You will also be able to do this via FirstNet soon.
To ensure our security measures work effectively, YOU:
- Must keep your personal information up to date.
Step 5: Collection of information via web site activity.
For statistical purposes we collect information on web site activity (such as the number of users who visit our web site, the date and time of visits, the number of pages viewed, navigation patterns, what country and what systems users have used to access the site and, when entering our web site from another web site, the address of that web site) through the use of our website log files.
This information on its own does not identify an individual but it does provide us with statistics that can be used to analyse and improve our web site. We may also collect your personal information via your use of online forms available through our web site.
When you use FirstNet, we send you a temporary cookie that gives you a unique identification number. A different identification number is sent each time you use our web site. Cookies are used for the temporary storage of information that allows us to deliver online applications and customisation for users of our web site.
To evaluate the effectiveness of our web site, we may use third parties to collect statistical data.
You can configure your browser to accept all cookies, reject all cookies, or notify you when a cookie is sent. Please refer to your browser instructions or help screens to learn more about these functions. If you reject all cookies, you may not be able to use our web sites.
At the end of your interaction with our web site, the cookie "crumbles". This means it no longer exists on your computer and therefore it cannot be used for further identification or access to your computer.
Some commonly used security related terms
Encryption: information sent is coded using random mathematical "keys" in a technique that allows only you and us to easily unscramble the information. These keys are created each time you log onto our system, and are only used for the duration of the session.
Secure Sockets Layer (SSL): this technology allows us to communicate with you in a way that prevents transmitted data from being altered or disclosed. It provides encryption and authentication. Information is encrypted to prevent unauthorised disclosure. Information is then authenticated to ensure that it is being sent and received by the correct parties. SSL provides "message integrity" to prevent the information from being altered during interchanges between us and you. We use "128 bit" encryption, which is at the highest and strongest level of encryption currently available online. For further information, you may wish to visit www.verisign.com.
Cookies: A 'cookie' is a packet of information that allows our applications to identify and interact more effectively with your computer. For further information, you may wish to visit www.w3.org.
For further information about the security related terms we have used in this statement you may wish to visit www.w3.org.
Tips to stay safe online
Tips to help you browse safely online
Your web browser is your window to the digital world. Whether it’s entertainment and news, or the ability to connect with friends and go shopping, the internet offers great experiences and a wealth of information. It’s hard to imagine our lives before the internet.
As in real life, when you’re online it’s important to be aware of your surroundings and ensure you trust those that you interact closely with.
Protect your device
Keep your operating system, security software, web browser and add-ons up-to-date by ensuring automatic updates are enabled or installed as soon as they are available. This dramatically reduces your device's exposure to malware. Be sure to read reviews of security software (such as anti-virus) to assess its reputation before you download them.
Is your browser session secure?
Before making a transaction or entering personal information on a web site, check that your browser address window is green, the URL (web address) has changed from 'http' to 'https' and that a closed padlock icon is present. Find out more about browsers that support this feature.
Go directly there
The safest way to access any web site is to type its web address directly into the browser and bookmark it. Hover over web links with your cursor to check for spelling errors or unexpected web addresses before you click. Phishing emails often contain links to dangerous sites. Learn more about email security and phishing.
Create strong, unique passwords
Choose passwords for your online services that are difficult for anyone else to guess. A strong password is long and complex (a variety of letters, numbers and other characters), unique (not re-used for other apps), current (changed at least every 90 days) and not obvious (avoid dictionary words, dates, names etc). Learn about how to create stronger passwords.
Maintain your privacy
Take charge of what you reveal about yourself online. Think twice about handing over any personal details unless you are confident it is absolutely necessary.
Take extra care when shopping and banking
Take extra security precautions whenever you log on to online banking or make other financial transactions.
MOBILE & APPS
Securing your smartphone and apps
Our smartphones have become central to the way we live our lives. They are our wallets, our loyalty cards, our maps, our personal secretaries and increasingly much more. By observing some simple practices, you can protect the information on these essential devices.
A secure device
Your mobile phone is normally under your watchful eye, but we all know someone who has lost their phone or had it stolen. Set your phone up to protect your information in the event this happens to you:
- Set your mobile device to lock after a short period of non-use.
- Use a strong, secret PIN/passcode and/or fingerprint detection.
- Sign out of websites when you’ve finished browsing.
- Use Apple’s Find my iPhone or Google’s device manager for Android, to help you locate your phone and wipe the data should it fall into the wrong hands.
Keeping up to date
Make sure your operating system and apps are up to date by ensuring automatic updates are enabled. Old versions of software can have security issues that fraudsters could use to get access to your data.
The way you use and download apps plays an important role in keeping your phone secure:
- Only install apps from official stores, such as Apple's App Store or Google Play (for Android phone or tablet).
- Check the name of the publisher before downloading the app.
- Avoid installing apps from links received in an email, social media post, text message or a web page that doesn’t look right. The best way to download an app is to go to the store and download it from there.
- Read user reviews and ratings to assess if an app delivers a good experience.
- Many apps collect and send personal data from your phone, including your location and contacts. Keep on top of this by reviewing and managing permissions for each app. On an iOS device, this can be done under the 'Settings > Privacy' function. On an Android device, you can find them under 'Application Manager'.
- Read the terms of any app looking to access your contacts, location or other personal information when you log in using a third party service (such as Facebook or LinkedIn).
Rooting and jailbreaking
Removing hardware restrictions (called rooting on Android and jailbreaking on Apple) on your mobile device in order to install unapproved third party apps or features weakens the in-built security protection, leaving your phone susceptible to malware and viruses.
Staying safe when using social networks
Social networks such as Facebook, Twitter, LinkedIn and YouTube are great for connecting us with friends, family and colleagues as well as others that share our interests.
The profiles we create on social networks can reveal a lot of information. Have you ever thought that someone could use all this information in order to commit identity theft? What could a stranger learn about you by reading posts written by you or others on social networks?
It’s important for your online safety and privacy to think about the sort of information you’re sharing and who you’re sharing it with. The good thing is there are ways you can protect yourself online.
Circles of trust
You can be confident using social networks when you’re in control of who sees what you’ve posted, or anything posted about you. Here’s a few tips to help you build that circle of trust:
- Be selective about who you connect with
- Did you know you can use your privacy controls to determine who can see your posts and information? On some networks, you can restrict posts exclusively to certain groups, such as your family or close friends.
- Assume that anything you post on social networks is not completely private. If you don’t want anyone to see what you’ve posted it probably doesn’t belong on social.
Consider your digital footprint
The best way to protect yourself against online identity theft is to limit the ‘digital crumbs’ a stranger can gather about you. This means being careful about putting personal information such as your home address, phone number or account details on public forums.
Why don’t you try checking your ‘digital footprint’ now? Simply log out of all of your social networks and then look up your name in a search engine and assess the results.
Careful posting on social networks not only protects your reputation but also your physical safety, something you may not have thought much about.
Some social networks will offer you ‘geo-tagging’. This means they can put your location information in your posts. Before letting them do this it’s worth asking yourself some questions:
- Does the service really need to know where you are to be useful?
- Could there be other consequences from revealing where you are or where you spend your time?
- Tempting as it is to put that post up to say you’re on the holiday of a lifetime on a tropical island, is it wise if your home address can be found online?
Another way social networks use tagging is when others post information and ‘tag’ you, for example, they have a photo of you and ‘tag’ you in it. You can set up an alert to let you know when this happens so you can see what is being posted about you and stay in control of your reputation.
Safe browsing habits
Safe browsing habits are just as relevant when using social networks:
- Use strong passwords for all your social networks
- Do not use the same passwords you use to log on to your online banking
- Be careful with any unusual posts, such as a post from a friend recommending a website they wouldn’t normally be interested in
- Sign out of your social network account when using a public computer
- Hover your mouse over links presented in social posts to make sure they direct to a site you trust.
YOUR PRIVACY & IDENTITY
Protecting your privacy and identity online
The digital world offers great online experiences, whether it’s connecting with new people, sharing information or shopping and banking online. It is important to protect your privacy to ensure positive online experiences.
What is identity theft and how can I avoid it?
Identity theft is when someone uses your personal information to pretend to be you, usually to carry out fraudulent activity such as trying to access your bank accounts or opening a credit card account in your name.
You can reduce your risk of falling victim to identity theft with these tips:
- Create strong, secure passwords, and change them regularly
- Be suspicious of unexpected or unusual emails
- Make sure your bank has your up-to-date contact details so they can get in touch quickly if they see any unusual activity on your accounts
- If throwing out any personal or financial information such as bank statements or bills, shred or destroy them. If filing them away, make sure they are kept in a secure place in your home/office.
Consider your digital footprint
The best way to protect yourself against online identity theft is to limit the ‘digital crumbs’ a stranger can gather about you. This means being careful about putting personal information such as your home address, phone number or account details on public forums and social networks.
Why don’t you try checking your ‘digital footprint’ now? Just log out of all of your social media accounts and then look up your name in a search engine and assess the results.
Managing your cookies
Cookies are text files that are downloaded to your computer or mobile device when you visit a website. When you’re browsing, cookies gather information about how you use the website.
Cookies can be useful as they help you have an enriched and more personalised experience online by allowing sites to track your preferences as you browse. From time to time, it’s a good idea to check that you're comfortable with what cookies your desktop or device has collected.
You can usually manage your cookies and browsing history via your web browser.
Has your identity been stolen?
The moment you spot suspicious activity on your bank account contact your bank as soon as possible. Other signs of identity theft could be receiving bills for goods and services you didn’t buy or use. You might also notice you’ve stopped receiving expected mail, which could mean it’s being stolen from your mailbox or your mailing address has been fraudulently changed. If any of these are the case contact your local police immediately.
If you’re keen to know more, check out ScamWatch or pick up a copy of 'ID Theft Booklet – Protecting your Identity' by the Australian Government here.
Keeping your information and money safe online
Whether you’re banking online, shopping on your favourite website or logging on to social media – strong passwords that you never share with anyone, and change regularly, are vital to keep your information and money safe and secure online.
To help you, here’s a guide to strong passwords and how to create one that’s easy to remember. A strong and secure password is:
- More than 8 characters – the longer and more complex your password, the harder it is for someone to decipher it
- Made up of a variety of letters, numbers and symbols
- Unique (not re-used for other websites or apps)
- Current (changed at least every 90 days)
- Easy to remember, difficult to guess (avoid dictionary words, dates, names etc.)
- Never shared with anyone, even family or friends.
Four tips when creating passwords
- Don't use the same password to access all the sites you use.
Create variations and change them at least every 90 days. Use a unique password for each of the most important sites that you visit, such as banking, online shopping and email.
- Easy to remember, difficult to guess.
Choose passwords for your online services that are easy for you to remember, but difficult for anyone else to guess. Don't use every day or dictionary words, part of your name or that of your family members, your date of birth, mobile number or other easily guessed passwords such as sequential numbers.
- Shorten a memorable phrase.
Create a password based on a phrase that only you know. If you’re saving for a trip to Hawaii, your password could be: $5kH?Al0ha! Alternatively, if vegemite is your favourite breakfast spread, try: <3VegeYum1. Naturally, don’t use these exact examples.
- If you need to write down a hint, disguise it.
Don't write down your passwords or PINs. Remember, your passwords unlock your accounts so never share them with anyone. If you need to record a hint, make sure it is disguised and secured.
Tips to stay safe when using email
Email is a great way to stay in touch with friends, send and receive documents, register for online services and subscribe to news and other alerts.
Observing a few simple practices will help ensure that you can stay safe while getting all of the benefits that email has to offer.
How to detect phishing
Phishing is the use of bogus emails created by fraudsters. The aim of these emails is to trick you into clicking on links to fake websites, opening malicious attachments or revealing personal information.
Signs of a phishing email include:
- They may not address you by your name
- Misspelling and inconsistent graphics/ images are common
- They may ask for sensitive information
- Creating a sense of urgency – scammers may try to override your better judgment by stating that something needs your immediate attention
- Sender address – does it look unfamiliar or peculiar?
- They may contain unfamiliar or unexpected attachments – don’t open them as they may contain malicious software.
If you’re unsure about an email, contact the company using a phone number from their website (not from the email) before you reply.
Check that links in emails are legitimate by ‘hovering’ your mouse over the link to view the URL without clicking.
Never open an attachment that you’re unsure about as it may contain malicious software designed to infect your computer.
Other examples of phishing emails can be found on ScamWatch.
Managing your email accounts
Using the same email address for everything from banking to signing up to a gossip newsletter is a risk. It may make it difficult to manage your inbox and quickly identify emails that are legitimate. You are also at increased risk of your email being compromised when you use the same email to sign up for lots of services.
Consider having different email addresses for different purposes; one email address for your bank to use, another for family and friends and perhaps a different address for online newsletters.
SHOPPING & BANKING
Tips for safer online shopping and banking
In today’s online world, buying something new, paying a bill or streaming the latest music and movies is just a tap away. To get the most from these online experiences, it is important to be mindful of protecting our personal and financial information.
Consider these simple steps to shop and bank online with confidence.
Is the website safe?
If you're unsure about the legitimacy of a website, here are a few things to look out for:
- Check the web address is what you expected (check for incorrect spelling)
- Check that the site has a consistent design
- Look out for poor grammar or spelling
- Expect a green address bar with a closed padlock icon anytime you are asked to make a transaction
- If you’re still unsure, use a search engine to check on feedback from other users of the service to get a better understanding of its credibility.
What security features should I look out for when I’m shopping or banking online?
You should expect to see that the URL (web address) begins with 'https' and a closed padlock icon in the address window when you are about to make a transaction on a shopping site. This indicates that the communication between your device and the shopping site is encrypted (unable to easily be intercepted or read).
Whenever you are about to log in to an online banking session, check that your browser address window is green and that a closed padlock icon appears in the address window.
Take advantage of additional security options
Protect your transactions with 'two factor authentication', an extra level of security, where available. This tends to take the form of a second way to identify you in addition to your password or PIN, via something that you have or something that you know.
Take care with the type of information you type into your web browser when you’re connected to a WiFi network. You can be far more confident when connected to a trusted WiFi network, such as in your home, versus when you’re using an untrusted network, such as public WiFi in a coffee shop.
When you’re shopping and banking online, it’s important to follow general safe web browsing advice. See “Tips to help you browse safely online”
TIPS FOR FAMILIES
Smart, safe and connected families
The internet and mobile technology are firmly embedded in family life. Kids are growing up in an increasingly connected world and find it easy to stream the latest movie, chat with their friends any time they want, research an assignment for school or download the latest games.
It’s a good idea to make sure your kids can navigate the online world safely. This does not have to be overwhelming, in fact with a few simple tips, you can make sure the whole family is smart and safe online:
- Take an interest in what your kids are up to online. Speak with them about who they’re connecting with, what they’re doing, and how much information they’re sharing. That way you can see any potential issues that a child may not be aware of.
- Tell your kids not to give out personal information about themselves or the family e.g. full name, date of birth or address
- Set clear boundaries for technology use and online behaviour, such as time limits
- Keep up with the latest trends, technology and apps to encourage family discussions on online safety. You may even find yourself quietly enjoying the newest online puzzle or game!
- Consider using parental controls where available on your devices.
To help you understand how kids are using technology, and to learn how to guide them in the digital world, the award winning ThinkUKnow program offers training for parents, carers and teachers.
If you feel your child is being bullied online, the Children's e-Safety Commissioner website provides information on what to do and allows you to report online bullying.
Protecting your business
Help staff protect your business
SECURE WEB BROWSING
Safe web browsing at work
Your web browser is your window to the digital world. Whether it's to find a new supplier, perform research on your customers, or create a website for your business, the internet offers great services and a wealth of information. It's hard to imagine how we ever did business before.
It's important you and your staff understand that the way you browse the web can affect the online security and integrity of your business.
Protect your computers
Malware - or malicious software - can be inadvertently downloaded from websites by users and harm the devices and information in your business. Dramatically reduce your exposure to malware by securing your devices, keeping your operating system, security software, web browser and add-ons up-to-date. A convenient way to do this is to ensure automatic updates are enabled or installed as soon as they are available.
By observing some simple advice when browsing the web, you and your staff can further reduce your exposure to online risks.
Is your browser session secure?
Before making a transaction or entering sensitive information on a web site, check that your browser address window is green, the URL (web address) has changed from 'http' to 'https' and that a closed padlock icon is present. If your browser is up to date, it should support these features.
Go directly there
The safest way to access any web site is to type its web address directly into the browser and bookmark it. Hover over web links with your cursor to check for spelling errors or unexpected web addresses before you click. Phishing emails often contain links to dangerous sites.
Create strong, unique passwords
Choose passwords for your online services that are difficult for anyone else to guess. A strong password is long and complex (a variety of letters, numbers and other characters), unique (not re-used for other services or apps), current (changed at least every 90 days) and not obvious (avoid dictionary words, dates, names etc.).
Protect your brand
Take care with what you or your staff reveal about your company online. Think twice if the information you are handing over is sensitive or considered valuable intellectual property for your business.
It's important that staff also recognise that in many circumstances, they are representing your business when interacting online. Both business leaders and staff should ultimately feel a sense of collective responsibility about their reputation and what sorts of online activities are in line with the values of the business. Devising a clear IT policy that is regularly kept up-to-date ensures everyone is on the same page.
Use social networks wisely
Social networks such as LinkedIn, Facebook and YouTube are a great way to connect with customers, colleagues and industry peers. They can help you build your brand and customer base, gain valuable insights and support recruitment.
The way you and your staff use social networks can have security and reputational impacts for both employees and the broader business. In some cases, staff may even use a social network both for their personal lives and to support your business's objectives.
Be mindful about whether the information you or your staff post on social networks, and who you interact with, is in line with the way you want your brand represented and the detail about your business you want revealed.
Take extra care when transacting online
If you or your staff regularly make online purchases or perform financial transactions, there are important security precautions to observe. Learn more about safer online shopping and banking.
Create stronger passwords to keep information secure
Creating memorable and secure passwords that you change regularly is vital to keep your business accounts safe and to protect the privacy of your customers.
Password re-use is a big risk for businesses. When employees use the same passwords at home as they do for your business systems, it increases the risk of a hacker gaining access to your network. Educate your staff on smart password use both at work and at home.
As business owners or administrators, it's also vital to create strong passwords to safeguard higher levels of access to your company systems. A good password is:
- More than eight characters - the longer and more complex your password the harder it is for someone to decipher it
- Made up of a variety of letters, numbers and symbols
- Unique (not re-used for other accounts or apps)
- Current (changed at least every 90 days)
- Easy to remember, difficult to guess (avoid dictionary words, dates, names etc.).
Create different passwords for the sites that you visit, and change them regularly
Don't use the same password to access all the sites you use. Instead, create variations and change them at least every 90 days. Use a unique password for each of the most important systems and sites that you visit, from logging in to a company laptop to completing other activities such as banking, online shopping and email.
Easy to remember, difficult to guess
Choose passwords for your online services that are easy for you to remember, but difficult for anyone else to guess. Don't use everyday or dictionary words, parts of your name or that of your family members, your date of birth, mobile number or other easily guessed passwords such as sequential numbers.
Shorten a memorable phrase
Create a password based on a phrase that only you know. If you're saving for a trip to Hawaii, your password could be: $5kH?Al0ha! Alternatively, if vegemite is your favourite breakfast spread, try: <3VegeYum1. Naturally, don't use these exact examples because only you should hold the secret.
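The rules listed under 'A good password is' and the advice in the three headings above can be checked mechanically. The script below is an added example, not code from Colonial First State: it tests a password for length, character variety, guessable words and dates, re-use across accounts and age, and runs the two sample passwords from the text through it alongside a weak one. The word list, the personal details and the change dates are constructed; a real check would use a proper dictionary and the account's real change date.

```python
# Added example, not from the original page: a checker for the password rules
# given above. The word list and the sample dates are constructed; a real
# deployment would use a proper dictionary and the account's real change date.
import re
from datetime import date

# Constructed stand-in for a dictionary plus common names; keep it lower-case.
GUESSABLE_WORDS = {"password", "welcome", "summer", "hawaii", "aloha", "vegemite", "sydney"}

# Constructed 'today' so the age check gives stable results in the examples.
REVIEW_DATE = date(2024, 9, 10)
MAX_AGE_DAYS = 90


def check_password(pw, personal=(), others=(), last_changed=None, today=REVIEW_DATE):
    """Return the list of rules the password breaks; an empty list means it passes.
    personal: names, dates etc. belonging to the user; others: passwords used elsewhere."""
    problems = []
    # Length: the text asks for more than eight characters.
    if len(pw) <= 8:
        problems.append("too short: needs more than 8 characters")
    # Variety: letters, numbers and symbols.
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if not (has_letter and has_digit and has_symbol):
        problems.append("needs a mix of letters, numbers and symbols")
    # Obvious content: dictionary words, names, dates, sequences.
    lowered = pw.lower()
    words = GUESSABLE_WORDS | {p.lower() for p in personal}
    for word in sorted(words):
        if len(word) >= 4 and word in lowered:
            problems.append("contains guessable word '%s'" % word)
    if re.search(r"(19|20)\d{2}", pw) or re.search(r"\d{6,}", pw):
        problems.append("contains a year or long run of digits")
    if re.search(r"(0123|1234|2345|3456|4567|5678|6789|abcd|qwerty)", lowered):
        problems.append("contains a keyboard or number sequence")
    # Unique: not used for any other account.
    if pw in others:
        problems.append("re-used for another account")
    # Current: changed within the last 90 days.
    if last_changed is not None:
        age = (today - last_changed).days
        if age > MAX_AGE_DAYS:
            problems.append("%d days old: change at least every %d days" % (age, MAX_AGE_DAYS))
    return problems


def run_examples():
    """The two sample passwords from the text, plus a weak one, with constructed dates."""
    return {
        "hawaii_phrase": check_password("$5kH?Al0ha!", last_changed=date(2024, 8, 1)),
        "vegemite_phrase": check_password("<3VegeYum1", last_changed=date(2024, 8, 1)),
        "weak": check_password("Hawaii2019", personal=("Smith",), others={"Hawaii2019"},
                               last_changed=date(2024, 1, 5)),
    }


if __name__ == "__main__":
    for name, problems in run_examples().items():
        print(name, "->", problems or "OK")
```

Both phrase-based passwords from the text pass every rule because the substitutions ('0' for 'o', 'Vege' for the full word) break the dictionary match, while 'Hawaii2019' fails on variety, a dictionary word, a year, re-use and age at once.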
If you need to write down a hint, disguise it
Don't write down your passwords or PINs. Remember, your passwords unlock your accounts, so never share them with anyone. If you need to record a hint, make sure that it is disguised and secured.
SECURING YOUR DEVICES
Securing your devices
Writers of malicious software (malware) including ransomware and keyloggers rely on users of a system to make simple errors in order to infect a device or gain unauthorised access.
Aside from educating your company's computer users, your best defence as a small business is to 'harden' your devices against these risks. This can be achieved by taking some simple actions.
- Turn on automatic updates
Modern desktop operating systems such as Microsoft Windows or Apple OS X offer regular software updates. These updates often include patches (fixes) for newly discovered security flaws. It is important to install these updates quickly so devices are secure against malware.
The most convenient and secure way to ensure computers are protected is by enabling automatic updates.
Tip! On Windows 10 machines, you can switch this feature on by choosing the 'Settings' menu, selecting 'Updates and security' and then clicking on 'Advanced Options'.
Tip! On an Apple Mac, open 'System Preferences' and make sure the 'Automatically check for updates', 'Install OS X updates' and 'Install system data files and security updates' options are all enabled.
It's also important to enable automatic updates for your web browsers. The latest versions of Apple's Safari and Microsoft's Edge browsers are updated automatically when you update your operating system. Other popular web browsers like Google Chrome and Mozilla Firefox automatically download their own updates, but you'll need to restart the browser for the changes to take effect.
- Install security software and keep it up to date
Security software is a good first line of defence against malicious software (malware).
Modern versions of Windows include free security software called Windows Defender. Microsoft also allows the installation of third-party security software for users looking for a higher standard of protection.
Apple Mac computers don't include security software by default, so it's important to install reputable third-party software.
Good security software can help protect your business from phishing attacks, ransomware and other threats. In selecting security software (such as anti-virus or anti-malware), be sure to first read reviews to assess its reputation.
- Only install software from reputable publishers
Cyber criminals are known to embed malicious code into software that appears legitimate as a way to infect their targets with malware. Often, this software is pirated or available via unauthorised or unofficial sources.
The safest way to avoid downloading malicious code is to only download software from official stores.
The Microsoft Windows Store is the official online marketplace for purchasing and downloading software for Windows. For Macs and Apple iOS devices, it is Apple's App Store.
Google Play is the official online marketplace for Android devices.
- Limit administrative access to your computers
Each user account has rights to perform specific functions. In small businesses, it's often the case that all users are given full administrative rights by default. That means they have the right to install new programs, change security settings and choose personalised colour schemes and wallpapers.
Larger organisations have learned that restricting administrative access greatly reduces the number of infections and security breaches. Most users simply don't need administrative access, even if they want it.
By limiting users to the access they need, you can prevent them from disabling important settings such as security updates and require them to obtain permission before installing unapproved software.
You can usually configure these user options under the 'Settings' or 'System Preferences' menus of your devices.
- Encrypt your hard drives
Disk encryption ensures that if a computer is stolen, the thief is unable to access the data.
The only way disk-encrypted data can be accessed is if the drive is powered on and the thief has the user's account login details.
Microsoft Windows' disk encryption is called BitLocker. Microsoft provides step-by-step instructions for using BitLocker on its website.
For an Apple Mac, a program called FileVault is used to protect hard drive content. Apple's instructions for using FileVault are available from Apple's support website.
SECURING YOUR NETWORK
Secure your office network
Many small businesses don't have dedicated technology staff to install, configure and update their networks and the job is often left to somebody who may not have had formal training.
While networks make it easy to share information within the office and with others, an improperly configured network risks allowing outsiders to disrupt your business activities or steal data.
Here are six essential steps for protecting your business network.
- Change the defaults
An important first step when setting up a network is to change the default password for your router. A router's default password is usually published on the manufacturer's website, making it easily discoverable by would-be attackers. Choose a new, strong password that is at least eight characters long, difficult for others to guess, and isn't re-used for any other service your business uses.
It's also wise to disable 'remote configuration' of your router. Disabling this feature ensures your router can only be managed from a computer within your network, rather than by someone logging in over the internet.
- Hide your network
Your office network has a name, known as an SSID. These are the network names you typically see when you're travelling, or are in a public place, and looking for a Wi-Fi network to connect to.
Limit the ability for unauthorised users to find or access your network by disabling the SSID broadcast. You'll need another way to communicate the name of your wireless network to new users - perhaps you can simply tell them.
Find the 'disable the SSID broadcast' option in your router's settings.
- Protect your data
To prevent unauthorised access to your networked files, wireless communications between the computers on your network should be encrypted. Encryption scrambles your data so only the devices that are authorised to use the network can read it.
Setting up encryption on your network is usually done through the 'Wireless Security' settings on your router. It typically involves selecting the type of encryption for your network, and creating a network password or key.
WPA2 is currently the most secure type of encryption for small business and home routers, provided it is combined with a strong password. Users are asked for a password when connecting to the network for the first time, but won't be asked on future occasions.
Less secure encryption options such as WEP should only be used on older routers where WPA2 (or WPA) is unavailable.
It's a good idea to regularly change your network password. Doing so will prevent staff members that have left the business from having ongoing access to the network.
- Create a guest mode for visitors
When guests pop in to the office - be they temporary staff, contractors or friends - it's common to offer them network access so they can use the internet.
Look for options on your router that offer visitors access without granting access to other network resources such as servers or printers. Most routers call this 'Guest Access'.
Modern routers can usually create a separate network that gives connected devices access to the public internet but nothing else. You'll find these options within your router's wireless security settings.
- Turn off features you don't use
Modern routers come with a range of features. Services like FTP, UPnP and WebDAV are useful for specific applications. But if you don't need these services, don't turn them on.
Each enabled service is a potential opportunity for unauthorised users. It's what security experts call the "threat surface" and the best approach to data defence is to make that surface as small as possible.
- Keep an inventory of approved network devices
It's good practice to maintain an inventory of approved devices and update this list any time a device is added or removed from the network. Regularly comparing your network against this list and removing access to devices that are unknown or not approved will improve the security of your business.
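The six steps above can be turned into a checklist that is run against a router's settings and the list of connected devices. The script below is an added example and not part of the original page: it audits two constructed configurations, one as a small office router is often found and one after the six steps, and reconciles the devices the router currently sees against an approved inventory. The setting names (admin_password, remote_management and so on), the device MAC addresses and the password-strength heuristic for the Wi-Fi key are all assumptions made for illustration; real routers expose these options under different names in their admin pages.

```python
# Added example, not from the original page: audit a router's settings and the
# devices on the network against the six steps above. The setting names, the
# two configurations and the device lists are constructed; real routers expose
# these options under different names in their admin pages.

# Stand-in for the passwords printed on the router label or the vendor website.
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "1234"}

# Constructed: the router as found in a typical small office.
AS_FOUND = {
    "admin_password": "admin",
    "remote_management": True,
    "ssid_broadcast": True,
    "wifi_security": "WEP",
    "wifi_password": "office",
    "guest_network": False,
    "services_enabled": {"dhcp", "ftp", "upnp", "webdav"},
    "services_needed": {"dhcp"},
}

# Constructed: the same router after the six steps have been applied.
HARDENED = {
    "admin_password": "Rtr!2024-mainOffice#7",
    "remote_management": False,
    "ssid_broadcast": False,
    "wifi_security": "WPA2",
    "wifi_password": "Greengrocer$Ladder%47",
    "guest_network": True,
    "services_enabled": {"dhcp"},
    "services_needed": {"dhcp"},
}

# Constructed device inventory (MAC -> description) and what the router sees today.
APPROVED_DEVICES = {
    "aa:bb:cc:00:00:01": "reception PC",
    "aa:bb:cc:00:00:02": "office printer",
    "aa:bb:cc:00:00:03": "owner's laptop",
}
CONNECTED_NOW = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03", "de:ad:be:ef:00:99"}


def audit_router(cfg, approved=APPROVED_DEVICES, connected=CONNECTED_NOW):
    """Return a list of findings; an empty list means all six steps are in place."""
    findings = []
    # 1. Change the defaults
    pw = cfg["admin_password"]
    if pw in VENDOR_DEFAULT_PASSWORDS or len(pw) < 8:
        findings.append("router admin password is a vendor default or shorter than 8 characters")
    if cfg["remote_management"]:
        findings.append("remote configuration is enabled; manage the router from inside the network only")
    # 2. Hide your network
    if cfg["ssid_broadcast"]:
        findings.append("SSID broadcast is enabled")
    # 3. Protect your data (assumed heuristic for the Wi-Fi key: 8+ chars, not letters only)
    if cfg["wifi_security"] == "WEP":
        findings.append("Wi-Fi uses WEP; use WPA2 (or WPA where WPA2 is unavailable)")
    elif cfg["wifi_security"] != "WPA2":
        findings.append("Wi-Fi uses %s; prefer WPA2 where available" % cfg["wifi_security"])
    if len(cfg["wifi_password"]) < 8 or cfg["wifi_password"].isalpha():
        findings.append("Wi-Fi password is weak: use a longer mix of letters, numbers and symbols")
    # 4. Create a guest mode for visitors
    if not cfg["guest_network"]:
        findings.append("no separate guest network for visitors")
    # 5. Turn off features you don't use
    unneeded = sorted(cfg["services_enabled"] - cfg["services_needed"])
    if unneeded:
        findings.append("unneeded services enabled: " + ", ".join(unneeded))
    # 6. Keep an inventory of approved network devices
    unknown = sorted(connected - set(approved))
    if unknown:
        findings.append("unapproved devices connected: " + ", ".join(unknown))
    return findings


if __name__ == "__main__":
    print("as found:", audit_router(AS_FOUND))
    print("hardened:", audit_router(HARDENED, connected=set(APPROVED_DEVICES)) or "clean")
```

Running the audit on the as-found configuration produces one finding per step, including the unknown device that is not in the inventory; the hardened configuration, with only approved devices connected, produces none. The inventory comparison is the part worth automating on a schedule, since it is the one check whose answer changes without anyone touching the router.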
Being smart in the cloud
A cloud service can offer small businesses improved productivity, flexibility and reduced costs by delivering data storage services or applications such as accounting packages over the internet. While using these services can create new opportunities for your business, the cloud also introduces some security and privacy risks.
If you're using the cloud, the security and privacy of your data is largely in somebody else's direct control. Listed below are six key considerations to help you make smarter decisions about the cloud services you choose and how your staff use them.
- Read the Terms and Conditions
When you choose a cloud provider to deliver a service - be it managing your payroll or storing your data - you're effectively outsourcing a business activity. It's your responsibility to ensure that service provider is acting in your business's interest.
Take note of the legal jurisdictions your cloud service operates in, including country and region or state. Laws relating to data and intellectual property vary globally, so you'll need to know to which jurisdiction the terms and conditions of your cloud service apply in order to understand where legal disputes may arise and be heard.
Also consider whether and what data may be shared with third parties, when and how your business is notified of any service outages and what processes are in place, should a security breach occur.
- What are the access controls?
If more than one person in the business needs to access the cloud service, you need to make sure you can manage access appropriately for each individual or role type.
For example, with a cloud accounting service it may be important to segregate the access of your accounts payable and receivable staff. It's also unlikely all of your users need administrative rights to create and delete user accounts - this should be limited to those who genuinely need it.
It's important to revoke access of staff when they leave your business, given cloud services are accessible by anyone with an active user account and an internet connection. Make this part of the exit process for departing staff.
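An access review that applies the three points above, per-person access, limited admin rights and revocation for leavers, to a cloud service's user list is shown below. It is an added example, not code from Colonial First State or any cloud provider: it cross-checks an exported account list against the current staff list and an approved-administrator list, and flags one person holding both the accounts payable and accounts receivable roles. The account names, roles, staff list and dates are constructed; the dormant-account check at the end goes beyond the text and its 90-day threshold is an assumption.

```python
# Added example, not from the original page: an access review that applies the
# points above to a cloud service's user list. The accounts, staff list and
# roles are constructed; export the real ones from your provider and HR system.
from datetime import date

# Constructed: the user list exported from a cloud accounting service.
CLOUD_ACCOUNTS = [
    {"user": "alice@example.com.au", "roles": {"admin"}, "last_login": date(2024, 9, 2)},
    {"user": "bob@example.com.au", "roles": {"accounts_payable", "accounts_receivable"},
     "last_login": date(2024, 9, 1)},
    {"user": "carol@example.com.au", "roles": {"accounts_receivable"}, "last_login": date(2024, 6, 14)},
    {"user": "dave@example.com.au", "roles": {"admin"}, "last_login": date(2024, 8, 20)},
    {"user": "erin@example.com.au", "roles": {"accounts_receivable"}, "last_login": date(2024, 4, 1)},
]
# Constructed: who HR says currently works here (Carol left in June).
CURRENT_STAFF = {"alice@example.com.au", "bob@example.com.au", "dave@example.com.au", "erin@example.com.au"}
# Constructed: the people the business has decided genuinely need admin rights.
APPROVED_ADMINS = {"alice@example.com.au"}
# Role pairs one person should not hold together.
SEGREGATED_ROLES = [("accounts_payable", "accounts_receivable")]
# Constructed review date so the examples give stable results.
REVIEW_DATE = date(2024, 9, 10)


def review_access(accounts=CLOUD_ACCOUNTS, staff=CURRENT_STAFF, approved_admins=APPROVED_ADMINS,
                  today=REVIEW_DATE, dormant_days=90):
    """Return one finding per problem; an empty list means the user list is clean."""
    findings = []
    for account in accounts:
        user = account["user"]
        # Leavers: the exit process should already have revoked this account.
        if user not in staff:
            findings.append("%s: not on the current staff list, revoke access" % user)
            continue
        # Admin rights limited to those who genuinely need them.
        if "admin" in account["roles"] and user not in approved_admins:
            findings.append("%s: holds admin rights without approval" % user)
        # Segregation of duties, e.g. payable vs receivable.
        for first, second in SEGREGATED_ROLES:
            if {first, second} <= account["roles"]:
                findings.append("%s: holds both %s and %s, split these roles" % (user, first, second))
        # Assumed extra check beyond the text: an account nobody has used for a
        # while is a sign the access may no longer be needed.
        if (today - account["last_login"]).days > dormant_days:
            findings.append("%s: no login for over %d days, confirm access is still needed" % (user, dormant_days))
    return findings


if __name__ == "__main__":
    for finding in review_access():
        print(finding)
```

Run against the constructed data it reports four problems: Carol's account outliving her employment, Dave's unapproved admin rights, Bob holding both finance roles, and Erin's unused account. Running it as part of the exit process, and again at a regular interval, is what turns the advice above into something the business can evidence.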
- Secure your data
Your business data is one of your most important assets.
Ensure that your cloud provider encrypts all your data, both when it's at rest (i.e. held in storage) and in transit (i.e. being sent or received).
In-transit data is usually protected using HTTPS, a common communications protocol used across the internet. Cloud providers will list the use of HTTPS in the list of features on their website and in the Terms and Conditions.
Similarly, you should read about specific information pertaining to the type of encryption used when data is at rest (stored on the cloud provider's servers).
Using a cloud provider doesn't relieve you of your responsibility to protect business data.
Before committing to a cloud provider, make sure you can also create a local backup of your data. This helps protect your business data against the failings of your cloud service provider, whether caused by a security incident, a system failure or any other failure of their business.
- Security starts at the keyboard
Even the most secure systems in the world become vulnerable if not used correctly.
Remind your staff to use strong passwords and to log out when they've finished working. Ensure they can't disable the security software on their workstation.
- Keep tabs on your provider's practices
When you trust a cloud service provider with your data, you make assumptions that the provider is following solid processes for ensuring cloud systems are well maintained.
Confirm that your cloud service provider keeps its underlying IT infrastructure up-to-date with the latest security and reliability patches.
As your business grows, you will likely need to re-evaluate the risks associated with using a cloud service. You might, for example, negotiate access to system logs maintained by the cloud service provider so that you can monitor user access to your data, or investigate security incidents and service outages.