Cyber criminals go global and Kiwi companies are mostly ill prepared for their siege. Easy tips to keep your company on guard
What’s disturbing is that New Zealand companies are ill-prepared to cope with the onslaught of cyber crimes, with some companies having an antiquated understanding of the reality hitting them, they say.
The cost to businesses from these cyber attacks is estimated to be as high as $450 million per year.
Every day, security company Trend Micro detects 100,000 new pieces of malware, 55,000 new spam sources and upwards of 60,000 new bad URL links, says Peter Benson, senior security architect at Trend Micro.
“The globalization of cyber crime is definitely affecting New Zealand. The cyber crime industry [worldwide] is getting close to being worth $100,000 billion a year, which is more than the security industry,” Benson says.
The risks of cyber attacks are increasing given the move towards conducting our daily lives on the internet.
PwC director of risk and control solutions Adrian Van Hest says: “More and more of what we do is powered through computing and the web – such as the bills, Internet banking – it’s all online.”
Many businesses are ill equipped security-wise to deal with the new threats and need to adapt to the changing landscape.
“We’re still seeing organizations existing that understand the security landscape as being what it was 10 years ago. The reality’s so far different from that,” Benson says.
Not prepared for threats
Surveys have shown that businesses are aware of the risks, yet feel like they are ill equipped to deal with them.
Nearly half of the 500 New Zealand businesses surveyed (45%) feel as though they are unprepared to fight cyber threats, according to a survey conducted by the University of Waikato for Vodafone in October.
The primary industry – the backbone of our economy – has been singled out among the business sector as having the worst understanding of cyber security threats.
The feeling of unease was also evident in PwC’s 2014 annual CEO survey, which reported 48% of global CEOs are concerned about cyber threats to their organization.
Source: PwC’s key findings from The Global State of Information Security® Survey 2015
One reason businesses in New Zealand may feel a bit behind the eight ball is a lack of knowledge of how many cyber crimes happen here, owing to privacy laws, says Van Hest.
Despite cyber crime occurring regularly, New Zealand is currently one of the few countries where it’s suggested but not required for organizations to give “breach notification”.
This means businesses and organizations don’t have to report when information has been compromised – or a cyber crime has occurred – which Van Hest says contributes to the perception that cyber crime doesn’t happen here.
“In most other countries, the reason why you get to hear about credit cards being stolen and other incidents, these organizations have to do it by law. It’s duty of care.”
Van Hest says the New Zealand public and fellow businesses tend to only hear about it when people whose privacy was breached come forward and talk to the media.
This was the case in the ACC privacy breach in 2012, when an ACC manager accidentally sent more than 9000 ACC claims to a member of the public in an email.
“It’s treated as an anomalous thing, where in reality it’s more likely to happen, because we don’t have the training or education implanted to prevent it,” Van Hest says.
How to stay protected
An independent report by the Privacy Commissioner in 2012 found ACC had an “almost cavalier” attitude to claimants and their personal details.
Client information is one of the key things to keep protected, Van Hest says, as losing a client’s trust can make businesses go under.
Not only trust can be lost, but serious money, too – the damage control of Target’s security breach in 2013 of 40 million credit card numbers has been estimated to run into the billions by analysts.
But Van Hest advises against referring to the high profile cases for what to do about your company’s security, as it’s not a “one size fits all” solution.
“What people make a mistake with is they tend to focus on the headlines and what the big risk is out there. I encourage businesses, particularly smaller ones, to take the opposite approach,” he says.
Aside from the basics, such as good antivirus software, he says key advice given by professionals is to ask yourself what’s valuable to your organization and would be seen as a high value asset in terms of the information you have and the digital functions you perform.
In smaller companies this could be intellectual property; in bigger companies it could be the large database of people’s details, he says.
The weakest part of security is almost always the space between the keyboard and the chair, as was the case with ACC’s breach, according to Benson from Trend Micro.
“Awareness training for staff, particularly around email, is always warranted,” he says.
He says employees need to watch out for carefully crafted emails containing malware encrypted in Microsoft Word or PDF documents, as well as for plugging in Android devices and tablets, such as iPads and phones, that have an infected file on them that can spread through the organization.
The other tip Benson gives is to apply a degree of cynicism before jumping to embrace new technology, such as mobile payment systems.
“Assume cyber criminals are not far behind new technology. We already know with mobile payment systems, they’ve set their sights on high value targets.”
Future of more advanced cyber crimes
Trend Micro’s 2015 prediction report says increased cyber activity will mean bigger, better and more successful hacking attempts and tools, as well as targeted attacks becoming as popular as cyber crime.
With technology constantly expanding, the smarter solution seems to be to stay on top of cyber risks before they get worse.
“The technology in the future will solve today’s [cyber crime] problems, whether it will solve tomorrow’s problems I don’t know,” Van Hest says.
He says businesses should ensure they get to the “root cause issue” of what is the most important to the company and protect it, which will help in the long-term when cyber crime becomes more advanced.