After reaching record-high figures at the end of 2021, the number of cybersecurity incidents targeting New Zealand businesses continues to dwindle, the latest quarterly report from the government’s Computer Emergency Response Team (CERT NZ) has revealed.
The number of attacks reported to the agency decreased further by 14% to 2,001 between April and June compared to 2,333 in the first three months of the year, which saw a 41% drop from 3,977 in the previous quarter. Despite the sharp decline, CERT NZ reminded businesses not to let their guard down when it comes to cyber care.
“On the surface, it might look like nothing much has changed, with incident numbers remaining steady and only a small increase in direct financial loss,” said director Rob Pope. “But it’s been another busy quarter across the threat landscape, and every incident reported has had an impact on people and businesses.”
Although the volume of cyberattacks went down, these incidents have resulted in higher financial losses, costing New Zealand companies a total of $3.9 million – a 5% rise from $3.7 million between January and March. Figures also show that about a fifth (19%) of all incidents have resulted in monetary losses.
Phishing and credential harvesting remained the most common incident category, according to CERT NZ’s second-quarter report. This was followed by scams and fraud, unauthorised access, and malware.
From April to June, the agency has also observed a spike in scam calls where attackers pretended to be a bank employee, tricking recipients into sharing their financial information. If successful, this type of cybercrime allows hackers to access a victim’s bank account or their personal devices remotely.
“Attackers are constantly evolving techniques to try and catch people out,” according to the report. “In these specific scam calls, they use ‘phone spoofing’ software, which changes out the scammer’s actual phone number and instead shows a phone number of the scammer’s choosing – like a bank’s phone number – on the recipient’s caller ID.
“CERT NZ is aware of New Zealanders losing large sums of money to these types of scams, with some recipients experiencing these incidents more than once – this happens when scammers call back, pretending to be from the bank and offering help to recover from the previous scam.”
Here’s a breakdown of the top cybersecurity incident categories based on CERT NZ’s latest data landscape report:
Phishing and credential harvesting accounted for more than half, or 56%, of all incidents CERT NZ has responded to, making it the most reported category from April to June. The number, however, was a 19% drop from the previous quarter.
Scams and fraud took up over a quarter, or 26%, of all cybersecurity incidents reported to the agency in the first quarter of the year. The majority of these incidents involved buying and selling goods. Dating and romance scams were the next biggest category, with the number of incidents steadily increasing in the past four quarters.
Incidents of unauthorised access increased marginally (1%) in Q2 2022. CERT NZ received 230 reports of such breaches, which occur when an attacker gains access to an account, service, or device through vulnerabilities in software, or weak or stolen credentials.
After topping the list of the most reported incidents in the final quarter of last year, malware cases slid an astonishing 95% in the first three months of 2022 and a further 23% in the second quarter. The agency attributes the massive decline to the conclusion of the Flubot campaign, which wreaked havoc on businesses in the second half of 2021.
With the rapid pace of digital transformation giving rise to unique and evolving cybersecurity challenges, the Insurance Council of New Zealand (ICNZ) is urging businesses to consider taking out a cyber insurance policy. The council reminds companies, however, that this type of coverage cannot replace due diligence and good cyber hygiene as the top line of defence against cyber threats.
Cyber insurance policies in New Zealand typically provide two types of protection, namely first-party and third-party coverage. Here’s what these different types of coverages pay out for.
“Some insurance policies also provide enhanced benefits such as a retained response team of IT, legal and public relations professionals, who are on standby to respond to an event as soon as it happens,” ICNZ added.
The council pointed out, however, that “not all cyber insurance is the same.”
“The scope of cover offered by each insurer will be outlined in full in their policy wording,” it said. “As with any type of insurance, we strongly recommend you read and understand the policy wording before buying. If you have questions about the cover offered, you can seek advice from your broker or an independent legal adviser.”
According to the comparison website Finder, a company that has an annual turnover of $1 million and has taken out $500,000 worth of cyber liability coverage can expect to pay about $2,000 in premiums annually.
The cost of a cyber insurance policy, however, is dictated by a range of factors, including:
To help prevent businesses from falling victim to cyberattacks, CERT NZ has published a guide, which highlights how companies can protect their data, network, customer information, and reputation. Here are the 11 practical steps firms can take to keep themselves safe from cyber threats, according to the agency.