Cybercrime calls for extra vigilance

Stephan van Lieshout says cybercrime in the Bay is in line with other areas.

Awareness of the need to protect against cybercrime is growing rapidly in the Bay of Plenty. But there is still plenty for companies to do in securing their cyber-borders, say regional IT experts.

The problems are now attracting a high level response: the Government last week announced new measures to tackle cybercrime, including a Computer Emergency Response. Earlier this month, Institute of Directors chief executive Simon Arcus said the creation of information-sharing hubs to combat cyber-threats were urgently needed.

"Many companies have no forum to share data and there is often a reluctance to discuss attacks," said Mr Arcus.

"We have an evolving cyber-threat to tackle. Our cyber adversaries move with speed and stealth. We need to keep pace."

The Norton Cybersecurity report, released last month, said approximately 856,000 New Zealanders were impacted by online crime over the past year.

Mark Gorrie, Pacific director of Norton by Symantec, said its findings demonstrated headlines rattled people's trust in mobile and online activity.

"But it hasn't led to widespread adoption of simple protection measures people should take to safeguard their devices and information online."

Stephan van Lieshout, a Tauranga-based information security expert with Spark Digital, said awareness was growing rapidly.

"There seems to be a lot of malicious and criminal activity in the cyber space currently," he said.

Key examples include the Ransomware exploits, where Crypto-Locker software locks people's files and a ransom is demanded for the key to unlock them.

"It's doing the rounds in the BOP and also around the rest of the country. We're also seeing a spate of targeted, well researched emails which are designed to look like they're coming from the CEO and instructing accounts staff to pay money to overseas accounts."

Mr van Lieshout said he had seen no evidence to suggest that the Bay of Plenty was any better or worse off than other regions.

"The problems are the same, and cyber criminals and malware don't really differentiate on the basis of geography: that's one of the key challenges. Certainly, a challenge in the regions is any security efforts cost money and, for smaller businesses, the pot of gold is smaller and there's stronger competition for finite dollars."

Jackson Lee, a business analyst with Cloud IT in Rotorua, said corporate anti-virus protection would usually pick up common threats for businesses.

"Some of our business clients have received bank scams. There have also been incidents of local servers being attacked."

Typically a random bot picks up a server with an open port and attacks the server through that.

"We would recommend getting an assessment done every six months by an IT company or consultant. Things are changing all the time."

Crucial ways to keep out cyber crims - expert

Spark Digital information security expert Stephan van Lieshout says structuring a business against cyber risks involves three key components: Governance, operational safeguards, and increasing education of users.

Mr van Lieshout said governance concerns included:

* Making sure management was aware of cyber security. "If senior management don't understand the risks and the impact they could have on business, then it becomes almost impossible to make any real impact on the problem."

* Identifying the crown jewels. "It is too costly and totally impractical to protect everything. The first thing a business needs to do is properly identify what's absolutely critical."

* Making people responsible and accountable. "Information security roles and responsibilities need to be part of position descriptions at every level," said Mr van Lieshout. "Unless this is the case, security will almost always slip to the bottom of the priority list."

* Having an incident plan that included crisis communication. "People no longer measure trust by whether or not you've suffered an incident, but by how quickly and honourably you deal with it," he said. "The communications approach can make the difference between surviving and not surviving."

* Managing third party vendors properly. "Security is only as good as the organisation's weakest link."

* Sharing information. "As the IoD has highlighted, we need to plug into capable people and lessons learned."

Mr van Lieshout said that even when key governance issues were not fully addressed, there were still generic operational steps companies could take to improve security.

"There's evidence to support the Government's assertion that about 85 per cent of the crime is still opportunistic and not especially sophisticated."

Useful measures included application "whitelisting" - only allowing specific software to run, patching and updating all applications and operating systems, and taking away excessive admin privileges.

"Finally, make sure the users are aware of the issues," he said. That meant updating and protecting personal devices, and maintaining backups of critical information.

"And protect your identity. Often the only thing that stands between information and a bad guy is a user name and password."

Scope of cybercrime

New Zealand's loss to cybercrime in the past year was more than $256.8 million.

On average 22 hours were lost and $300 spent per person dealing with its impacts.

Source: Norton Cybersecurity Report, November 2015