Research: NZ easy-pickings for cyber-criminals
New independent research commissioned by Aura Information Security paints a stark picture of the cybersecurity battle New Zealand businesses are facing.
More than half of businesses have been successfully targeted by a ransomware attack in the past year, with one in five businesses saying the attack caused serious disruption to operations.
One in five businesses estimate their organisation is affected by 16 or more ransomware attacks per quarter.
Two-thirds of businesses admit they would pay a ransom to retrieve data after a ransomware attack. One in ten businesses would be willing to pay $50,000 or more.
A third of businesses saw an increase in cyber-attacks during the Alert Level 4 lockdown. Two in five businesses say they have been targeted by a COVID-19 themed phishing attack.
Half of IT decision-makers don't know about the Privacy Act amendment, despite it coming into law December 1 this year.
The rise of ransomware
New Zealand has a growing problem with ransomware attacks.
The number of IT decision-makers who estimate their organisation is affected by 16 or more ransomware attacks per quarter has doubled over the past 12 months[1]. In today's business environment, one in five Kiwi companies say they are fighting off more than 60 ransomware attempts per year.
Aura general manager Peter Bailey says these numbers are alarming, but it could get even worse.
"The research shows more than half[2] of New Zealand businesses have been successfully targeted by a ransomware attack in the last 12 months. Not only that, but one in five hacked businesses say it caused serious disruption to their operations.
"Unfortunately, this is just the tip of the iceberg. Over the past year, we've not only seen New Zealand businesses get pummelled by ransomware, but we've also seen a big resurgence in distributed denial-of-service (DDoS) attacks.
"While there's a general belief that much of the cybercriminal world is still focused on the United States, there's nothing stopping these hackers from shifting their focus towards New Zealand and, quite frankly, most of our businesses aren't prepared.
Cybercrime pays
The official advice from the New Zealand Government is to not pay ransoms demanded by cybercriminals. Despite this, two-thirds[3] of businesses admit they would pay a ransom to retrieve data after a ransomware attack. One in ten businesses would be willing to pay $50,000 or more.
"It's a grim reality for businesses trying to decide what to do when their data is being held ransom. Not only is data locked down and out of reach, but systems can be offline as well, meaning critical business actions can't take place. Sometimes the best option seems to be paying the ransom, but many businesses pay up and still never see their data again," Bailey says.
"The best approach is to prepare your business so you're unlikely to ever face a ransom situation in the first place.
In August 2019, the Institute of Directors (IoD) experienced a website breach perpetrated by an overseas hacker collective.
Even though the attack was spotted in under 10 minutes, and no customer data was compromised, it caused weeks of disruption as the site had to be taken down and thoroughly vetted.
This affected all online interactions with IoD members and customers, took enormous staff effort and incurred costs associated with data security.
IoD general manager brand marketing and communications Sophi Rose says the IoD's crisis communications plan was a great help, dictating who needed to do what, when.
"Our main concern was for members and customers. The speed at which we were able to take the website down, which was under 10 minutes, and being able to understand any impact was key to our response.
"We also made decisions in accordance with our values. We let our members know immediately even though there was potentially no impact. We thought about how we'd like to be treated in a similar situation and openness and honesty were our mantra.
The upcoming Privacy Act
Nearly half of IT decision-makers[4] still don't know about the Privacy Act amendment, despite it coming into law on 1 December 2020.
"These are the people looking after Kiwi companies' cybersecurity and many are unaware of impending changes which will impact how they do their job and how to manage a security breach," Bailey continues.
"Even more alarming is that this number hasn't changed year-on-year. Since we started the Aura survey in 2018, we've seen roughly the same result."
Changes to the Privacy Act include mandatory breach management and fines of up to $10,000 for offending businesses, and Bailey notes this research highlights that many IT decision managers may also not be aware of the flow-on repercussions.
"Organisations might not yet be aware that the Privacy Act 2020 gives affected individuals or groups the ability to take class action against organisations that have failed in their duty to safeguard data.
"Never has data, and the protection of it, been so important. It's time New Zealand businesses started to get up-to-speed on the new legislation and what it means for them.
COVID-19 cyber-attacks
Unsurprisingly, Kiwi businesses saw a surge[5] in cyber-attacks during the Alert Level 4 lockdown. Two in five[6] businesses say they've been targeted by a COVID-19 themed phishing attack.
"There was a lot of information going around when the COVID-19 outbreak first happened. People were looking for advice and hackers were able to ride that wave by mimicking reliable communications channels to trip people up. This is a common technique for cybercriminals, and it was also used to carry out many attacks when both the Christchurch earthquakes and mosque attacks occurred.
"The fact many of us were working from home and away from our typical work environment during lockdown meant regular office software protections were no longer in place. No matter when and where you're working, it's vital you pay attention to email senders and any attachments to ensure they're legitimate.
A set and forget mentality
Research also shows New Zealand businesses remain somewhat unaware of how their data is secured, with three in five[7] businesses that store data in the cloud mistakenly believing this provides an added layer of security.
"It's not surprising that a quarter[8] of businesses say they have suffered a cloud security breach over the past 12 months. While the cloud adds some security, moving data to the cloud is not a set-and-forget security exercise.
"Businesses need to get into the habit of an 'always-on' approach, one that includes regular employee training, the right policies and procedures, and regular testing of outward-facing assets like websites and applications," says Bailey.
It's only getting worse
Year-on-year, the number of IT decision-makers that expect their organisation to be targeted by a cyber-attack is rising.
In 2018 it was 27%, in 2019 it was 42%, and this year more than half[9] of businesses expect to be hit by a cyber-attack over the coming year. In larger Kiwi organisations (those with 300 or more internet-connected devices) that figure skyrockets again to 69%.
Bailey notes that businesses must always be vigilant online and urges people to stop thinking it won't happen to them.
"All New Zealanders need to remember that everyone is a target. Whether a big or small business, ransoms are adjusted to increase the likelihood of the hacker getting paid.
"Experiencing a hack also isn't just about financial loss and system compromise. Business reputation can also be hugely impacted which is often more important than any financial burden. If your customers can't trust you to keep their data safe, they're going to go elsewhere.
Notes
[1] In 2019, 9% of respondents said they estimated 16 or more ransomware attacks to affect their business every quarter. In 2020, 20% of respondents gave the same response. This is up 11 percentage points.
[2] 33% of respondents said their business had been successfully targeted by a ransomware attack in the past 12 months, but that they were able to resolve the breach before any significant damage was done. 20% of respondents said their business had been successfully targeted by a ransomware attack in the past 12 months and that the attack caused serious disruption to their business.
[3] 34% of respondents said they wouldn't pay a ransom to regain access to data that was stolen/locked in a ransomware attack.
[4] 55% of IT decision-makers say they're aware of impending changes to the Privacy Act.
[5] 30% of IT decision-makers said their business saw an increase in cyber-attacks over lockdown.
[6] 42% of respondents said that either they themselves or their organisation had been subject to a COVID-19 themed phishing attack.
[7] 73% of respondents who use the cloud to store data believe this adds an extra layer of security or defence for the data it holds.
[8] 25% of businesses using cloud services have suffered a cloud data breach, either accidental or through a cyberattack, in the last 12 months.
[9] 51% of IT decision-makers responded 'yes' when asked if they expect their businesses to be a cyber-attack target in the next 12 months.