New Zealanders are losing millions each year to cybercrime and need to get smarter about protecting their digital systems, say a team of experts who have convened the NZ Cyber Security Summit in Wellington this Wednesday.
Between January and September last year last year there were 5712 attacks reported in New Zealand, or 21 a day, directly causing more than $14 million in losses. But NZTech chief executive, Graeme Muller, says that’s only the attacks that were reported to police or CERT NZ, the government entity that tracks cyber breaches, and is likely the top of the iceberg.
He talked with Jim Mora about simple ways to ward of as much as 80 percent of cyberattacks.
Muller says the pandemic has exacerbated an already skyrocketing number of cyberattacks. And it’s not just data being accessed, it’s stock exchanges and healthcare under attack internationally, reserve banks, power grids, and hospital operating theatres.
“Some of those [attacks] are big and feel so far away from you as an individual – but it generally comes back to a person, the computer systems are quite good at protecting themselves, the vulnerabilities are people.
“There’s a lot of it happening at a level which is not life-threatening or is not going to make your business fall over, but is just seeding the ground for those big ones.”
“That’s why it’s important, whether it’s your own security, small business security, or the entire utility framework for the country, it’s probably going to be the way that we behave as people that will protect it.
He says perhaps the biggest obstacle to cybersecurity is complacency and lack of action to take basic steps for protection.
“You probably know you should do something more, and we think it’s not going to happen to us, and therefore we need more information and more repeated discussion and awareness this is happening to people around us.”
One of his top tips is simply to have a very complex password.
“Most of us use very un-complex passwords, and aren’t good at updating them. There are special tools now available called password safes so you only have to remember one way into that safe, and then you can access all your passwords.
“People are afraid that if they put all their passwords in one place then a baddie could get in and get them all, but … they’re very safe, there’s specialist companies that provide them and companies like Microsoft and Google and the like also have facilities for that, and they’re encrypted.”
Another simple step is using two-factor authentication.
“More and more companies are offering this, it’s really easy. If you’re logging into your Facebook account … they’ll drop you a text back to your phone, it doesn’t cost you anything. You punch in the code that they send you, and the only way they can hack you then is if they’ve physically taken your phone, which makes it much less likely to happen.”
His third recommendation is to enable automatic updates, so any vulnerabilities are closed as soon as the tech company fixes them in their software.
“Big computer companies like Microsoft, Apple… are looking all the time and blocking all the vulnerabilities, and the criminals are looking for new ones – so on your phones, your computer, just set it up so it does it automatically. Every time you get a patch it should happen automatically. It doesn’t really take much effort… it’s really easy.
“Those three simple steps are not actually getting harder, once it’s set up it’s not hard at all because it’s all managed for you.”
Muller says ransomware has become the biggest of the most significant threats.
“It continues to grow as a threat, it really plays into human nature, the fact that at some point you click on a link, and a little bit of software goes onto your computer and then they have control and you have to pay money to get it back or lose what you value.”
But one of the most common reports from New Zealand businesses is unauthorised transfers of money, which Muller says is often done through phishing.
“Emails are sent out that look like real emails and encourage you to click on a link somewhere, for a business one way is they get some information about your customer and then they send you an invoice that looks like it’s coming from that customer, but the bank account details are actually going to the criminal’s bank account.
“Or they can get into your customer accounts and send invoices from you to your customers, but they put their bank account details on it, or they trap it on it’s way out and change it before they send it.
“One way to check is, if you wave your mouse over the links – you’re right to be nervous of clicking anything, but before you click anything… you can see where it’s going to, and if it’s not going to the address you expect it to to go to… for instance a Kiwibank address based in Czechoslovakia, [be suspicious].”
Last week New Zealand signed up to the Council of Europe Convention of Cybercrime, known as the Budapest Convention, an international agreement for countries to cooperate to crack down on cybercrime.
‘Some of them are where you’d expect, criminal bolt-holes like eastern Europe and paces like that,” Muller says. “But there are cybercriminals here in New Zealand, operating, and no doubt stealing from people around the world.”
He says making changes to reduce exposure to cybercrime isn’t time consuming.
“It’s a bit of a hidden threat, because most people don’t talk about it, and most people are victims at a small level so they still remain relatively complacent, and that’s the problem. A lot of this is about humans having to adapt to the new environment we’re in.
“I don’t think it’s any different from when I was growing up we were in an environment where there weren’t so many people and there wasn’t so much crime around, and we’d never lock the door in the house, you’d drive your car to the dairy and leave the key in it. You knew someone somewhere had had their car stolen, but it doesn’t happen in our town.
“This the digital version of that … the value of being in the ocean rather than being in the pond outweighs the risk, which is why the internet works … we’ve just got to get better at behaviour change. The tools are there and are always being adapted and improving.”