The changing face of cybercrime across NZ

Are Kiwi businesses sufficiently equipped to fend off cyber attacks? It appears not. We look at cybercrime statistics in New Zealand and discuss the profile of the modern hacker.


“If you spend more on coffee than on IT security, you will be hacked,” American author and cyber security expert Richard Clarke reportedly said. That was back in 2002, but his words are more apt than ever, in New Zealand and abroad.

Baker Tilly Staples Rodway Taranaki Specialist Services director Rob McEwan says statistics show how quickly cybercrime is growing in New Zealand – and he believes cyber attacks are wildly under-reported and that we’re often not adequately prepared.

This raises the question: does your business or organisation know what a cyber threat might look like? Is it prepared for cyber incidents, and does it have cyber security as a separate budget item rather than just as part of the IT budget?

Mr McEwan says: “Most of us would recognise the need for having some anti-virus software on our computers and might have an anti-virus filter on our email gateway, but phishing and credential harvesting are a big threat for New Zealand businesses and we’re probably not as good at taking care of that.”

The statistics

In New Zealand, the direct financial loss resulting from cybercrime incidents reported to national cyber security watchdog CERT NZ increased from $5.3 million in 2017 to $16.8 million last year, according to its 2021 report summary.

CERT NZ, which aims to improve cyber security, receives incident reports, tracks cyber security incidents or attacks, and provides advice on response and prevention. In 2017, its year of inception, 1,131 incidents were reported to the organisation. Last year that figure soared to 8,831.

Anecdotal evidence is that these figures are the tip of the iceberg, says Mr McEwan. He’s found many people are reluctant to report what they see as a shameful financial loss, don’t see the benefit of reporting it or aren’t yet aware of CERT NZ.  

According to the organisation’s 2021 Report Summary, the top three cybercrime activities reported to it last year were:

  • Phishing and credential harvesting (3,709 incident reports)
  • Malware reports (1,930)
  • Scams and fraud reports (1,897)

Malware was the fastest growing issue (up 24% on 2020), then phishing and credential harvesting (up 9%). Scams and fraud were down 1%, but accounted for almost $11.9 million (71%) of the total financial loss reported last year.

The latter encompassed employment, “business opportunity” offers, the buying, selling or donation of goods online, unauthorised or falsified money transactions, and more.  

Profile of a hacker   

Today’s hackers are often well-educated (they may have studied computer science at university) and can hide their location, wherever they are in the world, says Mr McEwan.

Organised crime syndicates employ large groups of hackers, but whether they’re working alone or for others, all hackers need is a computer and a bit of time to conduct cybercrime activities. “They are well positioned to take on the challenges that the software presents because they’ve studied it and learned all about this stuff,” he says.

One way they infiltrate people’s accounts is through the many websites that hold millions of usernames and passwords obtained through nefarious means. Hackers can download these in bulk, then set up and walk away from a script that quietly tries them against commonly used accounts and services, such as Netflix, Facebook, and LinkedIn, and any matches will be waiting when they return.

Years ago, upon gaining access to people’s personal accounts, hackers wreaked havoc as quickly as possible then got out, afraid that they would be discovered and held accountable. These days, they’re likely to quietly observe what’s happening on your network, how far their reach might extend and decide how to exploit their access in the most beneficial way possible.

If they take money from you, they’ve got multiple ways to quickly siphon it out of your account and move it offshore. Occasionally it is recovered, but once it’s left the local jurisdiction, it’s usually gone for good.

And when companies like Microsoft or Adobe release patches to correct security issues, hackers immediately reverse-engineer them to find out what they were fixing, then go after computers that haven’t been patched yet. “They now also look at what’s been patched to see if there are similar vulnerabilities in other parts of the software,” says Rob. “The hackers are getting more sophisticated. It’s a cat and mouse game.”

There are plenty of ways hackers can find and utilise weaknesses, so next week we’ll release another article that covers how you can help protect your personal and workplace data.
