After experiencing a record number of cybersecurity incidents at the end of 2021, New Zealand businesses have seen a huge drop in attacks in the first three months of this year, the latest quarterly report from the government’s Computer Emergency Response Team (CERT NZ) has shown. The organisation, however, reminded companies to not let their guard down when it comes to cyber care.
“CERT NZ figures show a decrease in [cybersecurity] reports this quarter,” said director Rob Pope. “Although this may sound like good news, it doesn’t mean we can approach our online security with any complacency. It’s quite the opposite, in fact.”
The agency’s data reveals a 41% decrease in the volume of cyber incidents it has responded to from 3,977 between October and December last year to 2,333 in the first quarter of 2022. These incidents have caused $3.7 million in financial losses – a 44% decline from the previous quarter’s $6.6 million. Figures also show that less than a third of all incidents have resulted in monetary losses.
What are the top cybersecurity threats facing NZ businesses?
According to CERT NZ’s first quarter report, phishing and credential harvesting has remained the most common incident category, followed by scams and fraud, unauthorised access, and malware.
The agency, however, noted only marginal movements across each category, with reports of credential harvesting increasing by 0.1%, scams and fraud dipping by 0.5%, and unauthorised access decreasing by 3.8% compared to Q4 2021 numbers. The only exception is malware reports, which registered a remarkable 95% drop. CERT NZ attributed the decline to the conclusion of the Flubot malware campaign that peaked in the country at the end of last year.
Here’s a breakdown of the top cybersecurity incident categories based on CERT NZ’s latest data landscape report:
1. Phishing and credential harvesting
Phishing and credential harvesting accounted for more than half, or 59%, of all incidents CERT NZ has responded to, making it the most reported category from January to March. During the period, the agency received 73% more reports of such incidents compared to any other category.
2. Scams and fraud
Scams and fraud took up almost a quarter, or 24%, of all cybersecurity incidents reported to the agency in the first quarter of the year. The majority of these incidents involved buying, selling, and donating goods. Tech scams involving phone calls was the next biggest category, which saw a 53% jump from the previous quarter. Extortion or blackmail, dating scams, and scam phone calls rounded up the top five categories.
Read more: New Zealand sees surge in cyber fraud cases
3. Unauthorised access
Incidents of unauthorised access dropped almost 4% from Q4 2021. The category’s impact has been mostly felt in the sectors of public administration and safety, and transport, postal, and warehousing. At least one incident related to unauthorised access has cost businesses more than $100,000.
After topping the list of the most reported incidents in the final quarter of last year, malware cases slid an astonishing 95% in the first three months of 2022. CERT NZ attributes the massive decline to the conclusion of the Flubot campaign, which wreaked havoc on businesses in the second half of 2021.
How can New Zealand businesses protect against cyber threats?
At the beginning of the year, Pope said that the agency has witnessed how attackers were using a range of new methods to “try to get their hands on” people’s finances and personal information. These include the use of phishing as a stepping-stone to other types of attacks and taking advantage of the rising popularity of non-fungible tokens (NFTs) to carry out various kinds of scams.
“But while attackers use ever-evolving methods, our advice to help safeguard from these attacks remains constant,” Pope noted. “We need to keep doing what we know works best and continue to improve our cyber defences.”
To help prevent businesses from falling victim to cyberattacks, CERT NZ has published a guide, which highlighted ways on how companies can protect their data, network, customer information, and reputation. Here are 11 practical steps firms can take to keep themselves safe from cyber threats, according to the agency.
1. Install software updates
To keep their systems safe, businesses must make sure their devices are still supported by the manufacturer and software updates or patches are installed as soon as they are available.
“Patches aren’t just about adding new features to software, they often fix security vulnerabilities, too,” CERT NZ explained. “Attackers could use these vulnerabilities to gain access to your system. Installing patches, which fix them is a simple way to prevent this happening.”
2. Implement two-factor authentication (2FA)
Implementing 2FA is one of the most effective ways of protecting a company’s system and its customers’ accounts, according to the agency.
“It means that anyone who logs in to your system will need to provide something else on top of their username and password, to verify that they are who they say they are,” CERT noted. “You can implement it on internal systems and your customer-facing systems.”
Key systems that would benefit from enabling 2FA, include email services, cloud aggregator services – including Office 365, GSuite, or Okta Cloud Connector – document storage, banking services, social media accounts, accounting services, and any system that stores customer, personal or financial data.
3. Conduct regular data backups
Keeping data safe is crucial for every business and in the event it gets compromised, companies must ensure they have a backup, so they can have it restored. CERT NZ shared two tips on how this can be done properly:
- Set your backups to happen automatically so you don’t have to remember to do it. How often you do them depends on how important your data is. If you have new customer data coming in every day that would be impossible to re-create, set your backups to happen a few times a day.
- Store your backups in a safe location that’s easy to get to – and isn’t on your own server. Ideally, you need to store your backups somewhere offline. If you use a memory stick or external hard drive to store your backups, make sure you disconnect it from your network every day.
4. Set up logs
Logging can help businesses find out when an incident may be about to occur – when there have been multiple failed logins to their network, for example – or when an incident has happened – like a logon from an unknown IP address.
“Logs record all the actions people take on your website or server,” CERT NZ explained. “Set up alerts to notify you if an unusual event occurs. Make sure someone checks the logs when an alert comes in.”
The agency advised companies to set up logs for the following:
- Multiple failed login attempts, especially for critical accounts, including cloud aggregator services like Office 365 or GSuite
- Successful logins to your CMS and changes to any of the files in it (if you don’t change them often)
- Changes to your log configurations
- Password changes
- 2FA requests that were denied
- Anti-malware notifications
- Network connections going in and out of your network
5. Create an incident response plan
Companies must also take the time to create an incident response plan to get their business back up and running quickly if they were targeted by a cyberattack.
“Having a clear plan in place will help you through what could be a stressful time,” CERT NZ wrote. “It’ll help your team respond to an incident quickly and improve your business’s resilience.”
6. Update default credentials
Default credentials are login details that give the user administrator-level access to a product and should only be used for the initial setup, then changed afterwards, CERT NZ explained. However, the agency said this does not always happen, which leads to issues later.
“Default credentials are easy to find or guess or find online,” the group warned. “Attackers could use them to get into your system.”
7. Choose the right cloud services
Using cloud services to manage a firm’s IT needs yields several benefits, including getting access to software without needing to purchase it themselves, accessing company data from any device at any time, and having storage space and backups for their data.
“There’s a lot of cloud services providers out there, and you need to make sure you choose the right one for your business,” CERT NZ wrote. “It’s important to know that they take your security needs and your data seriously. Before you commit to a particular provider, make sure they can give you the kind of services and protection you need.”
8. Collect only necessary data
A company’s risk level is often based on the amount of data that they have. Because of this, CERT NZ advised businesses to only collect customer data that they really need.
“The more you collect, the more valuable it is to an attacker,” the agency noted. “This means you carry a higher risk if you’re targeted by a security incident. By only collecting what you need, you reduce your risk.”
9. Secure your devices
Enabling anti-malware software on any device that accesses business data or systems prevents malware, including viruses or ransomware, from being downloaded, CERT NZ noted, adding that businesses must implement this both in company-owned devices and any BYOD units that belong to employees.
10. Secure your network
To do this, according to CERT NZ, companies must configure network devices, such as firewalls and web proxies, to secure and control connections in and out of their business network. They can also use a 2FA-enabled VPN if they need to remotely access systems on their network.
11. Check financial details manually
“A lot of business takes place over email, and it can be hard to tell when an email recipient’s behaviour is ‘phishy’,” CERT NZ cautioned. “If you're doing business online and you get an unusual or unexpected request, check it manually before you go ahead with the transaction.”
According to the agency, this means that businesses need to check the request with the person or company they are dealing with through another channel – by phone or through text messaging, for example. Having manual checks can help prevent businesses from getting caught up in online scams and fraud.
“If we all put in the mahi and take one step at a time to improve our online security, this will go a long way to keeping ourselves better protected and help build a more cyber resilient Aotearoa New Zealand,” Pope said.
He also advised individuals and businesses to visit the CERT NZ website for more practical advice and information on how they can stay safe online.