Cybersecurity is an ever-changing space. Plug a vulnerability here and criminals pivot and change their tactics. The growing number of ransomware and DDoS (distributed denial of service) attacks on high-profile NZ organisations such as Kiwibank, ANZ, NZ Post, the Waikato DHB, MetService and others has highlighted the fact that many NZ businesses are unprepared for the “new threat landscape”, hoping that legacy software and their IT team will keep them safe.
I reached out to Ian Raper, Managing Director, Australia and New Zealand, at Check Point Software, to find out more.
Every day it seems there’s news of a new cyber attack in NZ – what are NZ businesses doing wrong?
Many New Zealand businesses only have third-generation security deployed, but this outdated technology can be just as dangerous as not having security at all. This is largely because the architecture in previous generations (i.e. Gen III and IV) can’t protect against 5th generation attacks on today’s IT devices and networks.
This is compounded by the fact that cybercriminals are always looking for new ways to target their victims. In fact, Check Point’s Threat Intelligence data found an organisation in New Zealand has been attacked on average 580 times per week in the last six months, compared to just 415 attacks per organisation globally.
To bridge this security gap, we recommend businesses adopt a preventative mindset to improve their security posture. Preventing threats in the first place should be top of mind as it can be costly and time-intensive to remediate a cyber-attack.
Haven’t these sorts of attacks been around for some time? What’s changed?
Cyberattacks are evolving every day, and cybercriminals are adopting more sophisticated methods of attacks. Today we are witnessing a growing trend of zero day, supply chain and ransomware attacks. For example, the triple extortion trend in ransomware now includes not only the original target organisation, but also its customers, partners and vendors. This multiplies the actual victims of each attack and requires a special security strategy.
Businesses are pretty digitally forward in NZ; has our cyber security kept pace? How do we compare to the UK, Europe and North America in this regard?
Organisations in New Zealand need to adopt a preventive approach to cybersecurity rather than addressing it after the fact. This means leveraging solutions that can automatically identify and stop threats even before they can attack or infiltrate.
Take the DHB attack in NZ, for example – how does that happen from one employee clicking an email link?
While we aren’t able to comment on this specific attack, we know cybercriminals are constantly refining their techniques to increase the pressure to pay. Many of the current cyber-attacks start with a targeted phishing email that does not even contain malware, just a socially-engineered message that encourages the user to click on a malicious link, or to supply specific details.
Originally, ransomware usually encrypted data and demanded a ransom to unlock it. The attackers soon added a second phase and stole valuable information before encryption, threatening to make it public if the ransom was not paid. Approximately 40% of all new ransomware families use data theft in some way in addition to encryption. In addition, we have recently seen a third phase where the attacked companies’ partners or customers are also contacted for a ransom. This is a new technique called triple extortion.
Should companies educate their staff better around security – especially in this era of remote working?
One of the key challenges facing organisations in a hybrid work environment is the intensity of cyberattacks rather than being exposed to new vulnerabilities. Unfortunately, even with all possible cybersecurity measures and the best protection software in place, the responsibility of users is fundamental. It is essential to train employees on the best practices to ensure cybersecurity, such as not opening suspicious emails and attachments and not using unsecured networks.
Why is NZ’s critical infrastructure – i.e. IRD, NZ Post, Waikato DHB, NZ stock exchange, Reserve Bank, ANZ, KiwiBank etc – increasingly a target for offshore hackers?
State-based threats and cyberattacks are not only focusing on governments; they are targeting private enterprises too. This is exacerbated by the increase in remote workforces and online activity, and as a result, cybercriminals are becoming more brazen in their attacks.
Critical infrastructure operators such as the NZ stock exchange, Reserve Bank, and ANZ are prime targets for cybercriminals, because they are more likely to pay ransom in order to continue critical operations. What we saw in the NZX attack resulted from consecutive DDoS attacks over four days, causing severe disruption and ultimately halting trade.
You note that cybercriminals are shifting gears to target OT systems rather than traditional IT systems – can you explain…
Cybercriminals have become more advanced, with hackers shifting their approach. Instead of targeting IT systems first, then moving on to operational technology (OT) and industrial control systems (ICS), hackers are now hitting OT first. Hackers are well aware that connectivity has increased across industry control systems (ICS) and that OT systems aren’t secured by most conventional cybersecurity solutions.
While IT is charged with managing your overall security posture, in most organisations, OT devices fall through the cracks, creating a general lack of security consciousness about how to deal with them. Then, when connected to the outside world, they become the weak link in a security chain that ultimately puts your whole organisation at risk.
Therefore, it is now more critical than ever before to recognise the vulnerability of OT and protect these systems from potential threats. Especially since many do not fully understand the scope of the problem, most companies that tend to fall victim to a cyberattack are not able to share with others the root cause or the underlying issues they have faced.
Are very sophisticated targeted attacks like that of the NSO – zero click – attack that breached iPhones recently just going to be a part of the landscape now?
Cyberattacks will continue to evolve, and the iPhone breach is just an example. Organisations need to be prepared to evolve their cybersecurity strategy to reflect changes in the threat landscape.
What’s your view on businesses paying ransomware demands…
At Check Point Software, our Incident Response Team is experienced in dealing with numerous ransomware cases worldwide. If your organisation falls victim to a ransomware attack, it’s important to keep calm and not panic. Inform employees of the incident, including instructions on how to proceed in the event of any suspicious behaviour.
Check Point Software recommends you contact your security team immediately and take a photo of the ransom note for law enforcement and further investigation. Check Point Software is available around the clock via the Incident Responses hotline should you have an instant response to your security attack.
So, to pay or not to pay? While ransom amounts are sometimes in the hundreds of thousands or millions of dollars, outages of critical systems often surpass these amounts. However, organisations must remember that even if the ransom is paid, it does not mean that the data, or even part of it, will actually be decrypted. There have been cases where attackers have deliberately ensured the code provided to the organisation can’t recover data even if they wanted to.
Bottom line, don’t rush into a decision, engage the experts and consider all available options as paying the ransom should really be the last resort.