As the COVID-19 pandemic intensifies New Zealand’s reliance on digital technology, businesses are likewise being increasingly exposed to the risk of cyberattacks.
The latest quarterly report from the government’s Computer Emergency Response Team (CERT NZ) shows how cybersecurity threats remain a huge challenge for businesses and other organisations across the country.
In the first three months of 2021, the agency said it had responded to 1,431 cybersecurity incidents, which resulted in $3 million in financial losses. Though the number of incidents dropped 32% from the previous quarter, the figure represented a 25% rise year-on-year. Monetary losses, meanwhile, jumped 7% from Q4 2020 but hit more than a third of last year’s total.
“Our data shows that year-on-year cybersecurity incidents are on the rise, and they can be costly to recover from,” said Rob Pope, director at CERT NZ. “As we increasingly spend more of our lives online, attackers are constantly developing new and more sophisticated campaigns.”
According to CERT NZ’s first quarter report, phishing and credential harvesting remained the most common incident category, followed by scams and fraud, unauthorised access, and malware.
The agency, however, noted fluctuations across each category, with reports of credential harvesting decreasing by 24%, scams and fraud increasing by 13%, and unauthorised access rising by 18% compared to Q4 2020 numbers. Malware reports also registered a remarkable 94% drop, which CERT NZ attributed to the conclusion of the third-party Emotet malware detection campaign.
Here’s a breakdown of the top cybersecurity incident categories based on CERT NZ’s latest data landscape report:
Phishing and credential harvesting accounted for almost half, or 46%, of all incident reports CERT NZ responded to in the first three months of 2021. While the figures dropped from 862 to 652 over the quarter, the frequency of these incidents shot up 76% from 2019 to 2020 as the COVID-19 pandemic raged on.
According to the agency, attackers use a variety of phishing techniques to trick recipients into sharing private information, making financial transactions, or opening malicious attachments or files. Phishing emails is one of the most common tactics cyber gangs employ as these enable them to target large contact lists, allowing them to reach as many people as possible, the agency added.
One of the challenges in spotting phishing emails is that these often look like they are coming from well-known organisations, the report said, adding that these emails typically replicate a business’s branding, language, and URLs, and spoof email addresses to appear legitimate. Attackers also often adjust campaigns in response to current events and trends in global behaviours such as COVID-19, according to the report.
Scams and fraud took up almost a third, or 32%, of all cybersecurity incidents reported to the agency in the first quarter of the year. The majority of these incidents involved buying, selling, and donating goods. Dating and romance scams were the next biggest category, which saw a 44% increase from the previous quarter. Tech scams involving phone calls, extortion or blackmail, and unauthorised money transfer rounded up the top five categories.
CERT NZ also warned that cyber attackers were constantly evolving their campaigns to trick people into sharing personal and financial information as reflected in the emergence of COVID-19-related scams.
The agency said it has responded to about 10 coronavirus-related scams from January to March but anticipates the figure to rise in the coming months, especially with cybercriminals increasingly varying the look and messaging of their scams.
Rising almost a fifth from Q4 2020, unauthorised access resulted in close to $1 million in direct financial losses for business and individuals in the first quarter of the year. The agency said businesses were often the targets of this malicious activity as more financial transactions were carried out online. CERT NZ’s data showed the number of businesses and organisations that reported unauthorised access jumped 100% during the period.
The agency grouped such incidents into three “impact categories,” namely:
Malware incidents dropped significantly in the first three months of the year after accounting for 30% of all cybersecurity incidents in the previous quarter, according to CERT NZ’s data.
It was also in Q4 2020 that the agency became aware of about 2,000 New Zealand devices infected by QSnatch6, a malware variant that targets a widely used brand of network attached storage (NAS) devices called QNAP.
According to CERT NZ, the malware accesses the QNAP device from the internet by exploiting vulnerabilities to bypass the device’s password protection. Once the malware has access to the device, it establishes backdoor capabilities to allow attackers to take control of the device. It then steals passwords and credentials using keylogging and credential scraping, and stops some software from updating, preventing the infections from being fully removed.
A recent survey of small businesses conducted by the agency found that more than half, or 54%, of respondents were concerned about cybersecurity, with 46% saying they were trying to learn more about keeping their businesses safe online.
However, only 38% of those surveyed thought their business was adequately investing in cybersecurity, and just 34% believe their business has put a lot of thought and planning into being secure. Most concerning, according to CERT NZ, was that less than half, or 45%, have processes in place to prevent a cyberattack.
“Cybersecurity is a hot topic following a number of high-profile attacks hitting the headlines recently, and they demonstrate no-one is immune from being targeted,” Pope said. “The silver lining is that these events have put online security at the front of businesses’ minds and are generating more open conversations. It’s encouraging that businesses are gaining greater awareness of the mitigations they need to put in place to minimise cyber security threats.”
However, one of the main challenges, according to Pope, is that many businesses just do not know where to start boosting their cyber resilience.
“Time and money may be a barrier, but prevention is the best and least costly form of defence,” he said. “A large percentage of incidents reported to CERT NZ could have been prevented simply with a long, strong password and the use of two-factor authentication, which provides an extra layer of security for logins.”
Pope added that businesses could take several simple measures to prevent cybersecurity incidents from happening, including:
Pope also advised individuals and businesses to visit the CERT NZ website for more practical advice and information on how they can stay safe online.