Beating cybercrime complacency

By Glenn Baker

There’s no denying that cybercrime is a serious concern for New Zealand’s small and medium enterprises (SMEs). In the past large corporates have made the headlines whenever there’s been a high-profile incident, but the evidence suggests SMEs are now being targeted by cyber criminals – weapons of choice include ransomware, closely-targeted phishing (or ‘whaling’ when targeting senior-level staff) and, more recently, malware embedded in free mobile apps.

Leon Fouche, cyber-security leader at BDO, says SMEs make easy targets due to weak IT security controls and a lack of disaster recovery processes. He says the 2015 NetDiligence Cyber Claims Study revealed that almost 54 percent of claims are in the SME market – mostly in healthcare, online retail and professional services such as accountancy practices and legal firms (think Panama Papers), all of which are known to hold sensitive information on clients.

“These organisations carry a lot of Personal Identifiable Information (PII) and rely heavily on data to run their businesses,” explains Fouche. “Surprisingly, many of them still don’t have proper cyber-security processes in place.”

Some of the myths surrounding cybercrime aren’t helping the situation either. A major one, according to Fouche, is the perception that if a business doesn’t hold credit card or banking information, or have deep pockets, then it’s not a target.

But today it’s not just about the money. “Cyber criminals are starting to target secondary (personal) information for extortion purposes,” he says. “The rules of the game have changed where criminals are now using extortion tactics for financial gain from SMEs.

“If some of your information sits with an external organisation and they are compromised, then it means you are compromised too.”

“These people either on-sell that information, or use ransomware to directly extort money from a business or organisation.” Often, for the criminals, it’s simply a matter of renting or buying a ‘ransomware kit’ on the Darkweb, he says.

Fouche’s advice to business owners is to take a step back and consider what information they possess – on customers, suppliers and business partners – and what the implications would be if that information got in the wrong hands. Businesses are more interconnected than ever, he says. 

Also, consider who is responsible for managing and protecting this data, either internally or externally? 

Although larger cloud service providers are generally a safer option, don’t assume that they’ll give you a more secure service, until it’s validated, he says. And check where the cloud provider is based; “ensure it is governed by the same sovereign legislation and rules as New Zealand’s.”

Business owners make the mistake of thinking that if they outsource their IT, then they are outsourcing the risk. That’s a wrong assumption, and another symptom of complacency, Fouche believes. “They need to take responsibility for customer information as if it was their own.”

Staff should be aware that information security is everyone’s responsibility. Have a cyber-security response plan, and test it often, so staff know what to do if they experience a cyber-attack or data breach.

“It’s imperative that staff are educated on cyber-risk, and what they should do if they see anything suspicious,” says Fouche. “Because it’s not a case of if your business will be targeted, but when.

“There’s a common saying in the cyber-security industry, that there are only two types of organisations: those that know they have been compromised, and those that don’t know they’ve been compromised.

“And even if you might be secure, if some of your information sits with an external organisation and they are compromised, then it means you are compromised too.”

How bad can it get?

Fouche can’t see much improvement in the fight against cybercrime in the short term.

He believes the human component (“the biggest problem in cyber-security sits between the chair and the keyboard”) and the use of personal devices (“individuals using social media, their mobile phones or personal computers”) are major compromise concerns going forward, and governments must get involved in raising awareness to cybercrime.

“Government should take leadership in defining cyber-security guidelines and cyber-security health check tool kits, so organisations can assess their cyber risks and the actions they need to take to make them more prepared – especially in the SME market,” he says.

“The government and industry need to create platforms to collaborate and share cyber-threat information, and to educate computer and Internet users,” he adds, noting that organisations are now losing the capability to detect cyber-security incidents as more than 80 percent of incidents are reported by external parties.  

There’s also the issue of a skills shortage in this space. Universities and schools must be encouraged to develop programmes to address the cyber-security skills shortages, and help build capacity to defend against increasing cyber risk in the market, says Fouche. 

A recent Forbes report found that the demand for cyber-security skills in the Australian and New Zealand regional market will grow 21 percent over the next five years, with an expected shortage of some 10,000 people per year. 

Globally, the cybersecurity job market is tipped to grow to six million by 2019, with a shortage of two million jobs.

With the world becoming increasingly more cyber-connected, geographical distance is no longer a barrier to cyber-criminals, and so Australia and New Zealand are now seen as soft targets, says Fouche. “Activity in the past 18 months has increased exponentially,” he says.

For business organisations of all sizes, this is indeed no time for complacency.