As many businesses have upskilled and adapted to working in an increasingly digital, cloud-based manner, there is an increasing need to upskill in the space of cyber security as well – with cyber attacks on the rise as more people work from home.

However, while the threat is very real, recent research from global information technology company Unisys show that only 22% of Kiwis were concerned about the risk of a security breach while working remotely, and 26% were concerned about the risk of being scammed.

Given the recent high-profile cyber security attacks on platforms including NZX, Radio NZ and Metservice, it’s a timely reminder to upskill and take the appropriate measures to protect your data.

We asked Tony Snow, Chamber board member and director of IT company Stratus Blue, for some top tips on the subject to help businesses. 

In layman’s terms, how do you describe cyber security and why is it so important?

Security in the digital landscape is much like that in the physical world. Customs officials are scouring the networks and data to see who has the right to enter the ‘country’ (your network) and who they send back home.

Border control allows the right data or ‘people’ into the country, vehicles that have the right keys for the locks to transport data and when the destination is reached, does the hotel or house have an alarm or are the doors locked or not?

However, the level of sophistication for fake passports and over-stayers has got smarter over the years.

If any of these pieces are missing, you could be letting anyone have access to data and can then use it for other purposes, encrypt it for a ransom or bombard you with more and more visitors/ unwanted guests until all systems crash (recent NZX attacks)

With more and more activities occurring online – and reported 20 billion devices worldwide access internet  – more and more breaches and security attacks are going to occur.

What are some potential threats that businesses need to be aware of in the cyber space?

It is not the kids in their bedrooms pinging servers to find the one left unguarded to worry about… these days hackers are part of organised crime cartels, driven by a commercial imperative.

1. Common threats such as online identify and credential theft are becoming a bigger threat globally as we all store more information such as credit card details and government-issued documents (Drivers license/ passports etc.)
2. Denial-of-service (DoS) attacks aim to restrict or impair access to a computer system or network. They typically target servers to make websites and payment services unavailable, preventing legitimate users from accessing the online information or services they need.
3. Ransomware is a type of malicious software that denies a user access to their files or computer system unless they pay a ransom. This typically encrypts files so that you can no longer read / understand or access them – unless you pay a ransom to get the ‘key’.
4. A common type of email scam. The sender pretends to be a trustworthy organisation in an attempt to get you to provide them with personal information. It generally affects many people at once, and targets them at random.
5. Spear phishing and whaling scams are much more targeted in their approach. Their goal is to get information about a company or organisation from someone who works there. Whaling specifically targets the management or executives in a company: The ‘big fish’. These are usually the people who have the most authority and the most access to sensitive business information. It’s important to note that spear phishing and whaling attacks can be a precursor to another, more serious attack.

How does NZ compare to the rest of the world when it comes to our cyber security literacy and protocols?

In New Zealand, our she’ll be right philosophy, may no longer be accurate. Do not think that small businesses are not a target. In fact, you are probably been hit right now.

All the cyber criminals see is an IP address. Like the old phone book, they are just hitting numbers and don’t care about what size business or what you do. It is just a string of numbers. Granted, bigger companies are targeted directly, but credentials or even small business computers may fall in the hands of someone that has paid for access to them and you end up inadvertently buying missiles or other unwanted items, or be taking part in attacks on organisations, such as the recent oldest and crudest form of attacks on the NZX.

Cybercrime is growing and although our physical borders are closed, the virtual ones are not. Individuals, governments and companies play by the rules, but the people trying to attack your systems don’t. New Zealand small businesses are still behind in literacy and awareness of these issues. There are security awareness training programs that all businesses should go through and be kept up to date with. The new Privacy Act coming into force in December 2020 is also changing to take into account some of the cyber threats and leaders should be aware of these changes and liabilities.

SMBs need to take this seriously. Connection to the rest of the world via the internet is an invaluable asset for New Zealand and it has bought the rest of the here. New Zealand is a great test market for new technologies as well as new ways to break those technologies.

The last few governments have been looking at the growing trend of cyber protection and have implemented CERT.govt through MBIE to focus on cyber security. A number of education institutes are also providing research with businesses, such as University of Waikato’s  STRATUS project.

What are a few common mistakes businesses make in the cyber security space?

1. Not taking it seriously.
2. No governance, policies and procedures around IT systems, including off-boarding of staff, contractor data access or loss of mobile devices.
3. No security training and awareness of malicious emails etc.
4. A guest wifi not separated from admin or operational internet access.
5. Mobile phones connected to business internet.
6. Improper technology tools and processes. No backups, no disaster recovery plans. A synchronisation is not a backup and email/data in the cloud is not necessarily a back up.

What are some of the top cyber security challenges facing businesses in a COVID-19 world?

Currently cyber is a challenge for modern business leaders, particularly in an environment in which more people are working remotely online.

COVID has seen the mass evolution of the Remote Office and Branch Office (ROBO), and protecting distributed data and systems for robust business continuity is becoming a challenge. Not only do we need to provide the services and products of our business – now business operators are meant to become technology and security experts as well, and do this without adding risk or financial pressure onto the business.

What are the top five ways a business can start protecting their digital assets?

1. Install software updates. Patches add new features to software, but also they often fix security vulnerabilities.
2. Backup key data. Have a backup of key data including email, therefore if any malicious attacks occur, a backup can be restored.
3. Implement multifactor authentication (MFA or 2FA). With privacy and customer information access and security becoming a legal requirement, anyone who logs in to your system will need to provide something else on top of their username and password, to verify that they are who they say they are.
4. Implement security awareness training for users. Train your staff to know what to look out for. Make sure they understand what to do in certain circumstances.
5. Secure your network and think about the connections both going in and going out of your business network when you start thinking about how to secure it. Put Antivirus and key technology tools on all devices.

Some other key items to note with new Privacy Laws coming into play:

• Create a plan for when things go wrong!
• Only collect the data you really need and be clear on why you need the information you have.
• Conduct penetration testing and disaster recovery planning initiatives every quarter.

What do you see ahead in the next six to 12 months in this space? What can businesses expect? How might this area develop? Will there be new technology or regulations?

Privacy and security is continually developing.

Government regulations will change as we are seeing. Malicious activity will continue to evolve with Artificial Intelligence and machine learning, meaning that the ‘good guys’ will need to be smarter and quicker.  Cyber security specialists will be one of the hot jobs in the coming years!

Not only do we need to be smarter than the ‘bad guys’, we need to take cyber security to a much more granular level to all our IT systems. We also need to rapidly ramp up the number of experts we have in the field. We need to encourage more students to take up cyber security as a discipline as they think about career paths and getting into the workforce.

It’s the IT community’s responsibility to ensure clients are protected against cyber threats, and we are striving to bring standards to small business New Zealand.

Stratus Blue are holding an event on this subject, looking at the Privacy Bill 2020, the changes to it and cyber security. You can find out more here.