Close

What you need to know about NotPetya and the 'new norm' of hacking

The recent NotPetya ransomware attack has caused havoc around the globe - and is the second major ransomware attack this year. Peter Bailey, general manager at Aura Information Security, chats with Idealog digital editor Ben Mack about what it means, what New Zealand businesses can do to protect themselves, and if this is the new norm.

Idealog: As everything goes digital, are New Zealand businesses and institutions prepared?

Peter Bailey: In a nutshell, no. There is often a misconception that we’re safe here in New Zealand, far away from scary cyber hackers. It’s a classic case of the Kiwi ‘she’ll be right’ mindset – we know that these events occur, because they make the news headlines all the time, but don’t believe it will ever happen to us or our business.  The recent NotPetya ransomware attack, which affected several well-established New Zealand businesses, is evidence of the fact we aren’t exempt. The reality is cyber security isn’t something you can just dip in and out of – it’s an ongoing thing. Protection against cyber-attack is simply part of running a business in this day and age. It should be considered part of the operating cost. 

When a business operates online it puts both its own data, and those of customers, at risk. This is why cyber security requires an ‘always on’ mindset.

Research conducted by Kordia in March this year showed New Zealand businesses are not as prepared as they could be when it comes to cyber security. 25 percent of New Zealand businesses surveyed believed they did not have enough tools available to them to make informed cyber security decisions. Furthermore, 20 percent stated their company had no policies in place relating to online security. Of those that had security measures in place, only 70 percent of respondents were confident these measures would effectively prevent a cyber breach, and just 64 percent were confident their business would cope if a significant security breach did occur.

Do we know the risks?

It’s fair to say most businesses understand there is a risk. However, unless they’ve been breached they probably don’t have a full understanding of the risk to their business – and just how much impact an attack could have on the day-to-day running of their business. This is something businesses such as Cadbury, which was targeted by NotPetya, found out the hard way.

In many cases, businesses won’t even know they’ve been breached. According to Ovum, on average it takes 510 days to detect a cyber breach. What’s more concerning is that 55 per cent of them are detected by an external source.

The important thing to remember with cyber security risk, is to treat it like any other risks for your business – understand the risk, what the mitigations are, and what the residual risk impact looks like. We regularly see businesses not understanding the impact of a breach on their bottom line. For example, if your business receives a large amount of its revenue from online purchases, and your site is compromised for an extended period of time, how will this hurt your business? If your business doesn’t have a strong password policy in place, and access to a critical system is compromised through this, what impact does this have on customer privacy, or trust in your brand? These are some fairly basic examples of the types of risks that we see in the market.

With things like NotPetya, are such attacks the new norm?

Not necessarily. NotPetya and WannaCry are just two examples of well-publicised cyber-attacks, and both are examples that use ransomware (software that locks data and is freed only when a ransom is paid). Ransomware cyber-attacks have become the single greatest online security issue in terms of number of attacks, however there are multiple forms of cyber security breaches including extracting information from a database without alerting the database owner; denial of service attack where legitimate users can no longer access your web application; and physical attacks, where attackers get on-site to gain access to your network.

Cyber-crime is ever-evolving as are the types of threats facing businesses – this is why the cyber security market is expected to grow from US$122.45 billion in 2016 to US$202.36 billion by 2021.

Cyber criminals are becoming more and more sophisticated, however, in our experience, the same approaches that have been used for years by hackers are still the most effective – the most effective of these being social engineering. This can include tricking an employee into clicking on an infected link, revealing a user name and password or paying an invoice that looks like it has come from a legitimate source. The shift from physical to digital workspaces certainly means that cyber-attacks are becoming more frequent and this constantly evolving landscape reinforces the necessity for regular communications, training sessions and awareness initiatives.

If we’re seeing attacks on the scale of things like NotPetya, how can New Zealand businesses – or even individuals – possibly cope or be prepared?

Absolutely. There are a couple of ways to minimise the risk of an attack – to sum it up in two words, it’s all about preparation and education.

  • Make cyber security part of your organisation’s culture – encourage staff to be cyber-aware, and let them know what to do if they notice anything suspicious.
  • Educate staff – run simulation exercises (fake phishing attempt or similar), run a training session.
  • Have the right policies in place – especially for passwords, BYOD, regarding password complexity, and provide a ‘report an incident’ function.
  • Take proactive precautions to protect your business – patch regularly, run regular back-ups, ensure anti-virus is in place, and do regular audits of your technology so you know where there may be vulnerabilities (e.g. legacy code).

Most security breaches can be attributed to employee error - or ignorance. Employees who use weak passwords or use the same password across personal and work accounts can prove to be the weak spot that hackers use to penetrate your business. Therefore, a cyber security mindset should become an ingrained part of company culture, where all employees and staff take responsibility for information security.

Having basic cyber security training as a part of employee training and/or new employee induction is a great place to start – in fact, it should be compulsory. Kordia’s specialist cyber security arm Aura Information Security recently launched an e-learning tool, which is designed to provide businesses with the ability to educate staff whilst also identifying areas for improvement and a great option for training staff.

In the case of ransomware, our advice is here: https://www.aurainfosec.com/news-and-events/files/notpetya-what-you-need-to-know-and-do.html

Do you think we could ever see a decline in hacking?

It seems very unlikely that there would ever be a decline in hacking activity. Society is moving towards a more interconnected world. As we see the rise of the Internet of Things (IoT), we are going to see more and more activity happening digitally, and this in turn will increase the attack surface for hackers. Unlike in the past, when hackers may only have been able to research your details or networks through a computer or smartphone, they may now be able to do this through your web-enabled fridge. IoT will also be used more frequently in the future in areas like transportation or medicine, where attacks from hackers will have more far-reaching or even life-threatening impacts.

As the rewards for hackers continue to grow, alongside the greater use of interconnected devices,  we will continue to see an increase in hacking activity.

Do you think technological advancements, like what we’ve already seen, are worth the hacking risk?

Yes. We are in a new revolutionary phase in working practice - what is being called the third industrial revolution. The way that our society functions today requires greater levels of connectivity and the automation of many tasks. Anyone who stops implementing these changes will be left behind, as other businesses move forward taking advantage of these changes.

What we have to try and do is become smarter about developing and implementing these changes. When the Internet was first developed, it was an inherently insecure system, because it was about sharing information, not protecting it. We have pushed the internet to its limits, using it for activities it was never designed to do.  We have an opportunity now, with the new functionality that is being developed, to create it with security in mind. If we start to build inherently secure products and networks, we make it more challenging for hackers to find the holes they are typically looking for.