Cyber resilience and the Covid effect
18 Oct 2021
While this week is officially Cyber Smart Week in Aotearoa New Zealand, you would be forgiven for thinking that every week is cyber week. It seems that not a day goes by without news about another cyber attack or breach, or the introduction of new laws to fight cybercrime in some part of the world. There is no doubt that cyber attacks are on the increase and everyone needs to play their part in understanding the risks our increasingly online lives present. So, what has happened in cyberspace in the past year, and what impact has Covid had on cyber trends?
There has been a number of high-profile cyber attacks this year. First was an attack on the Reserve Bank of New Zealand, which recently resulted in the first-ever compliance notice being issued by the Privacy Commissioner under the Privacy Act 2020. In May, it was the Waikato DHB’s turn. They were subject to an extended ransomware attack which resulted in a temporary return to a paper-based system for the DHB, and, in September, the release of the personal information of some 4,200 individuals. Denial of service attacks were the order of the day during September, with Vocus NZ (who owns Orcon, Slingshot and Stuff Fibre), NZ Post, Inland Revenue, MetService, Kiwibank and ANZ all affected. Of course, these are just the attacks we read about in the news, and don’t include the countless families, individuals, and small businesses affected by cyber attacks.
There are a number of organisations in Aotearoa working hard to keep us safe online. CERT NZ is one, providing information and advice to reduce risks of cyber incidents for individuals and businesses. They also report some, at times, very sobering statistics about the cyber threats faced by New Zealanders. Their latest report shows a slight decrease in the total number of incidents reported this quarter to 1,351, but a 30% increase in financial loss of $3.9 million. There has also been an obvious trend emerging since the onset of Covid-19 in early 2020 with steep increases in incidents during the quick move to working-from-home when the virus hit. This change to working-from-home has been linked to the global increase in cyber attacks. Experts say that this move has created network vulnerabilities, and poor personal security has made the issue worse. People at home often use unsecure devices or personal accounts which allows attackers an opportunity to infiltrate a network.
The problem with cyber attacks is the lack of boundaries that apply. Aotearoa is all too familiar with catastrophic natural disasters which have the potential to devastate an area, but cyber attacks can impact Aotearoa, Australia, the United States, and Luxembourg, all at the same time. Ransomware in particular, is becoming more common around the world. In Aotearoa, there has been a 150% increase in ransomware in the second quarter of 2021, compared to the first quarter. Ransomware encrypts a victim’s computer and a ransom must be paid to recover their files. “Double extortion” is also now becoming increasingly common. This is where not only is a ransom demanded to unlock the files, but there is a further ransom requested so that any information stolen during the attack is not released.
In comparison to Aotearoa, Australia has faced a 15% increase in ransomware over the past 12 months. That figure, however, is enough to prompt the Australian Government to take action to combat ransomware. On 13 October 2021, Australia’s Minister for Home Affairs announced the launch of the Ransomware Action Plan. The Plan proposes a number of steps to make Australia a less attractive target for cybercriminals. This includes the introduction of a mandatory ransomware incident reporting regime which would require anyone making extortion payments to notify the Government. This may affect insurers in particular, who currently cover extortion payments, should their insured choose to meet a demand.
Some of this information can be confusing, which is understandable when we are dealing with the complex world of technology and cyber security. So, what simple resources are available for people to use to help protect themselves online? One place to go is CERT’s top 11 tips for cyber security. These tips include creating strong passwords, using multi-factor (or two-step) authentication, and being careful about what information you post on social media. Multi-factor authentication in particular, is simple to do, and research in the United States shows that it can potentially block up to 99% of bulk phishing attacks, which is where an attacker sends out large amount of fraudulent messages in an attempt to obtain someone’s sensitive information.
Small businesses may also want to consider adding cyber insurance to the insurance policies they take out each year. You must remember however, that a cyber insurance policy is not a replacement for protecting yourself against cyber threats, it is just one part of good cyber hygiene. Cyber insurance can help manage the response to a cyber attack. It can cover incident response, system remediation, defence costs if you are sued by a third party or charged with breaching legislation, reputation management, and extortion or ransom payments. It is also possible that some of your other insurance policies may provide some limited cover in the event of a cyber attack. If you are looking to insure yourself or your business against cyber risks, it is best to speak to your broker.
The risks presented by our online lives and connectivity can seem daunting, but the best place to start is by educating yourself. Check out CERT’s resources and guidance to learn more about some of the risks we face and what steps you can take to up your online defences. This Cyber Smart Week, it’s time to Cyber Up Aotearoa!