New independent research commissioned by Aura Information Security paints a stark picture of what New Zealand companies face in the cybersecurity fight. In the past year, more than half of companies were hit by a successful ransomware attack, with one in five companies claiming the attack seriously disrupted operations. One in five organizations reports that 16 or more ransomware attacks per quarter impact their organization.

After a ransomware attack, two-thirds of companies say they will pay a ransom to recover data. One in ten companies will be able to spend $50,000 or more. During the Warning Level 4 lockdown, a third of organizations saw a spike in cyber-attacks. Two in five companies report being hit by a Covid-19-themed phishing attack. Half of IT decision-makers do not know about the Privacy Act amendment, even though the legislation comes into force on December 1 this year.

Ransomware’s rise

Ransomware attacks are a growing issue in New Zealand. Over the past 12 months, the number of IT decision-makers who estimate that their organization is affected by 16 or more ransomware attacks per quarter has doubled[1]. One in five Kiwi businesses now claims to be fighting off more than 60 ransomware attempts a year.

Peter Bailey, Aura General Manager, says these figures are troubling, but they could get even worse. The study shows that over half[2] of New Zealand organizations have been hit by a successful ransomware attack in the past 12 months. Not only that, but one in five hacked companies claim that their activities have been severely interrupted.

“That’s just the tip of the iceberg, sadly. We’ve not only seen New Zealand companies get pummelled by ransomware over the past year, we’ve also seen a massive resurgence in distributed denial-of-service (DDoS) attacks. While there is a general perception that the United States is still the target of most of the cybercriminal universe, there is little to stop these hackers from moving their focus to New Zealand, and quite frankly, most of our companies are not prepared,” Bailey says.

Cybercrime pays

The New Zealand government’s official advice is not to pay ransoms requested by cybercriminals. Despite this, two-thirds[3] of companies admit they will pay a ransom to recover data after a ransomware attack. One in ten companies will be able to spend $50,000 or more.

It is a bleak reality for companies trying to decide what to do when their data is held to ransom. Not only is data locked down and out of their control, but devices can also be offline, meaning that important company activities cannot take place. Paying the ransom often seems to be the only solution, but many companies pay up and then never see their data again.

“The safest way is to plan your organization so that you are unlikely in the first place to ever face a ransom situation.”

The Institute of Directors (IoD) suffered a website breach committed by an overseas hacker community in August 2019. While the attack was identified in less than 10 minutes and no customer data was compromised, it caused weeks of disruption because the site had to be taken down and fully vetted. This impacted all online communications with representatives and customers of IoD, took tremendous effort from employees, and incurred data-protection-related costs.

Sophi Rose, IoD General Manager of Brand Marketing and Communications, says the crisis communication strategy of the IoD was a huge aid, dictating who had to do what, where, and when. “Our primary emphasis was on members and customers. Our response was vital to the pace at which we were able to take down the website, which was less than 10 minutes, and to be able to understand any effects.

“In line with our values, we have also made choices. Even though there was theoretically no impact, we let our members know immediately. We spoke about how we would like to be handled in a similar situation and our mantra was transparency and integrity.”

The upcoming Privacy Act

Almost half of IT decision-makers[4] are also unaware of the amendment to the Privacy Act, despite it coming into law on 1 December 2020. “These are the individuals who look after the cybersecurity of Kiwi businesses and many are unaware of imminent changes that will affect how they do their job and how to handle a security breach,” Bailey continues.

“More alarmingly, this figure has not improved year-on-year either. We’ve seen roughly the same outcome since we began the Aura survey in 2018.” Changes to the Privacy Act include mandatory violation management and fines of up to $10,000 for firms in breach, and Bailey states that this study highlights that many IT policymakers might not be aware of the flow-on impact either.

Organizations may not yet be aware of the right of impacted persons or associations to take class action against organizations that have failed to safeguard data under the Privacy Act 2020. Data has never been so important, and neither has its security. It’s time for companies in New Zealand to get up to date on the new law and what it means for them.

Covid-19 cyber-attacks

Unsurprisingly, during the Warning Level 4 lockdown, Kiwi companies saw a surge[5] in cyber-attacks. Two in five[6] companies say they’ve been hit by a Covid-19-themed phishing attack. “When the Covid-19 outbreak first occurred, there was a lot of knowledge going around. People were looking for advice, and by mimicking trustworthy communication networks to trip people up, hackers were able to ride the surge.

“This is a popular tactic for cybercriminals, and when both the Christchurch earthquakes and mosque attacks occurred, it was also used to carry out several attacks. The fact that many of us worked from home and away from our normal work environment during lockdown meant that there was no longer standard office software security in place. No matter what and where you are working, it is vital that you pay attention to email senders and any attachments to ensure that they are genuine.”

A set-and-forget attitude

Research also reveals that New Zealand companies remain somewhat ignorant of how their data is secured, with three in five[7] companies falsely assuming that storing data in the cloud provides an additional layer of protection.

Not unexpectedly, over the past 12 months, a quarter[8] of companies say they have experienced a cloud security breach. “Although the cloud offers some protection, it is not a set-and-forget security exercise to transfer data to the cloud. Businesses need to get into the habit of an ‘always-on’ strategy, one that requires frequent training for staff, the right policies and practices, and regular testing of outward-facing assets such as websites and apps,” Bailey says.

It just gets worse

The number of IT decision-makers who expect their organization to be hit by a cyber-attack is growing year-on-year. It was 27 percent in 2018 and 42 percent in 2019, and this year more than half[9] of organizations expect to be targeted by a cyber-attack over the coming year. That figure surges again to 69 percent among larger Kiwi organizations (those with 300 or more Internet-connected devices).

Bailey states that online organizations must always be cautious and encourages individuals to avoid believing that it won’t happen to them. It is important for all New Zealanders to note that everyone is a target. Ransoms are tailored to maximize the chance of the hacker being paid, whether the victim is a large or small company.

Experiencing a hack is often not just about financial loss and system compromise. Company credibility, which is always worth more than any financial cost, may also be hugely affected. If your clients can’t trust you to keep their data secure, they’ll go somewhere else.