Not only is the level of cyber threat increasing in New Zealand but the nature of the threats is becoming more complex and the sources of them more diverse. One report says that organisations are relying too much on technical solutions for defending themselves against the increased risk of cyber attacks and data breaches.
If anyone was in any doubt about the importance of cyber security in New Zealand today, Andrew Hampton, director of the Government Communications Security Bureau put it very succinctly in a recent address. He said that not only is the level of cyber threat increasing – the NCSC recorded 338 cyber incidents in the 2015/16 year, compared with 190 in the previous year but “the nature of the threats is becoming more complex and the sources of them more diverse”.
Hampton told the New Zealand Institute of International Affairs in November that there’s a growing range of international threat actors, targeting New Zealand organisations for financial gain or as a means of advancing their own position.
“New Zealand organisations, both public and private, have a wealth of information which is attractive to others – whether intellectual property for a new technology innovation, customer data, business and pricing strategies or government positions on sensitive topics.”
He says that in part the increase in recorded incidents reflects increased detection of threat activity by GCSB’s cyber defensive capabilities, particularly CORTEX and this will continue as GCSB develops relationships with its CORTEX customers and makes its cyber defensive capabilities available to them.
CORTEX is a project to counter cyber threats to organisations of national significance – e.g. to operators of critical national infrastructure and Hampton says it involves GCSB implementing capabilities to protect these organisations against advanced malicious software (‘malware’). In some cases, malware is passively detected. In others, it is actively disrupted or ‘blocked’.
“In terms of the types of incidents we are seeing, phishing – often clever, socially engineered email intended to make the recipient open an attachment or visit a website which contains a malicious file, and ransomware are some of the common types of harm being reported to us or being detected by our capabilities.”
Hampton says cyber threats are very real, and New Zealand’s relative geographic isolation offers no protection in our globally interconnected connected world.
So, what’s a business to do?
Advisory firm BDO is urging businesses to get back to basics to ensure they stay ahead of potential cyber security breaches.
In December, the company released the results of its inaugural cyber security survey, done in conjunction with AusCERT, which found that although general awareness of cyber risks had improved, organisations were relying too much on technical solutions for defending against the increased risk of cyber attacks and data breaches.
BDO New Zealand’s national leader for risk advisory, Andrew Sloman said in a statement that the people and process component of cyber defences must be addressed if organisations want to improve their cyber resilience.
“Getting back to basics and understanding the risks, defining baseline security standards to address these risks, and then enforcing these standards, while monitoring how well they are implemented, is critical to improving the maturity of a business’s cyber security posture.”
The report revealed around 40 percent of respondents had security standards and cyber risk management guidelines in place for their supply chain – including third party providers, and the cloud.
Thomas King, general manager at AusCERT, said the fact that less than half of the respondents had security standards for their supply chain was concerning, considering most organisations were becoming increasingly connected to the internet and were highly reliant on third party providers and applications for running their businesses.
“Without proper security standards and oversight of the cyber security risks in their supply chain, businesses risk losing control over the security of their operation.
“As the use of cloud solutions increases, organisations need to prepare themselves by having the right tools and processes in place to manage security risks directly under their control.”
Sloman says transparency around an organisation’s data sources is the best way to address this issue.
“Organisations can start with the simple step of identifying the key data sources and applications they have outsourced to third parties and ensure these have effective security controls in place.
“This will provide them with insights into the cyber risks in their supply chain and what strategies they need to implement to make them more cyber resilient.”
Sloman said the survey findings reinforced the fact that awareness of cyber risks had improved in recent years among business, however there was still not a true appreciation of the consequences and impacts of cyber incidents.
“Although businesses have adopted good security technologies, their cyber security processes and practices are relatively weak,” he said.
“For example, 40 percent of organisations are able to detect security incidents, and 52 percent of organisations are performing regular security risk assessments… But only 21 percent of organisations have a security operations centre in place to investigate and respond to security incidents that may occur and, only 49 percent of organisations regularly report cyber risks to the board.”
A specialist in ransomware, Chester Wisniewski, principal research scientist at UK company, Sophos, who is based in Vancouver, told Management that while it is thought around half of companies have been affected by ransomware, he believes it is could be more and that it’s under reported. He said it was important for companies to realise that the cyber criminals have no idea who the victims are.
“It’s spray and pray. They target 100 million people with fake emails, and maybe 100,000 open them.” They then block the company’s access to its own data and ask for money to unlock it.
Wisniewski says US$500 is the standard amount and if you don’t pay within 48 or 72 hours they will double the amount.
The ransomware “locky” is more common in Australia, NZ and Japan and there have been 40 to 50 variations in the last year or two. He says early on, when the number of criminal groups doing this was smaller, they did unlock the data once payment was received but more recently some groups are not bothering to do so.
A more targeted attack might be to steal information or IP and Wisniewski says in those cases they are seeking passwords and with this, mobile can be a risk, as it’s easier to be fooled on a mobile device and to log into something that is not a legitimate site. On a mobile phone you are looking at a pared down website whereas on a desktop you can see what the website really looks like.
So, what can companies do? Wisniewski says at the bigger end of the market, there are three elements involved – people, training and process.
Processes are around training your people and explaining that the type of thing they might see to raise general awareness. Tell them if they suspect ransomware, pull out the network cable.
Have a process so they know to turn the computer off to limit the damage. It means ensuring that you keep people aware that email attachments can be dangerous.
“Try to mitigate the risk through behaviours, as well as technology.” Number one is to have backup solutions.
There are some ransomware solutions on the market and he encourages businesses to look at these, to report any incidences to the police as well as to look at insurance.
One point, he says, which calms everyone down, is to note the ransomware criminals don’t have your files – they are just making sure you can’t get them. They don’t have access to your information. Don’t panic if you have important documentation, no one else can see it. “They have just put an industrial grade lock on your stuff.” M