An independent survey commissioned by Aura Information Security has found that more than half (55%) of New Zealand businesses who responded said they have been successfully targeted by a ransomware attack in the last year.
Of those businesses who responded yes, the majority were able to resolve the breach before any significant damage was done. Only 18% of the total respondents said ransomware attacks caused serious disruption to their businesses.
Hilary Walton, Chief Information Security Officer at Kordia Group, says that this highlights why businesses should ensure they are able to recover quickly in the event of an attack.
“Ransomware is a matter of when, not if, for New Zealand businesses. While it’s not a new threat, cybercriminals have perfected the way they target and breach their victims’ networks. All businesses should be prepared to not just defend themselves, but also to deal effectively with a ransomware attack. Having a robust incident response plan and safely backed up data is critical for ensuring a swift recovery.”
“Whether your business chooses to pay a ransom or not, these types of attacks have the potential to be very costly – when you factor in loss of productivity, revenue and reputation damage, you can quickly start to see how an attack can impact your bottom line. It can take weeks to get back up and running after an attack, and no business can afford to have their systems down for that length of time.”
The New Zealand Privacy Commissioner doesn’t recommend paying ransoms, but 64% of New Zealand businesses would be willing to pay to regain access to their data. Nearly one in 10 (8%) would pay more than $100,000.
Earlier this month, the Australian Government released a Ransomware Action Plan, which introduces specific mandatory ransomware incident reporting to the Australian Government.
“New Zealand cyber legislation often reflects that in Australia, due to similarities between our two markets, so a similar initiative could be on the horizon for our country. Whether or not New Zealand decides to introduce mandatory reporting to the Government specifically for ransomware incidents, it’s certainly a reminder that all businesses should have a process in place to quantify the impact of an attack - as well as ensuring there is an adequate response plan in place to mitigate damage,” says Walton.
Working from home amplifies the risk
Remote working appears to be the new weak link. Among ransomware attack victims, more than three quarters (78%) say the attacks happened through a remote connection or while an employee was working from home.
“While this is concerning considering New Zealand’s largest city has been in lockdown for the latter part of the year, the focus on security issues around remote working needs to stretch beyond just lockdowns. Many businesses have, or will be, implementing permanent remote working policies. Nearly half (43%) of Kiwi businesses have at least 60% of staff working from home at least one day a week. The fact is, our ways of working have changed, and businesses need to ensure their security posture reflects this.
“As people work more and more from home, the attack surface increases. There are opportunities hackers have only scratched the surface of: home routers with out-of-date software and firmware, more sophisticated attacks on cloud services, social engineering via other people in the home – the list goes on.”
“It’s great to see technical layers, such as MFA and Zero Trust, being implemented, but businesses also need to extend their focus beyond just the technical controls. The human factor is such a prominent risk when it comes to cyber-attacks – hackers know this and will continue to exploit the people in your business with more sophisticated phishing techniques,” says Walton.
High profile attacks a wake-up call for NZ businesses
In 2021 we’ve seen high profile cyber-attacks in New Zealand including the NZX and the Waikato DHB. Walton says New Zealand is no longer viewed as a safe haven.
Just under half of IT decision makers say their businesses take cyber security more seriously as a result of these local attacks. 41% had more discussion around cyber security within their organisation, while 37% expanded their cyber security team or agency. Only 15% say the attacks had no impact on how they view cyber security.
“IT decision makers are realising we aren’t safely hidden away at the bottom of the world, with 85% now considering New Zealand equally or more at risk as the rest of the world when it comes to cyber-attacks, up from just 67% in 2018. Cyber-crime is a global phenomenon, and geographical distance is irrelevant when business is conducted digitally.
“A concerning finding is 42% of businesses admit not running crisis simulation exercises to assess their ability to respond to a cyber-attack. Companies are focussed on prevention, but don't practice how to deal with attacks. Hackers are aware of this and will use the chaos that ensues following an attack to take advantage of victims.”
However, many Kiwi businesses are rising to the growing challenge. More than half of businesses have increased their cyber security / IT budget in the last 12 months, primarily due to high-profile attacks and COVID-19.
As a result, 70% of IT managers now rate their business’ ability to defend against cyber-attacks as mature or very mature. 68% (compared to 61% in 2020) said they have policies or training in place to prevent cyber breaches, and nearly half (46%) run crisis simulation exercises to assess their ability to respond to a cyber-attack.
Noting that the results are self-assessed, Walton warns that even businesses that consider themselves mature should be seeking external testing and evaluation of their security, to ensure that any blind spots are mitigated, and their defences can withstand a simulated attack.
“We need to remember that cyber criminals are constantly adapting and finding new ways to get what they’re after. Business leaders can’t rest on their laurels. Even if you consider yourself mature, cyber security needs to be deeply embedded into your company culture, and cyber risk needs to be continuously reviewed,” says Walton.