Cyber security guidance for high-profile individuals

If you have a high-profile job or are well-known, you may be more likely to be targeted by cybercrime. This guidance will help you know what to watch out for, and how to protect yourself online.

What does ‘high-profile’ mean? 

Individuals may become 'high-profile' through the nature of their work and relationships. For example, you may be considered high profile if you’re: 

  • an elected representative in central or local government,
  • in a governance role for a major publicly traded company or public sector organisation,
  • an academic or advisor with expertise in a geostrategic area (such as strategic studies, international relations, or advanced research),
  • a senior public servant with access to or influence over policy decisions, public spending, or information that impacts New Zealand’s national security, or
  • a community leader or someone with a prominent role within a diaspora. 

The list above is not exhaustive. If you’re concerned that state actors might target you because of your role, influence, or activities, this guidance is for you. Please follow it.

As a high-profile individual, your cyber security practices need to be more thorough than the average person’s.

Understand the threats you face

Cyber threat actors – including nation state-backed actors, hacktivists, or cybercriminals – may try to compromise your personal accounts and devices. These actors can be highly sophisticated, with many tools at their disposal.  

Cyber threat actors won’t differentiate between your personal and work life. They look for where you store valuable information and use the path of least resistance to gain access.  

The threat to high-profile individuals is real. There are documented cases of successful compromises and prevented attempts targeting New Zealanders. 

The National Cyber Security Centre’s (NCSC’s) Cyber Threat Reports explain the types of threats New Zealanders face. 

NCSC cyber threat reports

Knowing the tactics threat actors use can help you stop them in their tracks.

The NCSC’s Own Your Online website is a practical resource with simple, plain language explanations of common threats and risks, plus guides to help you stay cyber-smart and protect yourself.

Own Your Online

Secure yourself against common threats

Cyber threat actors can use a variety of methods to gain access to your accounts and devices – but even basic protections can block some of the most sophisticated attacks.

There are many steps you can take to improve your personal cyber resilience. This guide includes technical settings and everyday behavioural changes that help reduce your risk. 

You can also access this advice as a condensed four-step checklist to help you get started.

Checklist for high-profile individuals

Without adequate protection, you may become an easier target for threat actors.

Identify your digital assets

Start by making a list of your digital assets. This includes:

  • hardware,
  • software, 
  • online accounts, and 
  • any digital platform where you store important information.

Creating a simple register will help you understand what you need to protect. By following our recommendations, you can reduce your risk.

Have good password hygiene

Long, strong and unique passwords are one of the simplest and most effective ways to protect your accounts. An easy approach is to use a passphrase – four or more random words strung together. Passphrases are easier to remember and harder to crack than a long mix of numbers, letters, and symbols.

Your passwords should have the following characteristics:

  • long – at least 15 characters,
  • strong – use a mix of upper- and lower-case letters, numbers and special characters (when required), and
  • unique – never reuse passwords or use variations of the same one.
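The passphrase and uniqueness rules above, as an added example (not NCSC code). The word list is a constructed sample, and `normalise` and `is_variation` are hypothetical helper names for a simple heuristic that catches reuse and light variations of a password.

```python
import math
import secrets

# Constructed 32-word sample list, for illustration only. A real generator
# needs a large list (the EFF long list has 7,776 words).
SAMPLE_WORDS = (
    "anchor basket candle dolphin ember falcon garden harbour island jacket "
    "kettle lantern meadow nutmeg orchid pebble quartz ribbon saddle timber "
    "umbrella velvet walnut yonder zephyr bramble copper drizzle fennel gravel "
    "hammock ivory"
).split()

MIN_WORDS = 4    # "four or more random words"
MIN_LENGTH = 15  # "long: at least 15 characters"


def generate_passphrase(words=SAMPLE_WORDS, n_words=MIN_WORDS, sep="-"):
    """Pick words with the OS CSPRNG; add words until the length floor is met."""
    if n_words < MIN_WORDS:
        raise ValueError("use at least four words")
    chosen = [secrets.choice(words) for _ in range(n_words)]
    while len(sep.join(chosen)) < MIN_LENGTH:
        chosen.append(secrets.choice(words))
    return sep.join(chosen)


def entropy_bits(list_size, n_words):
    """Entropy of n_words independent, uniform picks from list_size words."""
    return n_words * math.log2(list_size)


def normalise(password):
    """Heuristic base form: lower-case, drop trailing digits and symbols,
    undo common character substitutions, keep letters only."""
    core = password.lower().rstrip("0123456789!@#$%^&*?._-")
    table = str.maketrans("@4310$5", "aaeioss")
    return "".join(c for c in core.translate(table) if c.isalpha())


def is_variation(candidate, existing):
    """True if candidate reuses, or lightly varies, any existing password."""
    base = normalise(candidate)
    return any(
        candidate == old or (base != "" and base == normalise(old))
        for old in existing
    )
```

Four words from the 32-word sample give only 20 bits of entropy, against about 51.7 bits for four words from a 7,776-word list: the strength comes from the size of the list and the random selection, not from the words themselves.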

A password manager is a smart tool that stores all your device and account passwords in one secure, encrypted vault. You only need to remember the password that unlocks the manager.

Password managers:

  • remove the need to memorise multiple passwords,
  • can create new, strong passwords, 
  • store everything securely in one place, and 
  • can fill in sign-in forms automatically.

Avoid using your browser's 'remember password' feature – if an attacker exploits a browser vulnerability, it could expose your saved passwords.

Learn more about password managers and how to choose one at Own Your Online.

Keep your data safe with a password manager | Own Your Online

Share accounts – don’t share passwords

Sometimes you may need to give others access to information or accounts. These shared accounts often have administrator privileges and are used to manage services. For example, Microsoft Outlook lets you share your calendar with specific people and choose how much detail they can see in your appointments.

Anyone with shared access should be managed to ensure they:

  • have individual access with their own unique passwords,
  • are vetted for security (depending on organisational policy), and
  • are limited to only those who require access for their role.

When someone leaves your organisation, disable or remove their access immediately. Use that as a prompt to review and update any shared passwords.

Never share your passwords. Only you should know your passwords – and only you should access your password manager where they’re stored securely.

Use multi-factor authentication (MFA)

MFA, or multi-factor authentication – also called two-factor authentication or two-step verification – is a tool that proves you are who you say you are. It works by requiring more than one way to confirm your identity when logging in to an account or device.

MFA combines:

  • something you know – like your username and password,
  • something you have – like a security token, device, or unique code, and
  • something you are – like your fingerprint or face ID.

MFA might be the single most important security step you can take.

As a high-profile individual, we recommend using advanced MFA options that are more secure than SMS (text message) authentication. These include:

  • physical security keys – such as YubiKeys, Google Titan keys, or FIDO2 keys, and
  • passkeys – a newer and more secure method that replaces passwords entirely. 

These advanced options are more secure because an attacker would need physical access to your device or token – unlike text message codes, which can be intercepted or phished remotely.

If you receive an MFA request but haven’t tried to log in, don’t approve it. It could mean someone has your password and is trying to access your account. MFA is working as intended – but you should change your password immediately. 

If you’ve reused that password on other accounts, change those too. Use your password manager to create and store unique passwords for each account.

MFA adds an extra layer of protection between you and a cyber threat.

Regular updates and scanning

Keeping your devices up to date with the latest software and firmware patches is one of the most effective ways to protect them. Enable automatic updates for all your devices so that updates happen consistently and without manual input. 

This is especially important for:

  • your device operating systems,
  • your apps and software, and
  • your home router firmware (you’ll need to enable this through your router’s settings).

Regular malware scanning helps detect infections early. Most devices come with built-in anti-malware tools.

Configure your device to:

  • scan new files automatically when opened, and 
  • run a full system scan once a week.

We recommend setting your devices to install operating system updates automatically each week and to update anti-malware tools daily. 

Devices should be configured to scan for malware whenever a file is opened, with a full system scan once a week.

 

We also recommend setting up anti-malware scanning for all your devices – not just your laptop or phone. Most routers come with a built-in firewall with default rules for managing your internet traffic. Enabling and configuring your router’s firewall adds another layer of protection.

Review social media settings

Most social media platforms have privacy settings that control how your profile appears to others. Take the time to review these settings – you can usually use the ‘view as’ option to see what strangers or friends can see.

Check that your privacy settings:

  • limit how people can find you,
  • restrict who can message you, and
  • control what personal information is visible. 

As with emails and text messages, don’t click on links sent through social media from people you don’t know or trust. Avoid opening unsolicited links to shared files, especially from platforms like Google Drive.

Share as little personal information as possible, and make sure only trusted contacts can access it.

If you want to leave a social media platform, deactivate your account rather than deleting it – this prevents others from registering your username and impersonating you. If someone is pretending to be you online, contact the platform’s support team immediately and report the incident to us.

Report an incident

Learn more about staying safe on social media at Own Your Online.

Stay safe on social media | Own Your Online

Joining Wi-Fi at home and when away

At home

Protect your home Wi-Fi network with a unique password. Make sure you’ve changed the default router name – which often reveals the make and model – as well as the default administrator username and password used to access the router’s settings.

Learn more about securing your home network at Own Your Online.

Secure your home network | Own Your Online

Away from home

Public Wi-Fi networks can be risky – malicious users may try to intercept your activity or access your devices without your knowledge.

Avoid using unsecured Wi-Fi networks in hotels, airports (including airline lounges), cafés or other public spaces. If possible, use your mobile phone as a hotspot instead. Enable mobile data when you’re not connected to a trusted network.

Make sure you understand your organisation’s policies before connecting to any Wi-Fi network.

If your organisation issues a device with VPN (virtual private network) software, it’s there to encrypt your connection and provide secure access to work resources. Use it as directed when working remotely.

External USB devices and public charging stations

Never plug a USB device – such as a memory stick or hard drive – into your computer if you don’t know where it came from or who gave it to you. This applies to both personal and work devices.

When travelling, be cautious about where you charge your phone or laptop. Public USB charging stations may be compromised by cybercriminals to install malware or steal data.

Where possible:

  • charge from a mains power outlet, or
  • use your own portable power bank.

Keep physical control of your devices as much as you can.

If you expect to charge your device in a public space and don’t have access to a power bank or wall socket, we recommend carrying a USB data blocker. These small tools stop your data from being accessed while charging through public USB ports.

General security advice

Being aware of good cyber security practices is one of the best ways to protect yourself online.

Malware Free Networks (MFN) 

MFN is the NCSC’s threat disruption service, designed to protect a wide range of users from malicious activity. You can check if your internet service provider (ISP) offers this protection by visiting the MFN page on our website. If your ISP doesn’t offer it, consider asking if they provide MFN or other threat-mitigation services.

Malware Free Networks 

Be cautious with links

Never click on links in emails, texts or social media messages if they come from someone you don’t know or trust.

Watch for spear phishing

Spear-phishing attacks involve a threat actor pretending to be someone you know. They usually ask for sensitive information or request urgent action. If something feels off, double-check before responding.

Check for data breaches

Use the website Have I Been Pwned to check if your email or other personal data has appeared in known breaches.

Have I Been Pwned

Learn the SOUP method

Threat actors may try to manipulate or target you. Use the SOUP mnemonic to assess their behaviour.

  • Suspicious – Are they taking an overly active interest in you?
  • Ongoing – Are they repeatedly engaging with you and continuing certain topics?
  • Unusual – Are they asking overly specific or strange questions seeking detailed information?
  • Persistent – Are they pushing for more and more information?

Keep your devices physically secure

  • Set a password, passphrase or biometrics to lock your devices.
  • Don’t leave devices unlocked or unattended.
  • Watch out for shoulder surfing – people trying to read your screen or passcode.
  • Use Find My Device features to locate, lock or wipe a lost device.
  • Keep apps up to date and remove ones you no longer use.
  • Back up your data and do a factory reset before selling, replacing, giving away or repairing your phone.

Additional security tips for mobile users

Apple users

Turn on Lockdown Mode for extra protection. 

Lockdown Mode is for people at high risk of being targeted by sophisticated cyber threats. It limits some phone functionality to make your device harder to exploit.

About Lockdown Mode | Apple Support

Android users

Make sure Google Play Protect is turned on. 

Google Play Protect is built into Android and includes a malware scanner, Find My Device, and Safe Browsing.

Google Play Protect | Google Support

Report an incident

If you think you’ve been affected by a cyber incident, report it straight away.

Reporting form for individuals and small to medium businesses

Contact us by phone

If you need help with the online reporting tool, call 0800 114 115 in New Zealand. 

Our phone lines are open Monday to Friday, 7am to 7pm, and closed on public holidays. 

Let your workplace’s information technology (IT) or security team know too, so they can also support you. 

Report national security concerns

If you believe a threat may affect New Zealand’s national security, contact the New Zealand Security Intelligence Service (NZSIS).

Reporting a national security concern

Keep up to date

We share active alerts and regular updates on current threats through various channels.

Alerts

Latest news 

NCSC | LinkedIn