Our thoughts are with our members and their organisations impacted by Cyclone Gabrielle. Boards have a key role to play in the wake of any crisis. See guidance for chairs and directors

Cybercrime: Hard lessons learned in 2022 as we keep making the same mistakes

By Peter Bailey, Regional Business Cyber Security, Kordia
17 Mar 2023
3 min read

The 2022 Pinnacle Health cyber-attack saw half a million Kiwis' personal data stolen. This is a jarring reminder to all of us that we willingly share a large amount of information with organisations, but do we really understand how well they look after it?

If we are going to reduce the enormous impact of these types of cyber-attacks in 2023, New Zealand must take online security seriously – and directors need to support their organisations to keep this high on the agenda.

The first question people ask is: why would anyone even want my company’s data?

Over the past few years, the value of personal data has increased massively. There is a thriving online market for personal information, where data can make an attacker hundreds of dollars, depending on the information.

Attackers use this data for a number of different things, including adding people to new phishing and smishing (text phishing) campaigns, trying to reuse credentials across different accounts, impersonating victims to set up lines of credit, or reselling the information they have to other scammers. The name of the game is money – the more they can profit, the more interesting your data becomes.

This year has seen a reduction in certain attacks, as some attackers have been busy elsewhere. Analysts suspect that a drop in global ransomware attacks this year may be due to the Russian invasion of Ukraine. The rise of the cyber soldier has meant many hackers focused on the war effort, rather than stealing from businesses around the world. However, we should be preparing ourselves. The tools and techniques they develop during this war will find their way back into the criminal market, and we will see more sophisticated and devastating cyber-attacks when they do.

So, what can you do to reduce your organisation’s risk of an attack?

Cyber security is ever-changing and complex, but most hacks come down to someone neglecting the small things that hold it all together. That’s why it’s important to focus not just on risk, but resilience – and there are things that directors can support from a governance perspective to make sure the business remains on track.

Ensure that cyber security items form part of your risk plan and are reviewed regularly

It’s important that organisations think about cyber security as a risk area, rather than a function of IT. Consider all the parts of your business, and all your processes that touch the internet – and you’ll start to see that cyber security should be woven in as a risk factor across almost all parts of your operations.

The first step for directors is to understand your organisation’s top risks, and what the impacts and mitigations are. For example, if there is a critical platform used to store and manage customer transactions, that may very well be the first item the organisation should prioritise securing.

Practice your response

What looks good on paper may not translate well into practical terms – and that’s why your organisation needs to rehearse its incident response plans. This can be a useful exercise for boards to understand the role they’ll need to play during a major cyber incident, as well as helping the organisation refine its decision making ahead of a real incident.

Reporting to the board

Directors should encourage regular reporting from the executive on the current state of the organisation’s security and the threat landscape. Again, understanding progress made from a risk perspective is key here – and a good way for directors to get up to speed with what support the organisation needs to improve cyber security across the board.

Ask for help

Not all directors need to be experts in all fields, but you should have some understanding of cyber security concepts and threats. Don’t be afraid to ask for help – if there is something you don’t understand then get an expert in. This is a complex area and having a good grasp of what is happening both in your organisation and in the cyber security landscape in general is important.

Let’s make 2023 the year New Zealand changes its online security culture, from the board down.

About the author

Peter Bailey

Peter Bailey is a cybersecurity regional business manager at Kordia.