Being cyber-secure is now a business issue, not an IT issue, and taking practical steps to protect your business against a cyberattack is critical.
CERT NZ (Computer Emergency Response Team - a team operating since April 2017 as part of MBIE, handling cyber security incidents) issued a report recently covering its first 3 months of operation. This report indicated that CERT had received 364 reports of cyber incidents in that period, with phishing, malware, unauthorised access, scams & fraud and ransomware accounting for roughly 70% of those attacks. Reported losses from those incidents totalled over $730,000, including: data loss (including business records, personnel records, IP); operating impact (time required to recover from an incident, and impact on BAU operations and productivity); financial loss (money lost as a result of the attack, costs of recovery, investments in new systems or support arrangements); reputational loss; and other losses (e.g. costs arising from having infected customers or suppliers).
If New Zealand follows overseas trends, we can expect the attacks to increase at a frightening pace. Hackmageddon estimated that, as at April this year, 75% of the attacks are criminal, followed by espionage (20%), "hacktivism" (4%) and cyber-warfare (1%). Hacking is a global business (the top 5 hacking countries are thought to be China, USA, Taiwan, Russia and Turkey) with hacking now the focus of much organised crime. The nature of existing laws, and the difficulty of finding the individuals responsible for an attack and then proving wrong-doing, mean that the law does not represent an effective deterrent to the hacking community.
Enforcement agencies the world over (including NZ) are getting better at shutting hacking sites down, but the hackers simply respond by "being better" next time. If we were to assume that Moore's Law applied equally to the development of ever more effective (from the hackers' perspective) hacking tools as it does to the creation of ever more effective micro-processing chips, it would seem that cyber-attacks will become more and more virulent, and the work of cyber crime enforcement agencies ever more critical.
Given how critical a business's data is to everything the business does, all who run a business should take decent steps to protect themselves against cyber attacks:
- Always update your operating system (two of the most widespread attacks in 2017 were spread through operating systems that were not kept up to date with new versions when made available)
- Be very careful with enabling macros in software
- Back up files regularly (to the cloud, or a standalone hard drive)
- Install appropriate anti-virus software (and keep it updated)
- Adopt IT policies applicable to all staff, and make sure they are followed (e.g. not clicking on strange links, installing updates, not sharing passwords etc.)
- Identify business critical assets, and consider whether more protection is needed to secure them
- Consider cyber-attack insurance
Dismissing cyber security as an "IT issue" and "we're so small, it's not relevant" is simply not good enough anymore.