Peter Bailey, general manager at Aura Information Security, said hackers ran a business with a cost-model like any other: "the more energy they put in, the more money they want to get out".
Cyber-attackers have previously focused their efforts on the US but are increasingly turning towards other affluent markets that are more vulnerable to attacks, such as Germany, the UK, Australia and New Zealand.
"Hackers are looking for the best deal effectively, the least amount of energy to get the most amount of money," Bailey told BusinessDesk. "The better your defence, the more it costs them to attack you. It doesn't mean they are not going to attack you, but you become a less interesting target."
Targets
And it's not just limited to commercial operations. Governments have been raising their firewalls to stave off coordinated attacks, which have become increasingly sophisticated and sponsored by governments seeking to steal secrets or to damage crucial cyber-infrastructure.
Australian public and private organisations are being urged to safeguard their technology networks after the country's government and essential services were subjected to a major cyber-attack last week. Prime Minister Scott Morrison blamed sophisticated state-based cyber hacks by an unnamed country, widely presumed to be China.
Andrew Little, NZ's minister overseeing intelligence agencies, said while there wasn't a similar national attack on this side of the Tasman, cybercrime has been on the rise.
CERT NZ received 4740 reported incidents in 2019, up from 3445 in 2018 and 1131 the year before. The majority are phishing attempts, online scams and unauthorised access.
A 2018 study by Microsoft found NZ was the most scammed country in the world per capita. Aura's Bailey said NZ was developing a reputation for being an easy target.
Lockdown
The problem only got worse as Kiwis opened thousands of poorly secured backdoors to their companies' systems when they worked from home during lockdown.
Police estimate that NZ businesses lost $2.2 million to scammers in this period.
Bailey said there had been a recent wave of ransomware attacks, in which scammers access a system through a phishing email then extract company information before encrypting the whole system.
They can then threaten to release sensitive data if the ransom is not paid — as opposed to just promising to decrypt the system if the ransom is paid — increasing the pressure on victims.
Ransomware is usually delivered by email, which means staff are a source of vulnerability, often making cybersecurity a culture problem rather than a tech problem.
Hilary Walton, chief information security officer at Kordia, said laid-back Kiwis were particularly vulnerable because they felt safely isolated at the bottom of the world.
"We have this national culture of being friendly, polite and trusting. Which is lovely, but in a cybersecurity context that puts us in an awkward position," Walton said. "So much of security is behavioural. Often it is the human security behaviours that need to be strengthened to make the organisation safer."
Walton would know. She holds a master's degree in psychology, which led to her becoming a leader in workplace security culture. Her expertise has been sought out to manage a security project for the British intelligence agency MI5 and information security for the 2012 London Olympics.
Understand risks
Good cybersecurity training that motivates staff to be conscious of the risks is the first place to start securing your system, Walton said.
"It is even more important now with people working from home and the office, in a hybrid model," she said.
"At home, people are potentially more relaxed and I don't want those relaxed behaviours coming into the office."
Training needs to go beyond just awareness of threats; it needs to motivate people to be more secure, she says. Managers should model good security behaviour and use a mix of peer pressure and rewards to reinforce security culture in the workplace.
Bailey said the most effective team behaviours for preventing cyber-attacks were simple "hygiene" measures to make sure your company is not vulnerable.
This includes strong passwords, two-factor authentication, keeping software up to date, training staff to recognise phishing emails and backing up the system for a speedy recovery in the event of a ransomware attack.
"If you haven't done backups, and are unable or unwilling to pay, you really don't have any options," he said. "Your data is gone, which can be devastating for some businesses."
- BusinessDesk