Cyber crime occurring on a grand scale
It's a great time to buy cyber insurance because premiums don't match the risk, Tony Grasso, technology director at Wellington-based security consultancy Cyber Tao, told the NZILA conference.
In a panel session, barrister Toby Gee said cyber risks were "difficult to conceptualise" because technology and the internet were constantly evolving; hackers were developing better tools to "screw things up for us" and the law was in its infancy. There was "no fixed scope" for cyber risks.
Mr Grasso said phishing, credential harvesting and ransomware were key threats. NZ had been a victim of state-sponsored attacks and the NZ Government had acknowledged that. Data breach reporting was voluntary and many people were unaware cyber attacks were occurring within their systems. "It's grand-scale, industrialised crime," he said.
"Hackers need help to get around security systems and will identify a lever you will pull." That could include offers of romance or money.
Poor network security and inadequate IT security were often to blame for events. Mr Grasso cited a NZ medical clinic that had its data encrypted and received a ransomware demand. No appointment or patient data records were available and medical equipment could not operate. The recovery cost was $25,000 and still rising, and a $250,000 spend was likely for new hardware and software with upgraded security.
Chinese state-sponsored malware was found in a NZ oil company's system and CAD sketches of each of its NZ petrol stations had been exfiltrated. "The malware had been there a long time," Mr Grasso said.
Stephen Kay, executive adjuster with Sedgwick, said there was "a misconception it won't happen to me". Cyber attack was like product recall because it "stops a business in its tracks". It needed quick investigation and loss mitigation to get a business back in action quickly and protect its reputation. "Companies think their systems are impenetrable, but the drawbridge is down, for example, through remote access and work from home."
Attackers hack or phish passwords by searching social media sites and using robots to try permutations of passwords. There were ethical and non-ethical hackers, "but you don't know what you're getting", Mr Kay said.
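The automated password guessing Mr Kay describes leaves a recognisable trace in authentication logs: either one account hit repeatedly from one address, or one address cycling through many accounts. The following is an added defender's example, not code from the article or any panellist; the log line format, the addresses and the thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). It mixes
# one source address trying many accounts, one account hammered from a single
# address, and ordinary traffic that should not be flagged.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z LOGIN_FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02Z LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01T09:00:03Z LOGIN_FAIL user=carol src=203.0.113.7
2024-03-01T09:00:04Z LOGIN_FAIL user=dave src=203.0.113.7
2024-03-01T09:00:05Z LOGIN_FAIL user=erin src=203.0.113.7
2024-03-01T09:00:06Z LOGIN_OK user=frank src=198.51.100.20
2024-03-01T09:01:00Z LOGIN_FAIL user=finance src=192.0.2.33
2024-03-01T09:01:05Z LOGIN_FAIL user=finance src=192.0.2.33
2024-03-01T09:01:10Z LOGIN_FAIL user=finance src=192.0.2.33
2024-03-01T09:01:15Z LOGIN_FAIL user=finance src=192.0.2.33
2024-03-01T09:01:20Z LOGIN_FAIL user=finance src=192.0.2.33
2024-03-01T09:01:25Z LOGIN_FAIL user=finance src=192.0.2.33
2024-03-01T09:30:00Z LOGIN_FAIL user=grace src=198.51.100.21
2024-03-01T09:30:40Z LOGIN_OK user=grace src=198.51.100.21
"""

# Assumed log format: "<ISO timestamp> <LOGIN_FAIL|LOGIN_OK> user=<name> src=<ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, event, user, src) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def detect_guessing(events, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=4):
    """Flag two guessing patterns within a sliding time window.

    brute_force:    one (user, src) pair with >= fail_threshold failures
    password_spray: one src failing against >= spray_threshold distinct users
    Thresholds are illustrative; tune them to the real login volume.
    """
    fails = sorted(e for e in events if e[1] == "LOGIN_FAIL")
    by_pair = defaultdict(list)   # (user, src) -> [timestamps]
    by_src = defaultdict(list)    # src -> [(timestamp, user)]
    for ts, _, user, src in fails:
        by_pair[(user, src)].append(ts)
        by_src[src].append((ts, user))

    findings = []
    for (user, src), stamps in by_pair.items():
        # Peak number of failures in any window starting at one of the failures.
        peak = max(sum(1 for t in stamps if start <= t <= start + window) for start in stamps)
        if peak >= fail_threshold:
            findings.append({"type": "brute_force", "user": user, "src": src, "count": peak})

    for src, hits in by_src.items():
        # Peak number of distinct accounts targeted from this source in any window.
        peak = max(len({u for t, u in hits if start <= t <= start + window}) for start, _ in hits)
        if peak >= spray_threshold:
            findings.append({"type": "password_spray", "src": src, "users": peak})
    return findings


if __name__ == "__main__":
    for f in detect_guessing(parse_log(SAMPLE_LOG)):
        print(f)
```

Running it on the sample prints a brute-force finding for the `finance` account from 192.0.2.33 and a spray finding for 203.0.113.7, while the single failed and then successful login by `grace` is left alone. In practice the same counts would feed an alert or a temporary lockout, and the window and thresholds need tuning against a site's normal failure rate so that a typo-prone user is not mistaken for an attacker.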
Paying a ransomware demand was a risk because you then went on a 'dark web' list as a payer and would be hacked again. Beyond the web there was the deep web and then the dark web where illicit materials, including stolen data, were traded. "It's organised crime; every three seconds someone's ID is stolen," Mr Kay said.
Smart crims waited until major transactions were made and intercepted them. "It's easy to get around two-factor authentication," Mr Kay said.
When a claim was notified to Sedgwick, the adjuster triaged it, got key contacts' names, then formed a bespoke experts team, including lawyers, IT experts and forensic accountants to co-ordinate the process, mitigate the loss, adjust and settle the claim, and seek recovery against any responsible parties.
Mr Gee said NZ's 1993 Privacy Act was "hopelessly outdated" and a new Privacy Bill was "not good enough". NZ's Privacy Commissioner had made 89 recommendations to revise the Bill, but it was still out of step with international moves.
He suggested no one knew the real cost of cyber attacks but said what was reported by and to the NZ Government authority CERT NZ was "the tip of the iceberg".
Panellists agreed there was a shortage of IT specialists but Mr Grasso said Victoria University in Wellington had introduced a cyber degree and the first graduates would be available in four years.
Mr Gee said there was a global shortage of qualified people and much work was outsourced to India but there could be "jurisdiction problems when things go wrong".
He said the volume of attacks was huge and cyber could be as devastating as a fire risk. "You probably don't believe your premises will burn down, but you buy fire insurance," he said. The same applied to cyber cover.
Organisations could conduct cyber drills, in the same way they did fire drills. "Risk management can drastically reduce your risk," he said.
Too many employees "give away passwords and open dodgy emails". There were basic precautions that should be implemented and most were "quite cheap", Mr Gee said.