Pākiki Blog

The latest insights, vulnerabilities, research, and release information from the Pākiki team.

Follow us on social media:

3 Tips to Improve your Security Posture

Published on by Glenn
Categories: Security
Tags: Explanation

It was our honour to present at TechFest, run by Canterbury Tech, on the 24th of May 2024. This talk was designed as an introduction to improving your business’s cybersecurity posture. It’s aimed at small to medium businesses who are either unsure of where to start, or are rolling out new systems.

Tip #1: Know your assets

If you don’t know what you’ve got, then you can’t make decisions about how to protect it. Start by listing out all of the systems you can think of, including any vendor-managed/supplied systems, Software-as-a-service products you use, any hardware you have in your office, any servers that you run or are responsible for.

Also think about it in terms of your core business functions, what do you use for:

Then also think about the physical assets you have:

Now with that list in mind, you want to start thinking about the impact to your business if an event happened to any of those systems.


We often think about business impact at a high level in terms of:

CIA Triangle

Let’s take a couple of examples of these:

You could then put this data into a table:

System Purpose Confidentiality Integrity Availability
Website Present information about the business. Hosted on X. 1/5 4/5 2/5
Core System Hosted software provided by Y. 5/5 4/5 5/5
VPN Remote administrative access. Using Z. 3/5 2/5 1/5
Emails Using Office365. 4/5 4/5 2/5
Laptops Day to day office use. 2/5 N/A 2/5
Mobile phones Remote access for staff. 2/5 N/A 1/5

With all of this information in-hand, you can start to make smarter decisions about what’s important to your business.

If you aren’t responsible for a given system, don’t be afraid to ask your vendors. Remember it’s still your data that is in the system!

Tip #2: Keep them up to date

It sounds simple, right? Just turn on automatic updates, and you’re good.

In about 75% of cybersecurity reviews we do, there’s some element which hasn’t had security updates applied. In many breaches, a lack of security updates plays a role. If an attacker can identify what software you are running, then look up known vulnerabilities and use off-the-shelf exploits, then it’s significantly easier for them.

In some cases, outdated software may not be practically exploitable, but if a big vulnerability comes out tomorrow and you’re 3x versions behind, that upgrade becomes a lot more risky and time consuming.

While you can turn on automatic updates, are people ignoring them? And what about non-pc devices? Mobile phones, networking devices, anything hosting your software (if you’re responsible for it). Lastly think about the software on the computers (pdf readers, office software, etc) and the components which are relied upon by the software you use (called the dependencies)

Start with the asset map you made earlier, and work through it also thinking about any third party software or dependencies. You can start with the systems which contain the data you want more protection on.

Tip #3: Enable Multi-factor Authentication

Multi-factor authentication is where you log into a system with something you know (IE: A password) and something you have (EG: A code from your phone, or by plugging in a USB keyfob, etc). If somebody senior within the organisation shares their password with another unrelated service, or chooses a weak password, and there’s no second factor of authentication, what would that give somebody access to? Would it give access to their emails fully remotely? How would you even know that’s been compromised?

About half of the incident responses we’ve helped clients with would have been avoided if multi-factor authentication was in use. Most systems support it. As an initial step, we recommend getting all of your staff to enable it for all systems practical.

If you happen to use Microsoft 365 or Google Workspace, you can level up this trick by using them as an identity provider. This means your other applications trust them to log your users in. This means that they can make risk-based decisions about when to prompt for a password, you can enforce multi-factor authentication, and your staff only have one password. It also has the benefit of allowing you to on-board/off-board staff in one place.


While there’s debate within the security community about what are the most effective security measures at any given point in time, these tips would have prevented about 75% of the incident responses we’ve been called in to help with.

If you want more, CERT NZ has a list of their top 10 security controls: https://www.cert.govt.nz/it-specialists/critical-controls/10-critical-controls/. These are based on the assistance they’ve given to NZ organisations.

To sum up:

  1. Know what you’ve got
  2. Keep it up to date
  3. Use Multi-factor authentication

Please feel free to get in touch if you would like to learn more.