Why SMEs can’t afford to be complacent online

The recent ‘DNS hijack’ on the New York Times, as well as other timely stories about Internet scams targeting New Zealand businesses, have all managed to capture the media’s attention of late.

One story doing the rounds last month, for example, was that of the Auckland business Nuklear Limited that was defrauded over $18,000 through hacked communications with its overseas supplier.

Interestingly, days prior to that story being published, was a much picked-up NetSafe release that stated New Zealandershad lost $4.4 million to Internet scams last year.

While it’s true that that few people in New Zealand have actually lost money or had their identities stolen as a consequence of cybercrime, it doesn’t mean that cybercrime trends aren’t on the rise. In fact, as the NetSafe findings outlined, financial losses where money was paid over to a scammer and not recovered, more than quadrupled last year.

Manager for Security Policy at the Domain Name Commission Barry Brailey says many local SMEs are probably too complacent about online security because high-profile New Zealand attacks have often gone unreported. 

He warns that the message for SMEs is clear: learn about domain names and do your homework. Otherwise you risk being compromised, something most New Zealand SMEs can’t afford.

“Security is more about good processes than products you buy,” he says.

“One basic thingSMEs can do is to get their records and processes straight. Often domain names are renewed on the day, or just before, they are due to expire. By keeping track of these things they can be sure they’re still in control of their domain name.

“If your DNS is changed and a clone of your website is created, attackers can just sit back and collect things like login details and form submissions. This can lead to identity theft.

“Other basic things they can do is to keep logins secured with as few people as possible and to ask your Registrar (the business who has registered your domain name) whether they are DNSSEC-friendly. DNSSEC reduces the chance that visitors to your .nz website are led to fake websites and tricked into supplying personal information.

“DNSSEC may potentially have prevented the 18,000 loss experienced with Nuklear Limited.

“I would also advise all New Zealand businesses is to get their developer, or network administrator, to follow the The Open Web Application Security Project’s (OWASP) top ten recommendations.”