The firm was collateral damage through another New Zealand company’s internet address, linked to the Dunedin company’s IT services. Photo / Getty Images, File
A Dunedin business which paid a ransom after being crippled by a cyberattack has prompted a warning for companies to take the threat seriously.
The business, which is not being named for security reasons, was the target of an attack for two weeks in September.
The attack took out its computer systems, telephone and commercial data.
The business ended up paying the hacker’s ransom to restore its system.
The business’ initial review suggested the attack was an extraordinary case of bad luck. It was caught up as collateral damage through another New Zealand company’s internet address, that was associated with the Dunedin company’s IT services, the owner said.
It seemed the highly sophisticated nature of its IT system exposed the company to greater risks, which resulted in it becoming the target of a professional offshore hacking group.
The attack had been an ”excellent learning opportunity” for the business and it wanted to help others learn from their experience, the business spokesman said.
The company did not reveal how much it paid the cyberattackers.
Standby Consulting managing director Sam Mulholland said the attack served as a reminder for businesses to take cybersecurity seriously as attacks could ”literally ruin” their company.
Mulholland spoke at a Business South event this week about business continuity planning especially in the age of cyberattacks.
He has worked with companies in New Zealand and the Middle East, creating plans for when things went wrong.
“The No.8 wire mentally of ‘she’ll be right’ just doesn’t work anymore.”
Speaking after the event, Mulholland said cyberattacks were a major threat to businesses.
Mulholland said he believed small businesses overall were not taking the threat seriously enough and did not have plans in place for if it happened.
“It is not just the big corporates, the hackers are after anything that they can get their hands on.”
The cyberattack that crippled the Waikato District Health Board in May should be used as an example of how bad an attack could be.
A continuity plan allowed businesses to know what to do with staff, media, assets and even the company’s brand when an attack happened.
Clear communication with stakeholders was also key, Mulholland said.
Cyberattacks used to be conducted by specific groups, but now it was conducted by “software as a service”, which meant anyone could buy ransomware that kept working until it found a link into a businesses’ servers.
A police spokesman said it generally did not recommend paying any ransom demands, despite the temptation to do so.
“Paying ransoms incentivises criminal groups to continue to target New Zealand victims,” they said.
Police asked people to report cybercrime.