OPINION: As Kiwis prepare to trade their keyboards for beach towels this summer, a less festive group is gearing up for peak season – cyber scammers, the Grinches of the festive period for small to medium businesses.
A recent survey conducted by Microsoft found only eight percent of small businesses had managed to evade cyber incidents. With half of NZ small businesses (SMBs) boosting their cyber budgets by more than 10 percent in the past year, it’s evident that cybersecurity has become a paramount concern, surpassing even business growth and customer retention as the top priority for nearly 30 percent of all businesses.
There are several reasons why this time of year is especially risky in terms of cybersecurity. Retailers and hospitality businesses will be ramping up for the busiest time of year, hiring temporary seasonal staff who don’t always have the same familiarity with security processes (or worse, share logins), and simply seeing much higher volumes than usual. Meanwhile, other businesses will be operating on skeleton staff or closing down for the break, potentially leaving the digital back door unguarded.
Scammers and cyber criminals know exactly how to time their attacks to tie in with these kinds of events, whether it’s crafting emails that cleverly look like a Boxing Day deal or masquerading as an urgent Microsoft alert about a “cyber breach” when you’re at the beach. Especially in the age of artificial intelligence (AI), with threats evolving all the time, it’s essential to always remain vigilant about cyber threats.
So, what can Kiwi small and medium businesses do to help stay safe over the holiday period, and what should they look out for?
Many of the usual rules apply to SMBs just as they do to regular consumers:
- Avoid clicking on links in emails – always check the official website of the organisation to make sure a deal or a notification is legit, especially if it wasn’t something you were expecting.
- Set up multi-factor authentication – when websites and services offer the option of receiving a code or logging into an app to verify your identity, do it. Microsoft has found that this stops 99% of password-based attacks in their tracks.
- Keep your tech up to date – When your device asks you to update to the latest version, most of the time the update contains security fixes that plug the security holes on your device. The sooner you update your device, the sooner you are protected.
However, there are a few extra things businesses can do to ensure their cyber security processes are as robust as possible:
- Adopt the Essential Eight – New Zealand’s National Cyber Security Centre has guidelines for businesses to boost cyber resilience. Australian businesses follow a similar Essential Eight approach, which is broken down step by step. As well as MFA and regular systems updates, this includes restricting administrative privileges, restricting applications and web browsers from running certain kinds of scripts, macros or ads that can contain malicious code, and automatically backing up data. There are a lot of different recommendations under each step to help make your systems and data even better protected.
- Test your rapid-response plans regularly – While 85 percent of NZ businesses have cyber insurance and rapid-response plans, the time to realise your response has a few gaps is not when a journalist is on the phone. A good plan should always include regular crisis simulations – every six months – to test different aspects of the cyber response. This is crucial to ensure all processes are working smoothly in a whole range of different scenarios.
- Develop a cyber recovery strategy – The key rule of thumb is to always assume you’ve been breached – the Zero Trust approach. Only around half of Kiwi businesses are equipped with strategies for recovery after a cyber disaster. Rebuilding is actually the most challenging, and lengthiest, part of dealing with any attack, and having a plan to get back on track should disaster happen will save months of hassle (and potentially a great deal of money).
- Harness AI – AI is being widely adopted, and that includes by cybercriminals too. Generative AI can help produce more professional-looking scams. Just as some cyberattackers use company websites to get the names and contact details of senior staff, then spoof their email addresses to trap employees with “urgent” requests, we’re likely to see more personalised attacks. In future, AI will increasingly be used to gather details from social media accounts to target people more effectively. Employing AI tools to counter AI-powered criminals will be core to a solid defence, so make sure to ask your IT provider about the tools now available.
While there’s never a 100 percent foolproof way to keep the cyber-Grinch from your door, taking these steps will help keep tills ringing and stop unwelcome guests from coming down the chimney this Christmas.