Thirty years ago, in the world of landlines and post offices, we couldn’t have imagined how deeply technology would have entwined itself into our lives. Tech now tracks us from home to work, to the gym and the pub, watching what we buy, click on, who we contact, and even knows when we’re expecting a baby.
That personal information is stored in hundreds or even thousands of online systems. It’s a tempting target for cyber thieves, with devastating consequences for businesses and individuals alike.
Unfortunately, cyber attacks are an increasingly common and sophisticated threat, involving IT complexity that is far outside most people’s understanding. For businesses, a data breach caused by an employee clicking on the wrong link or a hacker breaking into IT systems could create months of expensive and embarrassing headaches.
Ransomware is particularly malicious; it’s a form of malware that infiltrates corporate systems and either encrypts data or threatens to release it if a ransom isn’t paid (this is also known as leakware or doxware). Last month, freight and logistics giant Toll Group suffered its second ransomware attack this year. Attackers accessed corporate server files containing information relating to past and present employees – name, residential address, age or birthdate, and payroll information including salary, superannuation and tax file numbers. The company publicly declared it wouldn’t pay, shut down its IT systems and switched to manual processes. Recovery is ongoing.
Other recent cyber-attacks include one on Lion brewery this month, which interrupted manufacturing and customer orders, and foreign exchange currency provider Travelex, which in January was held to ransom by hackers who stole 5GB of customer data and demanded NZ$8.5m. The company was forced to resort to pen and paper to conduct its business, too.
But I know about scam emails, surely I’ll be safe?
Like all scams, cyber-attacks are constantly evolving to get around preventative measures and attempting to trick targets by taking advantage of global events. Crown agency CERT NZ (Computer Emergency Response Team) said in March it had received reports of online criminals using the COVID-19 pandemic as an opportunity to carry out online scams and malicious cyber activity. In May, ACSC (Australian Cyber Security Centre) published advice to help protect Australia’s critical infrastructure from cyber attack during the pandemic. Likewise in the UK, NCSC (National Cyber Security Centre) published guidance specific to evolving business practice during this time, such as remote working and video conferencing.
At Flux, we’re heavily focused on security. Most businesses, from supermarkets to healthcare, hold sensitive customer data in their digital filing cabinets, which makes such threats particularly concerning and difficult to manage.
New Zealand Police and CERT NZ advise individuals and organisations hit by ransomware attacks not to pay a cent. Not only is there no guarantee that data will be returned, but if you pay, you could be seen as an easy target for another hit. Your money could also be used for further nefarious purposes, going to organised criminals who are involved in drugs and human trafficking. It could even be helping to fund human-rights abusing states like North Korea; a UN Security Council report published last year detailed the country’s use of hackers to raise funds for the Kim regime, as a way of getting around international sanctions. And the North Koreans have been quite successful; estimates are that they’ve stolen funds in excess of US$2 billion so far.
Some common threats to businesses are email compromise, where an attacker accesses an employee’s email account to carry out scams such as sending fake invoices or malware; phishing, where fake emails are sent to thousands of people tricking them into logging onto fake sites to gather data like bank logins; credential dumps, where a list of emails and passwords is published online for other scammers to exploit; and data breach, where private information such as health information, intellectual property, or embarrassing information is released publicly, harming brands and destroying customers’ trust.
Safety first: What you can do to protect yourself
To help protect yourself from scams such as these, take some time to go over government recommendations for businesses and implement its measures, working out a strategy ahead of time. CERT NZ publishes two security guides for individuals and businesses to help you protect your business, and ACSC regularly publishes latest advice on preventing and managing cyber threats, from the basics to the more advanced. NCSC takes this a step further by curating advice for a wide range of readers, from individuals and families to small and medium businesses and large organisations.
A preventative approach might include developing a response plan for what happens if your business is affected; only collecting the bare minimum of information from your customers; keeping operating systems updated and backups current; and installing antivirus software and firewalls.
If you are hit with a cyber-attack, these government agencies should also be your first port of call. They exist to improve cyber security, and work alongside other government agencies and organisations to help us understand and respond to cyber security threats. They will also help direct you to the best next steps to take with law enforcement or technical contacts.
With so much personal data now stored online, infections can be devastating for an organisation or individual alike. Not only is data irrevocably revealed, but an attack can damage brands, interrupt trade, and cost a fortune in IT response. Prevention is definitely the best method of protection.