Time to test your business’s defences

Almost every Kiwi business now has an online presence. Nilesh Kapoor talks you through exactly how harm can come to your business over the Internet, what those threats look like, and make a plan to shore up your online defences.

SMBs with less than 50 employees make up 95 to 97 percent of our economy. While we have plenty of billion-dollar organisations in this country, it could come as a surprise that often victims of damage delivered over the Internet might be an SMB such as your humble daycare centre, flower shop or Subway franchise. This occurs more frequently than the well-publicised attacks on Waikato DHB, NZX, NZ Post, Metservice and DOC.

We’re getting a few things wrong in our assumptions about Internet-based harm to businesses.

• There isn’t always a human coordinating every attack. Some malware viruses have lived online for decades.
• Penetration of your software doesn’t always mean money is stolen. Data of any kind can be copied, because hackers know you’ll give them around USD$150,000 to get it back.

Which companies are targeted for cyber attacks can seem quite random, though what all victims have in common is not investing in penetration testing to identify vulnerabilities.

We’re wrong to think it’s just big earners at risk of cyber attack. Even kindergartens can suffer.

Whānau Manaaki, the Free Kindergarten Association, were users of an IT management tool called VSA, provided by Kaseya. An attack on Kaseya in June 2021 harmed users worldwide and meant over 100 member kindergartens in New Zealand had to shut down their computers for a week. Penetration testing might have shown that VSA was making these kindergartens vulnerable, and the kindergartens could have chosen a better software provider.

Phishing causes more harm to Kiwi businesses than viruses. 

The most-reported incidents of cyber harm in New Zealand in 2021 were:

• Phishing and credential harvesting – 50% of attacks.
• Scams and fraud – 25% of attacks.
• Unauthorised access – 13%.

Phishing often leads to ransomware. You’ll know ransomware when it invades because often you get a message saying your computer is now locked, and the message may give you a digital wallet to pay your ransom into. This happened to the small Auckland financial management business Staircase last Christmas.

This sort of attack often begins with an email urging you to open it. You open, and an exploit bursts into life within your computer meaning the hacker can now see inside your network. This happened to Waikato DHB in May 2021. Hackers copied then locked up data and when the DHB didn’t pay a ransom, confidential medical information was dumped on the dark web – inviting others to copy and exploit the data.

Password dumps are a feature of the Dark Web, too: one hacker will collect a tranche of passwords from businesses like yours, publish the passwords, and invite others to log in to the vulnerable business and wreak havoc. 

Cyber security advice for SMBs:

• Remember that phishing (encouraging staff to open damaging emails) is the main way hackers victimise us – and it all starts with opening emails against our better judgement.  
• Keep backups of all your data and records.
• Consider having distributed network architecture.
• If you receive a ransomware notification, disconnect, isolate, unplug and call an IT doctor.
• Don’t pay any ransom. Payment doesn’t guarantee your data will be decrypted, and you’ll still likely need IT professional help. It may also open you up to future blackmail.
• Keep your operating system and apps up-to-date.
• Make sure you back up your files regularly to an external hard drive or cloud service.
• Create an incident response plan including a plan for who to call for help, an action plan and a plan for communicating to colleagues and customers

Nilesh Kapoor is award-nominated cybersecurity expert and founder of Wellington-based of penetration testing service Blacklock.io and Security Simplified. He has worked to combat hacking threats to many New Zealand businesses.