Mitigating the cyber-risk for your business

Businesses have traditionally either been overconfident in their cyber controls or buried their heads in the sand when it came to cyber security best practice, and the number of data breaches, from malicious hacking and from accidental disclosures by staff, has increased exponentially as a result. Business owners therefore need to make cyber security integral to their strategy; it’s not ‘just an IT issue’ anymore.


Any effort to create a cyber-resilient business has to be led by the business management team, which must recognise the growing complexity of the organisation’s digital presence and respond with an effective strategy to mitigate cyber risks. So how cyber-resilient is your business?


  • Do you know what the biggest cyber risks are in your industry?
  • Do you consider cyber risks during your strategic planning process? Is cyber integrated into your corporate risk management framework?
  • Do you know what to do when you have been breached?
  • How effective is your internal capability to manage these increased cyber risks?
  • Do you have effective cyber security awareness training across all levels in your organisation?
  • Do you know what the costs will be for your organisation to respond to and recover from a serious cyber incident?

With a rise in high-profile cyber attacks across the country, particularly within the health sector, it is important to make sure you have access to the right information to make informed decisions about your business’s cyber risk.


We know SME owners have it tough – you’ve got a million and one things to worry about – but the cyber risk profile has changed, particularly in light of Covid and our increased reliance on remote access and digital platforms. Below are three relatively simple strategies you can implement as a good starting point to mitigate your business’s cyber risks.


Online password manager

As business management continues its great migration into the cloud, it is vital to use a unique, complex password for each of the online sites you use. Since we have so many sites to access these days, it is hard to keep track of lots of different passwords, and an online password management app is a great tool for this. Not only do these apps securely store your passwords, they can generate strong passwords for you and sync them across a range of devices. Often they let you group passwords into folders that you can share with your colleagues – perfect for a temporary locum, for example. This can be particularly useful for your accounting software or patient records, where you may want a staff member to have basic access for administrative purposes but don’t want them to know the master password for the account.


Two-factor authentication

Two-factor authentication is a control that requires identity confirmation via two separate means before allowing remote access to confidential information. Most often this takes the form of entering your password as usual, backed up by a notification from an app on your mobile phone asking you to approve the login and confirm it’s actually you. Without this secondary approval no access is granted, which provides another layer of protection for your systems. This should be implemented for any staff who need to access your booking systems, patient records or patient contact details remotely.
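The article describes the push-approval form of two-factor authentication. The code-based form used by authenticator apps works on the same principle, and the following added example (written for this page, not code from the article or from BDO) shows the server side of it: a time-based one-time password (TOTP, RFC 6238) is derived from a shared secret and the current 30-second window, and a login is only accepted when both the password check and the code check pass. The `password_ok` flag and the `login` function are assumed stand-ins for whatever the real system uses.

```python
"""Server-side second-factor check using TOTP (RFC 6238).

Added illustration of how an authenticator-app code is verified; the
secret, step size and digit count follow the RFC defaults. Not the
article's own code.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # one code per 30-second window
DIGITS = 6          # six-digit codes, as shown by most authenticator apps


def new_secret() -> str:
    """Generate a fresh base32 shared secret to enrol in an authenticator app."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def totp(secret_b32: str, for_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Compute the TOTP code valid at `for_time` (seconds since the epoch)."""
    key = base64.b32decode(secret_b32)
    counter = int(for_time) // step                      # which 30-second window
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_code(secret_b32: str, submitted: str, now: float = None, window: int = 1) -> bool:
    """Accept the submitted code if it matches the current window or one either side.

    Comparison is constant-time, and the +/-1 window tolerates small clock drift
    between the phone and the server without accepting old codes indefinitely.
    """
    now = time.time() if now is None else now
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(password_ok: bool, secret_b32: str, submitted_code: str, now: float = None) -> bool:
    """Grant access only when BOTH factors succeed (assumed stand-in for a real login)."""
    return bool(password_ok) and verify_code(secret_b32, submitted_code, now)


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890" in base32), not a real credential.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    code = totp(demo_secret, time.time())
    print("current code:", code)
    print("password + current code ->", login(True, demo_secret, code))
    print("password + wrong code   ->", login(True, demo_secret, "000000"))
    print("no password + right code ->", login(False, demo_secret, code))
```

Note the acceptance window: a code from two or more windows ago is rejected even though it was once valid, which is what stops a code captured from a phishing page from being replayed later.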


Staff training

Staff awareness of cyber security scams is vital, especially as so many of us now work increasingly from home. Text phishing is increasingly widespread and is being used against companies already strained by Covid. During lockdowns it’s harder for people to check whether an email or text is legitimate: they may not be in as close contact with their colleagues, and they are possibly also stressed, which affects their attention to detail and makes phishing more likely to succeed. There are some great tools available to send simulated phishing emails to your staff, to test whether they have sufficient knowledge to keep your business data safe. It’s a clever option as part of ongoing staff training. Staff should also know:


  • What to do with a suspected scam email, and some key tips on how to spot one (the email is unexpected, the sender’s email account is unusual, the content directs you to take further action, etc.)
  • How to check the legitimacy of a hyperlink in an email
  • The importance of keeping their social media accounts private, and being mindful about what they share online
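The second item in the list, checking the legitimacy of a hyperlink, comes down to one habit: compare the address a link displays with the address it actually points to. The following added example (written for this page, not code from the article or from BDO) automates that comparison over an HTML email body, flagging links whose visible text names one site while the `href` goes to another, links to raw IP addresses, and links that are not HTTPS. The sample email and every domain in it are constructed placeholders.

```python
"""Flag hyperlinks in an HTML email that deserve a second look.

Added illustration of the "check the legitimacy of a hyperlink" tip.
The sample message below is constructed; the domains are placeholders.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an honest link, a link whose visible text and target
# disagree, and a link to a bare IP address.
SAMPLE_EMAIL = """
<p>Your invoice is ready. <a href="https://billing.example-practice.co.nz/inv/42">View invoice</a></p>
<p>Please confirm your login at <a href="http://account-verify.example.net/login">https://portal.example-practice.co.nz</a></p>
<p>Download the update from <a href="http://203.0.113.10/setup.exe">our support site</a></p>
"""

# Matches visible link text that itself looks like a URL or domain name.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Rough 'which organisation owns this name' reduction: last two labels,
    or three when a two-label suffix such as co.nz is involved. A heuristic
    for illustration; a production tool would use the public suffix list."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "net", "ac", "govt"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href: str, text: str) -> list:
    """Return the reasons this link looks suspicious (empty list means none found)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append(f"not HTTPS (scheme is '{parsed.scheme or 'none'}')")
    if is_ip_literal(host):
        reasons.append("destination is a raw IP address rather than a named site")
    if URL_LIKE.match(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"displays '{shown}' but points to '{host}'")
    return reasons


def audit_email(html: str) -> list:
    """Return [(href, visible_text, reasons)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL):
        print(f"[{'CHECK' if reasons else 'OK'}] {text!r} -> {href}")
        for reason in reasons:
            print("        -", reason)
```

The mismatch between displayed and actual address is the signal to teach: a link can say anything, and only the destination matters. Hovering over the link in a mail client shows the same `href` this script reads.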

Increasing education among staff, and making it a regular activity, is essential for keeping your systems secure. So is enabling multi-factor authentication, keeping protection updates current on all devices, and sending out regular internal communications about new scams so people know what to look for. These are all actions you can take to reduce your cyber risk. All three of the strategies above should be implemented both in the workplace and on home devices wherever possible, to cover all possible breach points and give your business robust cyber security.



David Pearson is an advisory partner with chartered accountant and business advisors BDO Hawke’s Bay. He has a special interest in providing advisory services to the optometry sector and extensive experience assisting businesses within this sector. Contact David at or visit

