...

Easy Mode

Get it Done

The Journey

Think about who, what, why, when:

  • What data do you store?

  • What data do you collect from your customers?

  • Where do you store that data? (Paper? Laptop? Cloud?)

  • Who in your business has access to that data?

  • What do you do with that data?

  • Where do you send that data?

Make lists of data, people, software, logins, hardware, devices:

  • Answer the Five Knows in notes to yourself.

  • Tip: If you have a Password Manager, use that as the list of Software, and make notes about what the software does, who accesses it, how much it costs, and when it is due for renewal.

  • Check your Router for which devices are connected to it, as the starting point for which hardware you have. Don’t forget backup / redundant devices.

Start some Registers:

  • A Register of Software used

  • A Register of all Laptops, Phones, iPads, and any device connected to the internet. Include your home if you do a lot of work at home.

  • A register of all places data is stored, and what data is stored there, eg Dropbox, Google Drive, Xero…

  • Keep these registers in a place and format that can be easily updated.

  • You will want a tool that will scan your network to show all the devices connected.

Think about what you would like to be doing better.

Write down something about what being better at cybersecurity will look like.

Plan how you are going to bring your staff along on this journey.

...

Easy Mode

Get it Done

The Journey

  • Is your business email tied to your Domain Name? Or are you using a public email provider like Gmail, or your ISP’s webmail?

    • A friend recently found that she could no longer do email marketing from Mailchimp as she had been using her ISP email address as her business email address, and many email accounts will no longer allow bulk email to be received from domains that are not set up with the right security.

  • Your team does not log into another team member’s email. You have procedures in place for dealing with emails while a team member is away, or after they have left. (Eg see Google’s help docs for how to do this in Google Workspace, and M365, but you are not alone if you find all of Microsoft’s documentation impenetrable and you need your Technical Advisor’s assistance.)

  • Understand the key terms you need to know to be more secure with your Email. ASD has a great reference page on this topic.

  • The UK Gov has a good page with examples of phishing emails that may be helpful.

  • Don’t click on links from emails you are not expecting. If you are using Chrome, Google should spot a malicious website, but it’s the seemingly legit websites that can be tricky.

  • Use some URL tips and tricks to check the URL if it is something you are not quite sure about but really want to open.

  • I have an email scanning tool linked to my main email account. I use Guardz, which is great, and cost effective. Bleach Cyber is another similar tool.

  • Your email may have some built in settings to help reduce spam that gets to your inbox. Check with your Technical Advisor.

  • Training for your team must include topics on best email practices. At a minimum, the ASD website has some great content. Cyber Wardens is a good program to enrol your team in, and my email scanning tool, Guardz, has cybersecurity awareness training built in.

  • If you want to buy additional email training, there are some great options out there (Huntress, My Business, and Cyber Eclipse), but remember: we don’t blame team members who click on links, we educate.

  • You have your DMARC, DKIM, and SPF settings all set on all the domains your business uses for email.

  • Your Email Marketing tool has those settings verified and you can send your bulk emails without half of them bouncing.

  • You will have up to date, or automated patching of your email software.

  • You will have a vulnerability scanner for your email (and other business systems software).

    • Your Technical Advisor can suggest some advanced settings on your M365. (And no, the Australian Government’s Essential 8 does not give advice for any other platform than Microsoft 365, so talk to your Technical Advisor if you use Google Workspace. But Google has some documentation, and here is an easy to read guide.)
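The DMARC, DKIM and SPF checks above are easy to get subtly wrong: a record can exist and still do nothing useful (an SPF record ending in `+all`, a DMARC policy of `p=none`, a DKIM selector whose key has been revoked). The script below, added here as an example and not code from the original page or from Guardz, parses the three record types and lists the weak settings a receiving mail server would notice. The TXT records in `SAMPLE_RECORDS` are constructed for the example; in practice you would paste in the output of `dig +short TXT example.com`, `dig +short TXT _dmarc.example.com` and `dig +short TXT <selector>._domainkey.example.com`, and the selector names are whatever your email provider and marketing tool told you to publish.

```python
"""Audit SPF, DMARC and DKIM TXT records for the weak settings that cause
bounces and allow spoofing.  All records below are constructed samples."""
import re

# Constructed sample TXT records, keyed by the DNS name they would live at.
SAMPLE_RECORDS = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"],
}

def parse_spf(txt):
    """Return the SPF mechanisms and the qualifier on the 'all' term, or None if not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    result = {"mechanisms": [], "all": None}
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            result["all"] = m.group(1) or "+"  # no qualifier means "+" (pass)
        else:
            result["mechanisms"].append(term)
    return result

def parse_dmarc(txt):
    """Return DMARC tag=value pairs as a dict, or None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess_email_auth(domain, records, dkim_selectors=("google",)):
    """Return a list of findings for a domain's SPF, DMARC and DKIM records."""
    findings = []
    # SPF: exactly one record, ending in -all or ~all, within the 10-lookup limit
    spf_txt = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf_txt:
        findings.append("SPF: missing")
    elif len(spf_txt) > 1:
        findings.append("SPF: multiple records (receivers treat this as a permanent error)")
    else:
        spf = parse_spf(spf_txt[0])
        if spf["all"] is None:
            findings.append("SPF: no 'all' term, unlisted servers are not rejected")
        elif spf["all"] in ("+", "?"):
            findings.append("SPF: '%sall' does not protect the domain" % spf["all"])
        lookups = sum(1 for m in spf["mechanisms"]
                      if re.match(r"(include:|a(\b|:)|mx(\b|:)|exists:|redirect=)", m, re.I))
        if lookups > 10:
            findings.append("SPF: %d DNS lookups exceeds the limit of 10" % lookups)
    # DMARC: a real policy, plus a reporting address so you actually see failures
    dmarc = [parse_dmarc(r) for r in records.get("_dmarc." + domain, [])]
    dmarc = [d for d in dmarc if d]
    if not dmarc:
        findings.append("DMARC: missing")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; move to quarantine or reject")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: policy tag missing or invalid")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua address, you receive no aggregate reports")
    # DKIM: each selector your senders use must publish a non-empty public key
    for sel in dkim_selectors:
        name = "%s._domainkey.%s" % (sel, domain)
        key = None
        for r in records.get(name, []):
            m = re.search(r"(?:^|;)\s*p=([^;]*)", r)
            if m:
                key = m.group(1).strip()
        if key is None:
            findings.append("DKIM: no key at %s" % name)
        elif key == "":
            findings.append("DKIM: empty key at %s (revoked)" % name)
    return findings

if __name__ == "__main__":
    for f in assess_email_auth("example.com", SAMPLE_RECORDS) or ["no findings"]:
        print(f)
```

Run against the sample, the only finding is the `p=none` DMARC policy, which is exactly the state many businesses sit in for years: reports arrive, but spoofed mail is still delivered.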

Who looks after your Website?

  • Does it have the latest version of your website software (eg WordPress)?

  • Are all the plugins and themes updated to their latest version?

  • Who checks this at least monthly?

  • Who checks that the website is up and working as intended?

  • Who checks that the privacy policy on your website is accurate and reflects what your business does?

  • Does your website have a login function for clients, or a shopping cart, or do you store client data? (if so, the scope of this document is not enough, so talk to your Technical Advisor).

    • Even your Contact Us form will store data by default, and that data should be deleted after you have dealt with the Contact request.

  • Does your website have other apps that link in to it? Like Email Marketing, a Booking System, or similar. These services are just as important as your website, so make sure your Technical Advisor knows about them and how everything works.

  • By now, hopefully, you have implemented an SSL certificate on your website. Note down the expiry date of the certificate so you can be sure to renew it.

  • Set up a website scanning tool to monitor your website and ensure it is free from malware and other issues. I use https://sucuri.net/ but your website hosting provider may have it included also.

  • Think about the difference between data and content. Data does not belong on your website. Data you collect should be removed as soon as practical after you have done something with it. Many forms tools have an auto delete function.

  • Who else has Admin access to your Website?

    • Your Website Host

    • Your Website Developer

    • Your SEO specialist

    • Your Shopping Cart specialist

    • Your Integration Specialist

  • What level of access to your website do your staff have?

    • Why do they need Admin access?

  • Where is your website hosted?

    • Does your hosting provider provide details of when their systems have last been updated and patched?

    • Do you have a dedicated server? Do you know what the hosting company does for patching and updates, or do you have to look after some aspects of this yourself?

  • Do you have someone actively looking after your website, and ensuring it is regularly updated and all the plugins updated and working smoothly?

  • Is there a way you can have your SSL certificate updated automatically so it doesn’t expire?

If you are at this level, your website is most likely a key part of your service delivery, and is not treated differently from any of your other critical business systems.

  • See my page on Websites and Salesforce for more technical details as to how a website can work as the basis for your whole business systems.
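Two of the points above, noting the certificate expiry date and having it renewed automatically, come down to one number: how many days are left. The script below is an added example, not code from the original page, that computes that number from the `notAfter` field Python's `ssl` module returns, and reports `ok`, `renew` or `expired` against a warning threshold. `SAMPLE_CERT` is a constructed certificate record with a made-up date; `fetch_cert` fetches the real certificate of a site you name on the command line and needs network access, so it is separate from the offline checks.

```python
"""Report how many days remain on a TLS certificate and whether it is time to
renew.  SAMPLE_CERT is constructed for this example; fetch_cert() is the
network path for a real site."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# ssl.getpeercert() returns 'notAfter' in exactly this format.  This value is
# constructed, not taken from a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notAfter": "Jun 12 23:59:59 2025 GMT",
}

def days_until_expiry(cert, now=None):
    """Whole days from `now` (default: current UTC time) until the certificate's notAfter.
    Negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # epoch seconds, input read as UTC
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((expires - now_ts) // 86400)

def renewal_status(cert, now=None, warn_days=30):
    """'expired', 'renew' (within warn_days of expiry) or 'ok'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "renew"
    return "ok"

def fetch_cert(hostname, port=443, timeout=5):
    """Fetch the live certificate for a host using a default (verifying) TLS context."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # usage: python cert_expiry.py www.yourdomain.example   (no argument uses the sample)
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_cert(host) if host else SAMPLE_CERT
    print(host or "sample", renewal_status(cert), days_until_expiry(cert), "days left")
```

The 30-day threshold matches the usual automated renewal window; if the status ever reads `renew` for a site that is supposed to renew itself, the automation has stopped working and the date in your register is the only thing that will catch it.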

Your Domain Name is the gateway to your business.

  • Who is the Domain Reseller?

  • Are the Domain contact details up to date (and in your name)?

  • What is the expiry date of the Domain?

  • Do you have the domain set to auto renew? And is the credit card up to date?

  • Who do the important domain related emails come to? How do you ensure they don’t get missed?

  • Do you own the domain names for every aspect of your business (eg every trading name)?

  • Do you own the domain names for misspellings or similar names? The ASD has some good advice.

  • Do you own the .au domain for your business?

  • Is your personal email sent to your business domain? (A friend recently retired and gave up her registered business name. Unfortunately that meant she could no longer keep her .com.au domain that she had been using for 20+ years as her only email address. Don’t let this be a thing you have to think about changing in your elderly years!)

  • Who hosts your DNS?

    • That may be different from your Domain Registrar, and it even may be different from your Website Host.

    • Know where it is hosted, and know how to update it when needed.

  • Are your DNS records correct?

    • After many years there may be A records, or TXT records that are no longer in use. Ensure they are updated to be relevant for your business now.

    • My security scanning tool, Guardz, tells me about random DNS records that may need looking into.

  • Are all your domains redirected to your main website?

There are many more considerations for Domains as your business gets larger or more technically complicated. Your Technical Advisor will be able to help. Here is a good guide for DNS related issues.

Step 5 - Business Applications

I’m not going to distinguish between software installed on your PC, Mac, or Laptop from apps installed on your mobile devices, or from any cloud services that you log into from any device. Any application you use for your business (or even home use, if you have a device that does both business and personal) is included in this section.

Easy Mode

Get it Done

The Journey

  • Do you know all of the devices on your business network?

    • This includes desktops, laptops, mobile phones, game devices, TVs, thermometers, fridges, coffee machines, robovacs, door locks - anything connected to the internet.

  • Implement an Asset Register to record details of every device connected to your network, especially if they hold client data.

  • You may want to have some form of MDM (Mobile Device Management) solution to remotely update and / or wipe business owned devices.

    • Both Apple and Google have solutions, but you may need a third party solution if you have a mix of devices in your business.

  • You will want an auto discovery tool on your network to tell you every device that is connecting to your network.

  • Do you know all the applications your business uses?

    • You would have already done this when you looked at your passwords, but there are other applications that may not need a password, eg applications installed on your device.

    • Which applications do you think are “mission critical”, or really important for your business?

  • Which applications can you delete?

    • Old software that is not in use anymore.

      • Do you need to export data from it before you delete it?

    • Trial versions that you never used.

  • What is installed on other users' devices?

    • Is there anything on there that you didn’t know they were using?

    • Is it something to delete, or make a part of the standard business systems for your business?

  • Which applications store business critical data?

  • Which applications store client data?

  • Are all these applications up to date for the latest versions, or if you have chosen to not upgrade to the latest version, are there any security patches from the vendor that they require or recommend?

    • If you choose to not update an application to the latest version, document the reasons why.

  • Add all the applications you discovered, especially the ones that are business critical or hold client data, to a register of digital assets for your business.

  • You will want to implement some form of automated Application Allow Listing (previously known as Whitelisting).

  • What happens if you lose your phone?

  • Have automatic updates turned on for all applications on your mobile devices.
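The first two points of this list, knowing every device on the network and keeping an Asset Register, only pay off when you regularly compare the two. The script below is an added example, not code from the original page, that reconciles a router's connected-device export against the register: anything the router sees that is not registered is an unknown device to investigate (the ESP_COFFEE and the nameless device in the sample), and anything registered that the router did not see is either off, stale, or gone. Both CSV inputs are constructed for the example; real routers export MAC, IP and hostname in varying layouts and MAC spellings, which is why the MACs are normalised before comparison.

```python
"""Reconcile the devices a router sees against the business asset register.
Both data sets below are constructed for this example."""
import csv
import io
import re

# Constructed export of the router's connected-device list.  Column names and
# MAC spelling vary by router, which is what normalise_mac() absorbs.
ROUTER_EXPORT = """\
mac,ip,hostname
A4-83-E7-12-34-56,192.168.1.10,reception-laptop
a4:83:e7:ab:cd:ef,192.168.1.11,owner-phone
3C:22:FB:00:11:22,192.168.1.40,ESP_COFFEE
00:1A:2B:3C:4D:5E,192.168.1.50,
"""

# Constructed asset register: one row per device the business knows about.
ASSET_REGISTER = """\
mac,owner,type,holds_client_data
A4:83:E7:12:34:56,Reception,Laptop,yes
A4:83:E7:AB:CD:EF,Owner,Phone,yes
B8:27:EB:99:88:77,Office,Printer,no
"""

def normalise_mac(mac):
    """Turn any common MAC spelling (colons, dashes, dots, mixed case) into
    upper-case colon form, or None if it does not contain 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac or "")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def load_rows(text):
    """Parse a CSV export with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(router_csv, register_csv):
    """Return (unknown, missing): devices on the network that are not in the
    register, and registered devices the router did not see."""
    seen = {normalise_mac(r["mac"]): r for r in load_rows(router_csv)}
    known = {normalise_mac(r["mac"]): r for r in load_rows(register_csv)}
    seen.pop(None, None)   # drop rows whose MAC could not be parsed
    known.pop(None, None)
    unknown = [{"mac": m, "ip": r["ip"], "hostname": r["hostname"] or "(none)"}
               for m, r in seen.items() if m not in known]
    missing = [{"mac": m, "owner": r["owner"], "type": r["type"]}
               for m, r in known.items() if m not in seen]
    return unknown, missing

if __name__ == "__main__":
    unknown, missing = reconcile(ROUTER_EXPORT, ASSET_REGISTER)
    for d in unknown:
        print("UNKNOWN  %(mac)s  %(ip)-15s %(hostname)s" % d)
    for d in missing:
        print("NOT SEEN %(mac)s  %(owner)s %(type)s" % d)
```

Run it after each router check (or from a scheduled task if your router can export the list), and treat every UNKNOWN line as a register entry to create or a device to remove from the network.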