Time to get serious about cybersecurity
In the wake of the crippling Waikato DHB cyber-attack, NZBusiness sat down with cybersecurity expert Daniel Watson to help businesses understand the threats they face and arm themselves against the cybercriminals.
Daniel Watson has literally written the book on cybersecurity and how it affects Kiwi business owners. His book She’ll Be Right (Not!) is billed as an easy-to-understand guide to cybersecurity – designed to help business owners get their head around the subject and protect themselves against cyber-attacks.
As managing director of Vertech IT Services, Watson has witnessed first-hand how the hard work and valuable assets of businesses can be decimated in an instant. He’s also seen an increase in the number of organisations now waking up to the risk.
“A new understanding is dawning about the changes to the Privacy Act, which means cybersecurity can no longer be swept under the rug anymore,” he says. “The barrier to entry is now very low.”
Today the relatively low risk criminals run with online “hands-free” crime, combined with the rise of international cybercrime syndicates, means that Kiwis must be prepared for more attacks like the one carried out on the Waikato District Health Board in May.
“Not only do such attacks disrupt and cost the victims, they also give criminals the ability to hide malicious software that can be activated later or sold as exploits to other criminal elements,” says Watson.
According to CERT NZ, the government agency which supports organisations and people affected by cybersecurity incidents, there were 7809 reports of such incidents affecting New Zealanders in 2020 – a jump from the 4740 reports registered in 2019.
Watson has seen a lot more cyber-attacks successfully causing damage to organisations over the past five years. “The amount of damage caused by cybercrime now far exceeds what’s happening through theft, fire or flood.”
Organisations are being targeted, he says, and if they haven’t taken any major steps to improve their IT system protection in recent years, then it’s only a matter of time before they take a hit.
Don’t think you won’t be a target just because you’re a small business either – there’s still value there for criminals.
“If they want to launch a DDoS (distributed denial-of-service) attack against a large corporate, they may need to harness tens of thousands of computers to fire junk traffic at its e-commerce site until it coughs up the cash. Criminals love that extra layer of separation provided by your system.”
The most common modus operandi for cyber-criminals is the BEC (business email compromise), explains Watson. “This can simply be someone logging into your mailbox who is not authorised to do so.”
Email is a completely insecure platform, he says, and it’s not helped by employees using the same work email address and standard password on multiple sites – perhaps on their home computers, as Covid has resulted in more employees working from home.
He explains how a ‘dictionary attack’ can often be used to find an account login. “An exposed known password can be combined with common substitutions (for example I = 1) to see if someone only slightly changes their password. Those substitutions and other very common passwords like ‘qwertyuiop’ go into a dictionary attack.”
“People use their email work address for the likes of LinkedIn, Office365, the comments page on Reddit, and loads of other websites, and if one of those services gets breached, then all the email addresses and passwords go into the Dark Web and can be scooped up by somebody purchasing a database of, say, 500 million,” says Watson. “Then the race is on to see what the criminals can log into. It simply becomes a numbers game.”
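A defensive way to act on the two points above (substitution variants of an exposed password, and breached credential lists being replayed at scale) is to reject, at password-set time, anything that is a trivial variant of a known breached password. The following is an added illustration, not code from the article or from Vertech IT Services: it undoes the common substitutions a dictionary attack would try (1 for i or l, 0 for o, @ for a, and so on), strips the digits or symbols people append when forced to change a password, and compares every plausible base spelling against a deny list. The deny list, the substitution table and the sample passwords are constructed for the example; a real deployment would load a full breached-password corpus into the same set.

```python
"""
Password deny-list check that catches 'slightly changed' variants of a
known breached password.

Constructed example: a tiny stand-in for a breached-password list, plus a
normaliser that reverses common character substitutions and strips the
trailing digits/punctuation users append on forced password changes.
"""
from itertools import product
from typing import Iterator, Optional

# Constructed stand-in for a breached-password list. A real deployment would
# load a full corpus (e.g. a downloaded compromised-password list) into a set.
BREACHED = {"password", "qwertyuiop", "welcome", "summer", "letmein"}

# Each substituted character maps to the letter(s) it commonly stands in for.
SUBSTITUTIONS = {
    "1": "il", "!": "i", "0": "o", "3": "e", "4": "a", "@": "a",
    "5": "s", "$": "s", "7": "t",
}
MAX_VARIANTS = 256  # cap the expansion so a long digit string cannot explode


def strip_suffix(pw: str) -> str:
    """Drop trailing digits and punctuation, e.g. 'Welcome2021!' -> 'Welcome'."""
    end = len(pw)
    while end > 0 and not pw[end - 1].isalpha():
        end -= 1
    return pw[:end]


def candidate_bases(pw: str) -> Iterator[str]:
    """Yield every plausible original spelling of pw, lower-cased."""
    pw = pw.lower()
    for base in {pw, strip_suffix(pw)}:
        if not base:
            continue
        # For each character, the set of letters it may have replaced.
        choices = [SUBSTITUTIONS.get(ch, ch) for ch in base]
        for count, combo in enumerate(product(*choices)):
            if count >= MAX_VARIANTS:
                break
            yield "".join(combo)


def matches_breached(pw: str, breached=BREACHED) -> Optional[str]:
    """Return the breached password pw is a trivial variant of, or None."""
    for base in candidate_bases(pw):
        if base in breached:
            return base
    return None


if __name__ == "__main__":
    # Constructed sample passwords a user might submit on a password change.
    for pw in ["P@ssw0rd!", "Welcome2021", "qwertyuiop", "Summer20",
               "c0rrect-horse-battery"]:
        hit = matches_breached(pw)
        verdict = f"REJECT (variant of {hit!r})" if hit else "ok"
        print(f"{pw!r:>26} -> {verdict}")
```

Wire `matches_breached` into the password-change path (or a password-manager policy) and reject with a message that names the rule, not the matched word; the check is cheap because the variant expansion is bounded by `MAX_VARIANTS` and each lookup is a set membership test.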
Watson says a good first step to avoid becoming a victim is to utilise a company-wide password management tool. “If you’re a business, I recommend incorporating such a tool into your overall security strategy. That includes your employee off-boarding or exiting procedures. Remember a disgruntled ex-employee is just as dangerous as anybody else.”
Web ‘drive-bys’ are happening with increasing frequency too. “This is where criminals set up a company front to purchase advertising on popular websites and create an ad-script that takes advantage of vulnerable web browsers in order to gain a footprint on their PC. Businesses with ageing computer systems are particularly vulnerable.”
Problems arise when business managers don’t see their IT vulnerability as a governance or risk management issue, continues Watson. Having an ‘IT guy’ on staff can lead to complacency too. He or she may not have the depth of capability to cover all facets of the business. It’s not enough just to have anti-virus and spam filtering software, and a firewall.
“Business managers need to ask ‘what are the controls we need in place to make sure minimum cyber-hygiene is in place?’”
Watson urges employers to encourage the reporting of any hacking ‘near misses’, so others can be on the lookout and IT can take steps to stop the hackers infiltrating further.
He says business owners must realise that ‘security through obscurity’ is no longer valid in these dangerous times for cybersecurity.
“There is still that mindset of ‘I have nothing of value so why would anyone attack me?’ That’s wrong. The Internet is all connected; we’re all zero distance from every hacker on the planet.”
It’s time to ask for help, time to conduct a risk assessment on your business and then instigate an annual system review – before you too become a victim.
6 RULES TO KEEP YOUR DATA SAFE
• Know where your data lives. Then you can put the right protections in place.
• Backups are not optional. Near-instant recovery systems which backup all critical data every 15 minutes are affordable and achievable. Don’t forget cloud-to-cloud backup.
• Protect your data. Think before providing any details online. “Make sure you’re satisfied with the credibility of whomever you are providing your information to. And be more selfish with your personal information.”
• Beware of legacy software. If your software is out of date, get it reviewed by a cybersecurity specialist or get rid of it. Out-of-date systems have vulnerabilities.
• Keep networks segregated into different compartments. Then if one network is attacked, others are protected. It also prevents criminals from moving laterally through your systems.
• Provide better training. It takes just one click on a bad hyperlink, or for somebody to insert a USB drive in a laptop, to let criminals bypass all protective measures. “In that context, investing in proper training is cheap.”
Source: Daniel Watson, Vertech IT Services
NZBusiness has three copies of She’ll Be Right (Not!) – A Cybersecurity Guide for Kiwi Business Owners to give away to NZBusiness readers. Learn the ‘Eight layers of IT protection’ – from comprehensive backups and password management to staff education, operating system management, anti-virus and endpoint protection, web filtering, firewalls and spam filtering. To go in the draw email your entry to [email protected] before August 27th.