Page Comparison

As you go through your day, think about your passwords.

• What is this password protecting? (your banking, payroll, client documents).

• Is it a good password?

• When did you last change it?

• How did you know this password? (eg memory, stored in your browser, written on a post it note).

• Is it unique? (yes, really unique!).

• Who else, apart from you, uses this same login and password? (eg do staff members who have left the business still know this password?).

• Does this login also have Multi Factor Authentication?

• What type of MFA (eg sends a text message, uses an authenticator app).

• Change any passwords that are not unique.

• Change any passwords that have not been changed in 12 months.

• Turn on MFA everywhere you can. If there is an option for MFA that is not text or email based, then choose that first.

• Ensure all Social Media accounts, and your main Email / Office account has MFA.

• Make a note in your password manager for those passwords where you can’t use MFA (eg banking), but what protection do they have (eg text message for new suppliers).

It may be time to start setting up Single Sign On (SSO) for your main systems. Both Microsoft and Google can be set up for SSO.

• Also think about hardware keys (eg Yubikey) for your main accounts rather than push or authenticator based MFA on your phone.

Start using a Password Manager, even the free version of LastPass.

• Think about getting a team plan of LastPass or 1Password and get your whole team, and even family onboard.

• Set up a long passphrase for logging into your Password Manager - but don’t forget it! There is no way to re-set your password for a Password Manager if you don’t already know your existing password.

• Ensure passwords are not saved in your browser anymore (the setup for the password manager should help with this).

• Set up your Password Manager to be on your Phone and in your Browser.

• When you need to share a password with someone, how do you do it? (

Get onto the team plan of LastPass or 1Password.

• Ensure no passwords are saved in your browser.

• Use the change password feature of your password manager to update passwords.

• Shared logins are marked as such, and shared with only the team members that need them.

• Each team member should have their own logins to all services.

• Get the family onto a Password Manager also.

• Keep business and personal passwords separate (eg LastPass for personal and family sharing, 1Password for the team).

• Who has access to your business passwords in case of your death or incapacitation - especially the passwords that are needed to have the business run in your absence.Store backup login codes separately to your

  • Eg if you are the only one who can release payroll, then you may need to have someone designated and approved by your bank to release payroll in your absence.

• Store backup login codes separately to your logins.

• Set up Time Based Authentication (TOTP) separately to your Password Manager.

• Eliminate Shared Logins where possible.

• Ensure Logins and Passwords are disabled as soon as a team member leaves.

• Is your business email tied to your Domain Name? Or are you using a public email provider like gmail, or your ISP’s webmail?

  • A friend recently found that she could no longer do email marketing from Mailchimp as she had been using her ISP email address as her business email address, and many email accounts will no longer allow bulk email to be received from domains that are not set up with the right security.

• Your team does not log into another team member’s email. You have procedures in place for dealing with emails while a team member is away, or after they have left. (Eg see Google’s help docs for how to do this in Google Workspace, and M365, but you are not alone if you find all of Microsoft documentation impenetrable, and you need your Technical Advisor’s assistance).

• Understand the key terms you need to know to be more secure with your Email. ASD has a great reference page on this topic.

• The UK Gov has a good page with examples of phishing emails that may be helpful.

• Don’t click on links from emails you are not expecting. If you are using Chrome, Google should spot a malicious website, but it’s the seemingly legit websites that can be tricky.

• Use some https://tddprojects.atlassian.net/wiki/pages/createpage.action?spaceKey=CYZ&title=URL%20Tips%20and%20Tricks&linkCreation=true&fromPageId=3011117160 to check the URL if it is something you are not quite sure about but really want to open.

• I have an email scanning tool linked to my main email account. I use Guardz, which is great, and cost effective. Bleach Cyber is another similar tool.

• Your email may have some built in settings to help reduce spam that gets to your inbox. Check with your Technical Advisor.

• Training for your team must include topics on best email practices. At a minimum, the ASD ACSC website has some great content. Cyber Wardens is a good program to enrol your team in, and my email scanning tool, Guarz, has cybersecurity awareness training built in.

• If you want to buy additional email training, there are some great options out there, Huntress, My Business, and Cyber Eclipse but remember, we don’t blame team members who click on links, we educate.

• You have your DMARC, DKIM, and SPF settings all set on all the domains your business uses for email.

• Your Email Marketing tool has those settings verified and you can send your bulk emails without half of them bouncing.

• You will have up to date, or automated patching of your email software.

• You will have a vulnerability scanner for your email (and other business systems software).

  • Your Technical Adviser can suggest some advanced settings on your M365. (And no, the Australian Government’s Essential 8 does not give advice for any other platform than Microsoft 365, so talk to your Technical Advisor if you use Google Workspace. But Google has some documentation and here is an easy to read guide.

Who looks after your Website?

• Does it have the latest version of your website software (eg WordPress)

• Are all the plugins and themes updated to their latest version?

• Who checks this at least monthly?

• Who checks that the website up and working as intended.

  • If your website looks suss, I recommend using a service like https://sucuri.net/ to get you out of trouble.

  • Other services like https://www.wpbutler.com.au/ provide one-off or ongoing help at reasonable prices.

• Who checks that the privacy policy on your website is accurate and reflects what your business does?

• Does your website have a login function for clients, or a shopping cart, or do you store client data? (if so, the scope of this document is not enough, so talk to your Technical Advisor).

  • Even your Contact Us form will store data by default, and should be deleted after you have dealt with the Contact request.

• Does your website have other apps that link in to it? Like Email Marketing, a Booking System, or similar. These services are just as important as your website, so make sure your Technical Advisor knows about them and how everything works.

• By now, hopefully, you have implemented a SSL certificate on your website. Note down the date of expiry of the certificate so you can be sure to update it.

• Set up website scanning tool to monitor your website and ensure it is free from malware and other issues. I use https://sucuri.net/ but your website hosting provider may have it included also.

• Think about the difference between data and content. Data does not belong on your website. Data you collect should be removed as soon as practical after you have done something with it. Many forms tools have an auto delete function.

• Who else has Admin access to your Website?

  • Your Website Host

  • Your Website Developer

  • Your SEO specialist

  • Your Shopping Cart specialist

  • Your Integration Specalist

• What level of access to your website do you staff have?

  • Why do they need Admin access?

• Where is your website hosted?

  • Does your hosting provider provide details of when their systems have last been updated and patched?

  • Do you have a dedicated server? Do you know what the hosting company does for patching and updates, or do you have to look after some aspects of this yourself?

• Do you have someone actively looking after your website, and ensuring it is regularly updated and all the plugins updated and working smoothly?

• Is there a way you can have your SSL certificate updated automatically so it doesn’t expire?

If you are at this level, your website is most likely a key part of your service delivery, and is not treated differently from any of your other critical business systems.

• See my page on Websites and Salesforce for more technical details as to how a website can work as the basis for your whole business systems.

Your Domain Name is the gateway to your business.

• Who is the Domain Reseller?

• Is the Domain contact details up to date (and in your name).

• What is the expiry date of the Domain?

• Do you have the domain set to auto renew? And is the credit card up to date?

• Who do the important domain related emails come to? How do you ensure they don’t get missed?

• Do you own the domain names for every aspect of your business (eg every trading name).

• Do you own the domain names for miss-spelling or similar names? The ASD ACSC has some good advice.

• Do you own the .au domain for your business?

• Is your personal email sent to your business domain? (A friend recently retired and gave up her registered business name. Unfortunately that meant she could no longer keep her .com.au domain that she had been using for 20+ years as her only email address. Don’t let this have to be a thing you have to think about changing in your elderly years!

• Who hosts your DNS?

  • That may be different from your Domain Registrar, and it even may be different from your Website Host.

  • Know where it is hosted, and know how to update it when needed.

• Are your DNS records correct?

  • After many years there may be A records, or TXT records that are no longer in use. Ensure they are updated to be relevant for your business now.

  • My security scanning tool, Guardz tells me about random DNS records that may need looking into.

• Are all your domains redirected to your main website?

There are many more considerations for Domains as your business gets larger or more technically complicated. Your Technical Advisor will be able to help. Here is a good guide for DNS related issues.