Mick Broughton (not his real name) remembers well what he did when cyber criminals hit his international logistics business, one of thousands of examples of cyber crime costing New Zealand businesses an estimated $250 million a year.
"I panicked," he said, when ransomware (software which locks data and is freed only when a ransom is paid) struck. The criminals wanted US$600 to free the data - hardly a fortune but Broughton knew it could have been a lot more.
"If we hadn't had backed-up data, it would have cost us between $30,000-$50,000; it gave us a real fright. I can absolutely believe that it is costing $250m a year and I reckon small and medium businesses are the most under threat; I have friends who have companies, some are tradies and with one exception they don't have any back-up at all.
"They'd be screwed if they were hit by ransomware. You can see how lucrative the criminals are finding it - they can hit people's computers at home and small businesses and I think it is only a matter of time before they up their sophistication level and strike a really big [company] target."
Broughton's company - which he asked not to be identified - escaped without paying the ransom thanks to remedial action led by chief information security officer, Joerg Buss of Origin IT.
Netsafe, the internet security company, have said cyber crime likely costs New Zealand between $250m to $400m. The reason for all this estimating is New Zealand law does not mandatorily require companies to report cyber crime - and many don't. It's embarrassing and damaging to their brand.
As one internet safety professional said: "Who wants to put their hands up and say, 'I lost my client's data' or 'I've been robbed'? It's not easy having to admit that the very thing you use the most in your business - technology - is the thing you know the least about."
Netsafe reported 8570 cyber attacks in New Zealand last year, costing $13.4m, the largest single hit being just over $2m. But that's just the crimes known about; Netsafe estimate that's only about 4 per cent of all cyber crime. Extrapolate that out and cyber crime may be costing the country about $340m a year.
Dr Abdolhossein Sarrafzadeh, director of Unitec's Centre of Computational Intelligence for Cyber Security at Unitec, estimates the monetary loss at about $250m a year and told the Herald last month cyber crime is increasing. He knew one company relieved of $200,000 by someone posing as a Chinese partner on email.
A new report, PWC's Global Economic Crime Survey 2016, has added its weight to burgeoning evidence cyber crime in New Zealand is increasingly damaging - but is either hushed up or some companies are so poorly protected, they don't even know they've been breached and had either data or money stolen.
PWC said, of the 40 per cent of New Zealand businesses hit by all forms of economic crime in the past two years, 29 per cent have experienced cyber crime. There are about 500,000 companies in New Zealand (97 per cent of them small-to-medium enterprises, according to official figures), so about 58,000 enterprises have been compromised by cyber criminals in the past two years.
That's over 550 companies every week. Again, that's just the ones we know about. A further 12 per cent of New Zealand organisations (24,000 companies) said they didn't know whether they had been affected by cyber crime or not - stark evidence of New Zealand's naiveté in this area.
That level of unpreparedness has led one insurance company to take the innovative step of introducing the services of a 'triage team' in their latest cyber insurance product. NZI has put together a team who are on hand and ready to leap into action in the event of a cyber breach to save (business) lives and produce the best possible recovery from a serious injury.
The triage team includes law firm DAC Beachcroft, an international legal company with 1400 lawyers round the world, PR company Porter Novelli and IT forensics companies.
Representatives of each will work with affected companies to stem the bleeding after attack, in addition to the financial insurance cover provided.
They are a brand new team, formed only last month, and Ryan Clark, NZI's national manager liability says: "There's a quote which goes like this: 'There are only three kinds of companies in the world - those who have been hacked, those who are going to be hacked and those who don't know they've already been hacked'.
"Obviously, there could be legal ramifications after an attack and the PR side is there to manage reputational damage; the forensics guys piece together what has happened and how to prevent it happening again."
While the PWC global report didn't attempt to put a dollar figure on cyber crime losses, it also underlined the hidden problem. Of the 51 per cent of New Zealand companies who said they had not fallen victim to a cyber attack, the report said: "...some of the 51 per cent...have likely been compromised without knowing it. A concerning trend...is hackers manage to remain on organisations' networks for extended periods of time without being detected."
PWC said about 50 per cent of New Zealand companies experiencing all economic crime suffered losses of less than $75,000, with about 40 per cent losing in excess of $150,000. Globally, 43 companies reported cyber crime losses in excess of US$7.5m
The true cost, said the report, was difficult to assess as the direct financial loss was often only a small component of the "fall-out from a serious incident" with business disruption costs, remedial measures, legal fees and other costs can be significant and not easily measured.
"Most companies are still not adequately prepared for, or even understand, the risks faced," said the PWC report, adding that a staggering 45 per cent of New Zealand organisations do not have a cyber incident response plan to help the business recover from an attack - and some don't think they need one.
To find out how you can protect your company today click here