CIO

Keeping yourself, your business and your clients safe online: Lessons from Xero


At Xero, where I am head of security, we are fully aware of the email and invoice fraud and account compromises targeting small businesses and the accounting and bookkeeping industry. As more and more businesses manage their operations and do business online, it is important that they keep their data safe.

Statistics from security software vendor Norton show that cybercrime costs more than $126 billion a year globally and more than 680 million people have been victims of online crime. A large proportion of these cyber attacks originate from email - including phishing, ransomware and malware delivery. And these figures are on the rise.

Because of this, it's never been more important for all businesses operating online to raise the priority of online security and safety, and to ensure everyone in their organisation is aware of and adhering to best-practice guidelines. This isn't a nice-to-have anymore; it's a basic necessity of running a business, whether working on desktop or using cloud technology.

When it comes to cyber security, businesses need to take practical steps to minimise the risks of being hacked. Like a hospital is charged with protecting patient security, businesses need to keep their data, and their customer and client data safe. The saying goes, a chain is no stronger than its weakest link. This goes for the people in every organisation who operate online. Whether you are a CEO, a CIO, a tech company or a small business owner, cybersecurity is everyone’s responsibility.

Understanding what to do to avoid an attack and how to avoid becoming a target will help.


How are hackers getting in?

There are a number of ways business may be targeted. They include:

  • Via hacked email accounts, which are then used to send out fraudulent invoices that look just like the real thing, but with a fraudulent payment bank account number

  • With a phishing email to steal information like your usernames and passwords, credit card details, and bank account numbers

  • Or a bogus invoice email containing links and/or attachments that deliver malicious software to your PC, such as ransomware or password stealers
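The first attack pattern above, an invoice from a genuine (but compromised) supplier mailbox with only the bank account changed, is the one that slips past sender checks. The following added example (not Xero's code) shows the defender-side control an accounts team can automate: compare each incoming invoice against the supplier record on file and flag any bank-account or sender-domain change for out-of-band verification. The supplier names, domains and account numbers are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    email_domain: str   # domain the supplier normally invoices from
    bank_account: str   # account on file, verified out of band (e.g. by phone)


@dataclass(frozen=True)
class Invoice:
    supplier_name: str
    sender_email: str
    bank_account: str
    amount: float


def normalise_account(acct: str) -> str:
    # Strip spaces and dashes so "12-3456-7890123-00" and "12 3456 7890123 00" compare equal.
    return "".join(ch for ch in acct if ch.isalnum())


def check_invoice(inv: Invoice, suppliers: dict[str, Supplier]) -> list[str]:
    """Return warnings for an incoming invoice; an empty list means it matches the record on file."""
    supplier = suppliers.get(inv.supplier_name)
    if supplier is None:
        return ["unknown supplier: verify by phone before paying"]
    warnings = []
    if normalise_account(inv.bank_account) != normalise_account(supplier.bank_account):
        # The key signal: a compromised mailbox sends from the real domain, so only the account differs.
        warnings.append("bank account differs from the account on file: confirm by phone, not by replying to the email")
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != supplier.email_domain.lower():
        warnings.append(f"sender domain {sender_domain!r} is not the supplier's usual domain {supplier.email_domain!r}")
    return warnings


# Constructed sample data: one supplier record and three invoices claiming to come from it.
SUPPLIERS = {"Acme Stationery": Supplier("Acme Stationery", "acme-stationery.example", "12-3456-7890123-00")}
GOOD = Invoice("Acme Stationery", "accounts@acme-stationery.example", "12 3456 7890123 00", 480.00)
# Sent from the real (compromised) mailbox; everything matches except the payment account.
CHANGED_ACCOUNT = Invoice("Acme Stationery", "accounts@acme-stationery.example", "12-3456-9999999-00", 480.00)
# Lookalike domain ("stationary"), real account number copied from an earlier invoice.
LOOKALIKE = Invoice("Acme Stationery", "accounts@acme-stationary.example", "12-3456-7890123-00", 480.00)
```

Run `check_invoice` over each invoice before it is approved for payment; any non-empty result should block the payment until the supplier confirms the details on a known phone number.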

How do I best protect myself and my business?

Here are some simple, easy-to-implement steps to share with your teams to better protect your information and that of your clients online.

  • Always use strong, unique passwords for each site or service you log in to, and never share passwords. Having a unique password helps prevent a compromise of one login becoming a compromise of many. Password-manager software can help you manage your multiple logins

  • Use two-factor or multi-factor authentication (2FA/MFA) wherever this is available. This is particularly important for your email account, which is usually the means to hackers being able to reset your passwords for other sites

  • Install anti-malware (anti-virus, anti-spyware) software and keep it updated. It is one of the easiest and most effective things you can do to protect yourself

  • Keep all of your software up to date with security patches

  • Communicate frequently with your team about the importance of password security, in particular the fact that it is not acceptable to use passwords that are also being used anywhere else (especially for personal purposes, e.g. social media sites)

Tech companies must have a robust, layered defence

With more than one million subscribers, Xero is growing globally and our infrastructure is scaling with it.

At Xero, protecting and defending our environment against today’s sophisticated cyberattacks is of critical importance.

The Xero Security Team monitors around the clock and across every timezone for patterns of malicious activity using the latest account takeover detection technology. We investigate and respond to suspicious activity by notifying users with steps to take to protect their account. In some cases we disable the account as a precautionary measure and notify the user to change their password and scan for malware.

At Xero, we are no stranger to the potential for account takeovers, and we take our responsibility to protect our customers’ data seriously, with strong security controls and monitoring to detect suspicious access. We invest millions of dollars every year and our team works hard to strengthen security practices every day.

But at the heart of this is that security is an industry issue.

Business advisors need to educate themselves on the best ways to keep themselves and their clients’ information safe and secure, and start implementing changes to strengthen their online practice as soon as they can.

Paul Macpherson is head of security at Xero.
