On September 8, 2021 cyber attackers took down multiple New Zealand websites and services in what appeared to be a co-ordinated hit.
Kiwi bank and ANZ along with New Zealand Post, Inland Revenue and Metservice all experienced blacks-out due to a cyber-attack, and customers were locked out of their accounts for several hours.
This was not a single event, as in fact over the past few months several (if smaller) attacks have happened across New Zealand.
AUT professor of computer science Dave Parry said in this article on RNZ that these attacks were similiar to those that hit businesses earlier this year.
"It's very similar to the attacks that happened previously this year, effectively what's happening is that attackers presumably criminal gangs are effectively setting up lots of bots as they're called which are computers they are controlling by inserting a virus into them and those are all over the world."
With many people around the globe working from home due to the Covid-19 pandemic, Parry says cyber-security measures are more likely to slip and this can allow attackers to hijack more computers.
Parry further said a lot of cyber-attacks are coming from the US-based computers with gangs orchestrating attacks from overseas to target places like New Zealand.
In 2020 New Zealand introduced mandatory reporting of privacy breaches under the Privacy Act 2020 (which replaced the Privacy Act 1993). This requires organisations to report to the Privacy Commissioner and affected individuals when there has been a harmful (or potentially harmful) privacy breach. It is an offence for an organisation, without reasonable excuse, to fail to notify the Commissioner (with fines of up to $10,000). It is essential that organisations have policies and processes in place to deal with and respond to cyber and privacy issues. Boards should be kept informed about breaches and the potential impact for their organisation.
For more information, see The new Privacy Act – key resources for directors on the IoD website.
The changes to the Privacy Act does not only affect large corporations, but ALL businesses, big and small.
Therefore it is crucial to educate yourself about the "new" law, and its implications.
Watch this video below with the key takeaways below:
CERT NZ Q2 report released in September highlights New Zealand-related cyber security trends between 1 April to June 30. It showed there were more than 1,350 cyber security incidents responded to by CERT NZ, with almost $4 million in direct financial loss.
Of the reports received, ransomware showed a significant spike (from 12 in Q1 to 30 reports in Q2), followed by unauthorised access. The number of phishing and credential harvesting reports dropped by 5% from the previous quarter, however remains the most reported incident category type.
Ransomware is a type of malicious software that attackers use to usually target business and organisations. The aim is to access the computers and systems to encrypt files, and then demand a ransom to have them recovered.
“These types of attacks can result in data loss and significantly impacted operations as the affected organisation often has to go offline to recover systems and files,” says CERT NZ Director Rob Pope in this article.
According to the IoD (Institute of Directors) Cyber Risk Practice Guide, businesses need to work to the five core principles for oversight of cyber risk. They are:
A director or not, it is your company's duty to keep updated with new legislation, and comply with it.
The resource section below gives a few places to start:
RESOURCES
➢ The CERT NZ website has lots of useful information and tools. It is your first port of call when you need to report a cyber security problem. Supporting businesses, organisations and individuals affected by cyber security incidents, it is a government website providing trusted and authoritative information and advice.
➢ For more information about the Privacy Act 2000 and your obligations, visit this link. If you suspect a privacy breach, you are legally required to report it to the Privacy Commissioner.
➢ NotifyUs is an online tool that can help you work out if a breach is notifiable and to report it. Under the new Act, if your organisation has a privacy breach that is likely to cause anyone serious harm, it is legally required to notify the Privacy Commissioner and any affected persons as soon as practicable. Click here to learn more.