Many New Zealand companies think their biggest cybersecurity threat comes from sophisticated criminals or disaffected countries like Russia, North Korea or Iran.
But Alastair Miller, principal consultant at Aura Information Security (the cybersecurity consultancy owned by state-owned enterprise Kordia), says the "sophisticated cybercriminals" can often be a 16-year-old who has purchased a cheap, ready-to-use cyberattack kit off the dark web.
"It's called ransomware as a service," says Miller of the new trend where ransomware (where cyber attackers encrypt a company's data and extract a ransom to release it) is available from the internet's darkest recesses. "Unfortunately, if something is forbidden, it becomes more attractive to some people.
"You can buy quite advanced attack kits for $20-$30 now and a lot of people, often in their teens or late teens, are doing that. You don't even need to know how to code or be overly technical to use these – almost anyone can deploy them.
"This makes New Zealand even more vulnerable," he says. "We hear from companies here all the time that, as we are so far away from the more famous parts of the world that attract cybercriminals, we are not noticed."
Unfortunately, the internet and its ability to bring any location in the world into your office or living room just doesn't respect those geographical boundaries – and some of the statistics attached to cyberattacks in New Zealand are, Miller says, scary.
The stats are difficult to pin down because many companies hit by cyberattacks do not report their losses – fearing loss of brand equity and reputation, or deciding not to pursue matters further because the attack may not be covered by insurance: "Some companies just decide to call it a cost of doing business, re-install [the affected software] and move on," Miller says.
CERT NZ, in its 2021 cyberattack report, said there had been more than 8800 incidents reported, some of which led to financial losses of just under $17m. The Reserve Bank aims higher – estimating yearly cyberattack costs to businesses of between $80m-$140m.
Miller says Aura's research last December surveying IT decision-makers showed that, in the previous 12 months, 55 per cent of New Zealand businesses surveyed had been successfully targeted by ransomware. He estimates the real cost of cyberattacks at $100m-$200m a year.
A recent report by the Technology Users Association of New Zealand (TUANZ) – based on an international network readiness index by the Portulans Institute – says New Zealand is ranked 56th in the world when it comes to cybersecurity, but needed to be in the top 10.
New Zealand has also been rocked by attacks on some major players – like the NZX and the Waikato District Health Board last year and, earlier this month, Pinnacle Health confirmed that hackers had managed to steal patient information. While there is no sign that the incident has cost Pinnacle financially, Miller confirms that the breach was probably enough for hackers to assume a person or persons' identity – leading to cyber-theft down the line.
"It's also a matter of real concern for a company – particularly in the financial or medical sectors – that their brand has been compromised," he says. "It's true of all companies, even SMEs [small to medium enterprises, a mainstay of New Zealand business] because everyone has embraced the need to be a strong online player these days – and trust is a big part of that."
Aura's Cyber Security Market Research Report 2021 found just under half of IT decision-makers say their businesses had taken cybersecurity more seriously as a result of this kind of local attack – 41 per cent had more discussion around cybersecurity within their organisation, while 37 per cent expanded their cybersecurity team or agency.
While 85 per cent of IT decision-makers considered New Zealand equally or more at risk as the rest of the world when it came to cyberattacks, Kordia's report also found that less than half were running crisis simulation exercises to assess their ability to respond to a cyberattack.
Miller says phishing – gaining entry to a company's IT systems and networks by conning a staff member or partners like suppliers into clicking on a link in an email – is the most common entry point for ransomware or other cyberattacks.
The biggest need in protecting against cyberattacks is thus staff education, he says: "There are well-documented cases where an employee has inadvertently let an attacker in by approving an authentication request. Whether it's 'approval fatigue', or employees simply not understanding how the system works, it can and does happen.
"So you can have the biggest, best, most expensive cybersecurity system in the world – but human error can still undo it."
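The "approval fatigue" Miller describes leaves a trace in MFA logs: a run of push prompts a user rejects or ignores, sometimes followed by one they finally accept. The following detector is an added example written for this article, not code from Aura or Kordia; the log format, the ten-minute window and the threshold of three denials are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from the article), one event per line
# in an assumed "timestamp user result" format.
SAMPLE_LOG = """\
2022-10-12T08:01:05 alice denied
2022-10-12T08:01:40 alice denied
2022-10-12T08:02:15 alice denied
2022-10-12T08:03:02 alice denied
2022-10-12T08:03:50 alice approved
2022-10-12T09:15:00 bob approved
2022-10-12T09:40:12 carol denied
2022-10-12T11:40:12 carol denied
"""


def parse_log(text):
    """Turn the assumed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who deny `threshold` or more pushes inside `window`, and
    separately flag an approval that arrives while such a burst is active.
    Returns a list of alert dicts in the order they were raised."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))

    alerts = []
    for user, user_events in by_user.items():
        recent_denials = []      # denial timestamps still inside the window
        burst_reported = False   # raise the burst alert once per run of denials
        for ts, result in user_events:
            # drop denials that have aged out of the sliding window
            recent_denials = [d for d in recent_denials if ts - d <= window]
            if result == "denied":
                recent_denials.append(ts)
                if len(recent_denials) >= threshold and not burst_reported:
                    alerts.append({"user": user, "kind": "push_burst",
                                   "count": len(recent_denials), "at": ts})
                    burst_reported = True
            elif result == "approved" and len(recent_denials) >= threshold:
                # the dangerous case: the user gave in after repeated prompts
                alerts.append({"user": user, "kind": "approved_after_burst",
                               "count": len(recent_denials), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log, alice triggers both alert kinds (a burst of denials, then an approval while the burst is still live), bob's single approval is clean, and carol's two denials are two hours apart, so they never share a window. The second alert kind is the one worth paging on: it is the signature of an employee approving a request they did not initiate.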
Miller's top tips for effective cybersecurity include:
- Staff education – simple videos, quizzes and testing staff resilience with fake phishing emails are "No. 1"
- Educating supply chain partners – "They can also be a weak link, letting someone into your network who shouldn't be there but who gains access through them".
- Better password control – "The old 8-letter password doesn't cut it any more. Use 12-16 characters or, even better, use a long password like the lyrics to a favourite song – no one will be able to guess that."
- Give security leaders the influence they need to be effective and make cybersecurity everyone's issue, not just that of the IT department.
- Make cybersecurity more relevant by talking less about security and more about the trust enjoyed with customers and stakeholders.
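Miller's password tip can be turned into a policy check. The example below is added here and is not code from Aura or the article: it estimates the brute-force search space of a password from its length and character classes, enforces a 12-character floor, and screens the normalised phrase against a small denylist. The 60-bit floor and the denylist entries are assumptions chosen for illustration; the estimate is a naive upper bound, so a real deployment would check candidates against a breached-password list rather than this toy set.

```python
import math
import string

MIN_LENGTH = 12           # the floor Miller suggests in the article
MIN_ENTROPY_BITS = 60     # assumption: illustrative brute-force floor
# Constructed denylist standing in for a breached-password list.
COMMON_PHRASES = {"password123456", "letmeinletmein", "correcthorsebatterystaple"}


def charset_size(password):
    """Size of the smallest alphabet that covers every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def estimated_bits(password):
    """Naive search-space estimate: log2(charset_size ** length).
    Overstates the strength of anything an attacker can find in a wordlist."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password, min_length=MIN_LENGTH, min_bits=MIN_ENTROPY_BITS):
    """Apply the length floor, the entropy floor and the denylist.
    Returns a dict with the verdict and the reasons for any rejection."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    bits = estimated_bits(password)
    if bits < min_bits:
        reasons.append(f"estimated {bits:.0f} bits is below {min_bits}")
    normalised = "".join(password.lower().split())
    if normalised in COMMON_PHRASES:
        reasons.append("matches a known common phrase")
    return {"ok": not reasons, "length": len(password),
            "bits": round(bits, 1), "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: the "old 8-letter password", a 12-character one,
    # and a long lyric-style passphrase.
    for candidate in ["Tr0ub4d!", "Tr0ub4d!Hr5x",
                      "we all live in a yellow submarine",
                      "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate))
```

The eight-character sample scores roughly 52 bits and fails on both length and entropy; the twelve-character version passes; the 33-character lyric scores far higher from length alone, despite using only lowercase letters and spaces. The last sample shows the caveat: a phrase that is long but widely known is rejected by the denylist, which is the check that a length rule alone cannot provide.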
Finally, says Miller, accept that there are multiple security threats out there – and it is becoming so commonplace and easy to do that even 16-year-olds with do-it-yourself kits are getting in on the act.