SecureStart – Business Essentials
- Joseph Rapley
- Jun 6
- 9 min read
Updated: Jun 30

In today’s digital world, even the smallest business can face serious security threats. Hackers, malware, and even simple mistakes can lead to data loss, downtime, and damage to your reputation. You don’t have to be a large corporation to be a target.
This guide is designed to help you take easy, practical steps that make a real difference. You’ll find clear, jargon-free advice on the essentials of business security. No specialist knowledge is required, just follow each section and tick off the key steps as you go.
By working through this guide, you will:
Understand which assets matter most and how to prioritise their protection
Learn how to secure personal and business accounts
See why multi-factor authentication and password managers are so effective
Discover how to spot phishing emails and avoid costly mistakes
Apply simple techniques to keep software, devices, and networks secure
Plan for backups, incident response, and appropriate user permissions
Use this guide as your first step toward stronger security. When you’re ready to test your current setup or want expert feedback, visit www.cyberoptic.co.nz — we’re here to help.
Understanding Your Business Assets
An important first step is to make sure you know about every computer-related asset your business uses. This includes physical devices such as laptops, servers, phones and network hardware; cloud-based systems such as hosted servers and storage; and non-physical services such as email and websites. Keeping a record of every asset your business uses lets you keep track of what needs to be secured.
Write down a list of all of these assets; something as simple as a spreadsheet will do. Alongside each asset, document additional information such as its purpose, location, date of installation, and anything else you think may be pertinent.
It is important to maintain this list and keep it up to date; add or remove assets as your business evolves. An up-to-date list ensures you are never in the dark about the systems your business relies on, and it becomes the basis for checking that every asset is appropriately secured.
Key Steps
🖥️ List all physical assets (computers, servers, mobile devices, office hardware)
☁️ List all digital assets (data, email, cloud services, business apps)
🔍 Score each asset from 1–5 based on the impact if it were lost or compromised
🔐 Prioritise security protections for your most critical assets
Securing Your Assets
Your physical and digital assets are only safe if you lock them down properly. For physical items like laptops, hard drives and paperwork, use lockable cabinets or drawers when you are away from your office. If devices are taken offsite, keep them in a secure bag or lock them to your bag with a cable lock. When leaving your desk for a short time, ensure that you lock the screen on your laptop.
Digital assets such as files, databases and cloud accounts also need simple protection. Make sure only the people who need access can get in; this is referred to as the principle of least privilege. When someone leaves your business, remove their access right away. Regularly check who can see sensitive folders and cloud drives.
Key Steps
🔒 Store laptops and documents securely when not in use
🧳 Secure offsite devices with bags or cable locks
👥 Limit user permissions to what is necessary
✅ Regularly audit access and remove permissions no longer required
Secure Configuration of Your Assets
Proper security starts with how you set up each asset, whether it’s a router, laptop or cloud service. Out-of-the-box settings are often designed for ease of use, not safety. Take a few minutes to check the basic security options on every device and service before you start using it.
For physical devices, change any default passwords (for example on routers or IoT gadgets) and enable built-in protections like automatic screen lock when idle. On software and cloud accounts, turn off features you do not need (such as remote access or open file sharing) and enable simple security options (like automatic updates and device firewalls).
Key Steps
🔑 Change all default passwords (e.g. routers, cameras, printers)
⚙️ Disable unused features like remote access, UPnP, or file sharing
🔄 Turn on automatic updates for operating systems and firmware
🛡️ Enable built-in firewalls on devices and routers
🔍 Review and adjust security/privacy settings in cloud platforms
Securing Your Personal Accounts
Your personal accounts can become an unexpected gateway into your business. If a personal email or social media account is compromised, it could be used to reset passwords, impersonate you, or gain further access.
Use a different, strong password for each personal account; a password manager makes this easy and secure. Never reuse work passwords for personal use. Enable automatic updates on all your personal devices, and regularly remove unused apps or browser extensions.
Avoid public Wi-Fi when accessing sensitive information. Instead, use your phone’s mobile hotspot, which is far safer and more private.
These steps help keep your personal life secure and protect your business at the same time.
Key Steps
🔐 Use unique passwords for each personal account
🔄 Enable automatic updates on phones, tablets, and laptops
🧹 Remove unused apps and extensions
📶 Use mobile hotspots instead of public Wi-Fi
Using Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) adds a vital layer of protection to your accounts. Even if your password is stolen, MFA can prevent unauthorised access.
Enable MFA on every account that supports it — especially for email, banking, social media, and cloud services. Use an app-based authenticator (like Authy or Google Authenticator) for stronger protection. While SMS codes are better than nothing, they are more vulnerable to SIM-swapping attacks.
Most MFA tools offer backup codes in case you lose your device. Store these securely, such as in a locked drawer or your password manager’s vault.
Key Steps
✅ Enable MFA on all accounts that offer it
📲 Use an app-based authenticator (e.g. Authy, Google Authenticator)
🚫 Avoid SMS-only codes where possible
🔐 Store backup codes securely in an offline or encrypted location
Ensuring Employees Follow Good Security Practices
Your staff are your first line of defence. A clear, simple policy can make a big difference. Start by writing a short security policy that covers things like password rules, device usage, and how to report a lost device or suspicious email. Make it part of your employee handbook and ensure new team members read and understand it.
Provide a basic security setup checklist for new starters — include steps like enabling MFA, setting up their password manager, and configuring devices safely. Encourage a culture of openness so employees feel comfortable reporting anything suspicious.
Supporting staff to use these practices in their personal lives also helps build better habits that benefit your business.
Key Steps
📘 Create a clear, easy-to-understand security policy
✅ Provide a new starter checklist for accounts and device setup
🗣️ Encourage reporting of unusual emails or lost gear
🧑‍💼 Lead by example — follow the same rules yourself
Use Password Managers and Strong Passwords
Strong, unique passwords are hard to keep in your head. A password manager solves this. Choose a trusted tool such as Bitwarden or 1Password and install it on all business devices.
Use the manager’s built-in generator to create long, random passwords, or use passphrases. Save any recovery keys and secure notes in the same vault. If you need to share a login, use the password manager’s sharing feature rather than emailing it or writing it down.
Key Steps
🔐 Choose a trusted password manager (e.g. Bitwarden, 1Password)
🔑 Use it to generate long, random passwords or passphrases
📁 Store recovery keys and sensitive notes in the vault
🔄 Use built-in tools to securely share credentials when needed
Spot and Avoid Phishing Scams
Phishing is the most common way adversaries get in. Always check the sender’s address for small typos or odd domains. If the greeting is generic (“Dear Customer”) instead of your name, treat the message with caution.
Do not click links you did not expect. Hover over them to see the real web address. Never reply with codes or passwords. If in doubt, call the sender on a known number to confirm the message is genuine.
Targeted phishing attacks are becoming more commonplace, and a successful one can cost your business money. If an email appears to come from a trusted source but asks you to transfer money, purchase items, or share sensitive information, confirm the request verbally with the person who supposedly sent it.
Key Steps
🧐 Check sender addresses for small typos or unfamiliar domains
📩 Watch out for vague or generic greetings
🔗 Hover over links to verify the actual URL
🛑 Never send passwords or security codes via email or text
📞 Confirm unusual requests with the sender directly
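The three checks above (sender domain, generic greeting, and the real address behind a link) applied to a constructed message, as an added example that is not part of the guide; the trusted domains and both sample messages are assumptions made up for the demonstration:

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse
# Domains this (constructed) business normally corresponds with; an assumption for the example.
TRUSTED_DOMAINS = {"cyberoptic.co.nz", "example-bank.co.nz"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir/madam")

def domain_of(value: str) -> str:
    """Lower-case host from an email address, a URL or a bare 'host/path' string ('' if none)."""
    if "@" in value:
        return parseaddr(value)[1].rsplit("@", 1)[-1].lower()
    if "://" not in value and re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", value, re.I):
        value = "http://" + value  # bare domain shown as link text
    return (urlparse(value).hostname or "").lower()

def lookalike(domain: str) -> str:
    """Trusted domain this one imitates (one typo, or the trusted name buried in a longer host), or ''."""
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return ""  # the trusted domain itself or one of its own subdomains
    for trusted in TRUSTED_DOMAINS:
        if trusted in domain or SequenceMatcher(None, domain, trusted).ratio() >= 0.8:
            return trusted
    return ""

def phishing_indicators(msg: dict) -> list:
    """Apply the section's checks to one message; each warning reads 'code: detail'."""
    warnings = []
    sender = domain_of(msg["from"])
    if lookalike(sender):
        warnings.append(f"sender-lookalike: {sender} imitates {lookalike(sender)}")
    if msg["body"].strip().lower().startswith(GENERIC_GREETINGS):
        warnings.append("generic-greeting: message is not addressed to you by name")
    for text, href in msg["links"]:
        shown, real = domain_of(text), domain_of(href)
        if shown and shown != real:  # the 'hover over the link' check
            warnings.append(f"link-mismatch: shows {shown} but goes to {real}")
    return warnings
# Constructed sample messages, not real mail.
SUSPICIOUS = {
    "from": "Accounts Team <accounts@exampIe-bank.co.nz>",  # capital I in place of l
    "body": "Dear Customer, your account is locked. Confirm at https://example-bank.co.nz/login now.",
    "links": [("https://example-bank.co.nz/login", "http://example-bank.co.nz.evil.example/login")],
}
LEGIT = {
    "from": "Joseph <joseph@cyberoptic.co.nz>",
    "body": "Hi Sam, the report you asked for is attached. Call me if anything is unclear.",
    "links": [("our site", "https://www.cyberoptic.co.nz/")],
}
```

Calling `phishing_indicators(SUSPICIOUS)` returns all three warnings, while the legitimate message returns none.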
Regular Backups
Even with strong security, things can still go wrong, which is why backing up your data is essential. Follow the 3-2-1 rule: keep 3 copies of your data, using at least 2 backup technologies, and keep 1 offsite (such as in the cloud).
Back up your data daily using both a local method (like an external hard drive) and a secure cloud solution. Every month, test your backups by restoring a file. If you can’t restore, your backup doesn’t count. Label each backup with the date to help find the version you need in an emergency.
Key Steps
💾 Back up data daily to both local and cloud/offsite storage
🔁 Test restore procedures monthly
🗂️ Label backups clearly with the date and contents
🛡️ Follow the 3-2-1 rule for effective redundancy
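A register-style check of the 3-2-1 rule and the monthly restore test described above, added here as an example and not part of the guide; the copies listed are constructed:

```python
from datetime import date

# Constructed register of every copy of the business data, the live copy included.
COPIES = [
    {"name": "office laptop", "medium": "disk", "offsite": False, "primary": True},
    {"name": "external drive", "medium": "disk", "offsite": False, "primary": False,
     "last_restore_test": date(2025, 3, 14)},
    {"name": "cloud backup", "medium": "cloud", "offsite": True, "primary": False,
     "last_restore_test": date(2025, 6, 10)},
]

def check_321(copies, today, max_test_age_days=31):
    """List the gaps between a register and the 3-2-1 rule plus the monthly restore test."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies; the rule wants 3")
    media = {c["medium"] for c in copies}
    if len(media) < 2:
        gaps.append(f"all copies use one technology ({', '.join(media)}); the rule wants 2")
    if not any(c["offsite"] for c in copies):
        gaps.append("no offsite copy; keep 1 (for example in the cloud)")
    for c in copies:
        if c["primary"]:
            continue  # the live copy is what you restore to, not a backup to test
        tested = c.get("last_restore_test")
        age = (today - tested).days if tested else None
        if age is None or age > max_test_age_days:
            when = f"{age} days ago" if age is not None else "never"
            gaps.append(f"{c['name']}: restore last tested {when}; if you can't restore, it doesn't count")
    return gaps

if __name__ == "__main__":
    for gap in check_321(COPIES, date.today()) or ["register meets 3-2-1 and restores are tested"]:
        print(gap)
```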
Keep Software and Systems Up to Date
Out-of-date software may be missing necessary security patches. Bugs that allow a network to be breached are found frequently in software and hardware, and unpatched systems are one of the easiest ways in for adversaries. Enable automatic updates on all operating systems, apps and firmware (including routers and firewalls).
Set a regular check-in to see whether any device failed to update. If something cannot update automatically (for example, specialised software), plan a manual patch day each month to keep everything current.
Key Steps
🔄 Turn on automatic updates for operating systems, apps, and firmware
✅ Check for missed or failed updates weekly
🗓️ Schedule a monthly patch day for manual updates
📝 Document your update processes and results
Lock Down Your Network
Devices such as printers, network storage, switches and routers often ship with default passwords that are the same for every unit from the manufacturer. If these are not changed, they give adversaries an easy way to gain access or move further through your network. Change any default passwords on routers and network devices to a strong, unique password.
For offices, consider segmenting your network so guest Wi-Fi is separate from your main business network. That way a visitor’s device cannot see your most sensitive systems.
Key Steps
🔑 Change all default passwords on network-connected devices and software
🌐 Create a separate guest Wi-Fi network
🔍 Regularly review and update network configuration settings
Encrypt Your Data
Encrypting data makes it unreadable if it falls into the wrong hands. Turn on device-level encryption on computers using features such as BitLocker on Windows. When enabling encryption, it is essential that the recovery codes are stored in a secure but accessible location. As with your data backups, recovery codes should be kept in multiple secure locations so they are always available when required.
For sensitive files in cloud storage, use a tool that encrypts them before they leave your computer. This way only people with the right key can open them, even if the cloud account is compromised.
Key Steps
🔒 Turn on full-disk encryption on all business devices
☁️ Use end-to-end encryption for sensitive cloud files
🔐 Store recovery keys in multiple secure locations
🧪 Verify encryption status regularly across all systems
Prepare an Incident Response Plan
Even with all precautions, incidents can happen. Prepare a simple plan that answers: Who do we call? What do we switch off? How do we inform customers?
Keep a printed copy of the plan in your office and a digital copy in your backups. Review the plan every six months and run a quick “tabletop” exercise to make sure everyone knows their role.
Key Steps
📝 Write a basic response plan with contact info and action steps
📄 Keep both printed and digital copies accessible
🔄 Review and update the plan every 6 months
🧑‍🤝‍🧑 Test the plan with a tabletop exercise
Your First Step Towards Stronger Security
By reading this guide, you’ve already taken an important step toward protecting your business. Security doesn’t have to be overwhelming. With small, consistent actions, you can reduce risk, protect your data and build trust with your customers.
You don’t need to do everything at once, but you do need to start. Choose one or two areas from this guide to improve each week. Talk to your staff. Update your devices. Enable MFA. Every small change adds up.
Need a second pair of eyes?
We help businesses test and improve their defences with practical, affordable penetration testing services.
Book a free consultation with us today.
Cyberoptic Security Limited