Q3 of 2019 saw the largest number of cyber criminal incidents reported by NZ businesses ever, and the largest since the WannaCry outbreak in Q4 of 2018. These statistics were recorded by CERT NZ, a specialist cyber security unit and part of the Ministry of Business, Innovation and Employment (MBIE), set up to help New Zealanders better understand and stay resilient to cyber security threats. Because reporting is not mandatory by law, one is left to wonder what the true number of cyber security incidents in NZ is.

At the end of Q3 2019, the reported incidents also cited $12 million of losses in the year to date – almost as much as the whole of 2018, during which $14.1 million of losses were reported. It is interesting to note that only 15% of incidents resulted in direct financial loss, which means that the average cyber incident in NZ that did incur financial loss reported about $20,000 – a combination of money fraud, response costs, and investments required after the incident.

How would your business be affected by such a potential financial hit? What about the interruption to business, or the loss in confidence to the whole organisation? I’ll provide some tips to help minimise your chances of becoming a statistic in 2020. Also, keep an eye out for my articles covering specific cyber security threats to be aware of in 2020 and how to take appropriate security measures to combat them.

One thing we can say for sure is that our local trend follows global trends, with reported incidents and the losses due to them on a steady rise over time. In fact, researchers at Harvard have determined that, although the percentage of cyber crime that is prevented is increasing, the real number of incidents still occurring remains the same (Source: Insights you need from Harvard Business Review: Cybersecurity, 2019). The same report indicates that the average cost of incidents is rising.

This is shocking news, and shows how difficult the position is for businesses and enterprises. For the cyber criminal it’s a perpetual game of offense – they have unlimited opportunities to try and exploit weaknesses, but for businesses it’s a perpetual game of defense – and one breach could mean a catastrophe for their entire organisation.

What is your best response as a business? Here are 4 important tips to take into the rest of 2020.

1. Acknowledge the threat

If you are reading this, you can be assured that your business or organisation is an attractive target for cyber criminals. I have heard it a thousand times, “no-one is interested in hacking our business.” 10 years ago that was possibly true, but the reality now is that small-medium enterprises are the number one target of cyber criminals. Hackers are far more organised, prepared, and strategic than ever before, and they know that small-medium enterprises are far less likely to be able to defend themselves adequately. In fact, 62% of all cyber breach victims are small and midsize enterprises (Source: Cyber InFocus, 1st Quarter 2019). The best thing you can do for your business is acknowledge that you need to make a response and adapt your business to the threats accordingly.

2. Train your users

Turn your greatest weakness into your most robust defense. The overwhelming majority of cyber incidents in NZ are targeted at untrained users. If your business gets breached, it will almost certainly be a mistake by one of your staff or computer users.

Lack of awareness of users is a fundamental assumption of hackers. Cyber criminals are increasingly using social engineering and malicious software to gain unauthorized access to business networks. These malicious actors are always drawn to opportunistic cyber attacks, but there is a trend towards more organised efforts. The rise of ransomware is the ultimate indicator that attacks are becoming more complex and being executed to affect a larger surface area.

Cyber security awareness training must be an intentional undertaking in 2020, and an ongoing campaign of internal vigilance. There are several ways to do this in a constructive way, and we will cover these in future blogs, but the overarching objective must be to develop a culture in your organisation that knows how serious cyber security risks are, and to work and act accordingly.

3. Adopt a zero-trust posture

I was talking to a recent migrant to New Zealand about how trusting they found New Zealanders. To their credit, they said it was refreshing (compared to their home country), but it was a comment en route to criticising the gullibility of kiwis online. I don't want to sound apocalyptic, but NZ businesses now need to adopt a ‘zero trust’ approach with their network security in response to the continuous cyber threats. The industry standard has always been, ‘trust, but verify.’ To stay safe and minimise the chances of becoming a cyber crime statistic, trust is something that not even your known contacts can be afforded any more.

The best way to think of zero-trust is to make "disallowed" the default rule for all computer system activity, and then make exceptions for known business requirements as needed. It may seem a bit old-fashioned, and possibly take a little more management, but that’s better than having to deal with a security breach that got in through a poorly secured system.
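The default-deny rule described above, as an added example that is not part of the original article: the same constructed traffic is judged by a "block what we know is bad" policy and by an allowlist of business requirements. All addresses, ports and rule descriptions are assumptions made up for illustration.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    port: int

class Rule(NamedTuple):
    src_net: str
    dst_net: str
    port: int
    reason: str

    def matches(self, flow: Flow) -> bool:
        return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net)
                and flow.port == self.port)

# Constructed allowlist: one entry per known business requirement.
ALLOW = [
    Rule("10.0.10.0/24", "10.0.20.5/32", 443, "staff to intranet web app"),
    Rule("10.0.10.0/24", "10.0.20.9/32", 445, "staff to file server"),
]
# Constructed blocklist, as used by a default-allow network.
BLOCK = [Rule("0.0.0.0/0", "10.0.20.9/32", 3389, "no remote desktop to file server")]

def zero_trust(flow: Flow) -> tuple[str, str]:
    """Default deny: a flow passes only if a business requirement names it."""
    for rule in ALLOW:
        if rule.matches(flow):
            return "allow", rule.reason
    return "deny", "no matching business requirement"

def default_allow(flow: Flow) -> tuple[str, str]:
    """Default allow: a flow passes unless someone thought to block it."""
    for rule in BLOCK:
        if rule.matches(flow):
            return "deny", rule.reason
    return "allow", "not explicitly blocked"

# Constructed sample traffic.
STAFF_WEB = Flow("10.0.10.21", "10.0.20.5", 443)
GUEST_TO_FILES = Flow("10.0.50.7", "10.0.20.9", 445)   # guest Wi-Fi device
STAFF_RDP = Flow("10.0.10.21", "10.0.20.9", 3389)

if __name__ == "__main__":
    for flow in (STAFF_WEB, GUEST_TO_FILES, STAFF_RDP):
        print(flow, "| default-allow:", default_allow(flow)[0],
              "| zero-trust:", zero_trust(flow)[0])
```

The guest device reaching the file server is the case that separates the two: nobody wrote a block rule for it, so only the default-deny policy stops it.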

4. Invest in visibility

Lastly, visibility of your systems is crucial. How can you be aware of data breaches if you don’t have a clear understanding of your network and systems? Visibility, I have found, is the key to being aware of your business cyber security posture. It starts with understanding what cyber criminals see when they consider your business - is there any low hanging fruit that they are tempted to attack? Is there any sensitive data or personal information disclosed online that can assist with social engineering? If you can get ahead of the cyber criminals and resolve any of these temptations, you're one step ahead.

How about internally? Do you know all your devices? Do you know all your users with elevated privileges? If you don't, it will be impossible to spot shadow IT. Do you review firewall traffic logs and security event logs? There's a lot of valuable data that you are probably already producing that can bring you better visibility.
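One way to put the device and firewall-log questions above to work, as an added example that is not part of the original article: it reconciles firewall log lines against a device inventory and reports devices nobody has registered. The log format, the inventory and every address are constructed for illustration, and it assumes the firewall records the LAN-side MAC address.

```python
import re
from collections import defaultdict

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"src", "mac", "dst", "dport"}

# Constructed inventory: MAC address -> registered device name.
INVENTORY = {
    "aa:bb:cc:00:00:01": "reception-pc",
    "aa:bb:cc:00:00:02": "accounts-laptop",
}

# Constructed firewall log lines in a key=value format.
LOG = """\
2020-02-03T09:14:02 ACCEPT src=10.0.10.21 mac=aa:bb:cc:00:00:01 dst=203.0.113.10 dport=443
2020-02-03T09:14:05 ACCEPT src=10.0.10.22 mac=AA:BB:CC:00:00:02 dst=203.0.113.10 dport=443
2020-02-03T09:15:40 ACCEPT src=10.0.10.77 mac=de:ad:be:00:00:09 dst=198.51.100.4 dport=8443
2020-02-03T09:15:41 corrupted line without fields
2020-02-03T09:16:12 DROP src=10.0.10.77 mac=de:ad:be:00:00:09 dst=198.51.100.4 dport=22
2020-02-03T09:20:00 ACCEPT src=10.0.10.80 mac=de:ad:be:00:00:0a dst=192.0.2.55 dport=443
""".splitlines()

def find_unknown_devices(lines, inventory):
    """Return ({mac: summary}, skipped) for devices absent from the inventory."""
    known = {mac.lower() for mac in inventory}      # MAC case varies by vendor
    unknown = defaultdict(lambda: {"ips": set(), "dests": set(), "events": 0})
    skipped = 0
    for line in lines:
        fields = dict(KV.findall(line))
        if not REQUIRED <= fields.keys():
            skipped += 1                            # count, never silently drop
            continue
        mac = fields["mac"].lower()
        if mac in known:
            continue
        entry = unknown[mac]
        entry["ips"].add(fields["src"])
        entry["dests"].add(f'{fields["dst"]}:{fields["dport"]}')
        entry["events"] += 1
    return dict(unknown), skipped

if __name__ == "__main__":
    devices, skipped = find_unknown_devices(LOG, INVENTORY)
    for mac, info in sorted(devices.items()):
        print(mac, sorted(info["ips"]), sorted(info["dests"]), info["events"])
    print("unparseable lines:", skipped)
```

The skipped-line count is returned deliberately: a rising number of unparseable lines is itself a visibility gap worth investigating.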

Developing the habits and processes to gain visibility can be tedious, but there are a number of great technologies to help, and the outcomes are worth the effort. The better equipped you are to notice suspicious activity on your business network, the greater your chances of thwarting breaches before they happen.

At Unify Digital we know that the key to the safety of our clients' business networks is in gaining awareness of the cyber threat landscape and visibility of their cyber risk profiles. Doing so keeps them well postured for the tricks and tactics of cyber criminals.

Don't be complacent: there is no doubt that small and medium enterprises are a top target for cyber criminals. It is the reality of the connected world that we are in today.

To protect your business in 2020 we’ve created a FREE cyber risk checkup that will take you no longer than 5 minutes to fill out. This assessment will give you a FREE report of the cyber threats and risks to your business right now.

Cyber Security is one of our specialist services where we can assess the cyber risks and threats to your business, helping you to put in a system that is safe and protected, and ensuring that your business can always run effectively and efficiently, and without any cyber risks and threats.
