Aura Information Security says more than half of New Zealand businesses have seen a ransomware attack in the last year. One in five companies say the attacks caused serious disruption.
The same number, one in five, say they are getting 16 or more ransomware attacks every quarter.
Two-thirds of companies say they would pay a ransom. One in ten say they would be willing to pay $50,000 or more.
You can read that as: “Many New Zealand companies are paying big ransoms for their data.”
This is crazy. Companies shouldn’t be in a position where they are vulnerable to ransomware. And if they are, they shouldn’t pay the ransom. Once you’ve paid once, your name and details go on a list of potential victims worthy of more attention.
One-third of businesses say they saw an increase in all kinds of online attacks during the Covid-19 lockdown. Two in five say they were targeted by Covid-related phishing attacks.
Aura runs regular local research to gauge the cyber security issues and problems facing its customers and potential customers.
General manager Peter Bailey says Aura does this because there is a wealth of international research, but that doesn’t always paint a clear picture of what happens in New Zealand. While there is local reporting from Cert, it only covers reported attacks.
Bailey says there was one surprising finding in the research: companies are doing less of the policy and training work that could protect them from attack. He says the number doing this has dropped over the years. In 2018, 73 per cent of companies had policy and security programmes; last year it was down to 61 per cent.
He says he suspects this is because more companies are relying on technology to help solve their security problems. They think that moving to the cloud and buying security tools makes them safer.
This could be a mistake. There’s little point in building a secure castle for data if staff members open the front door.
Putting up walls is easy. Changing how frontline staff think about security is harder, and in the long term, more important. Humans are the weak link.
At the same time, companies don’t always know the best way to configure the security tools they use.
Less surprising, but just as disturbing: half of IT decision makers say they don’t know about the Privacy Act amendment. This comes into force on December 1, which is a couple of weeks away.
Bailey says in the last year the number who now know about the law change has gone up a mere five percent.
The new law makes reporting security breaches mandatory. Failing to do so can lead to fines of up to $10,000. Individuals or groups affected by breaches are able to take legal action against companies that don’t take adequate care to protect their data.
He says this was much the same in Australia when it introduced its mandatory breach reporting regime. And companies in the UK were equally oblivious right up until British Airways faced down a record fine for a privacy breach.
How to defend against ransomware
It may help to use back-up software. While operating systems have back-up tools, you want something that makes recovery easy if an attacker strikes.
You can hear me talking about this on RNZ Nine-to-Noon with Kathryn Ryan.