
Time to get cyber secure

Cyber security presents a real threat to all businesses. Don’t be fooled into thinking it’s only the big fish that are targeted, writes Daniel Smith.

"This is an existential event. There are very few events out there that can kill your business. This is one of them."

John Bolton, founder and director of Squirrel, has a fear that keeps him awake at night. This fear is a data security breach, a situation which Bolton believes would mean nothing less than the total annihilation of his business.

But he’s also aware that it’s not a concern that all advisers are addressing. And this, for him, is highly problematic.

“Look, I come from a corporate environment, where we are always asking, ‘What are the big risks in your business?’. And then you get into adviser-land and might think that the main risk is that you stuff up some investment or insurance advice. But the biggest risk in the industry is a company assuming they are too small to be attacked.”

Issues of privacy and data security are under a spotlight due to the new Privacy Act coming into force on December 1.

Under the existing Privacy Act, the onus of responsibility is on the individual. If there was a breach, the person affected would have to contact the Privacy Commissioner.

The new act will shift the responsibility from the individual to the businesses that hold their data. Every business that collects and stores client data will be subject to the new act, and those not adhering may be breaching privacy laws, and be subject to a fine.

But while the new act will allow the Privacy Commissioner to bare some teeth to those companies who fail to comply with the new regulations, Bolton believes that the “existential threat” of a data breach is not being taken seriously enough.

He says that the high-profile cyberattacks that brought down the NZX in August have only strengthened the false belief that cyber-criminals only go for big prey.

This is patently untrue, says Bolton. “You have to remember that when you are plugged into the world wide web, the whole world can access you. Yes, there are plenty of other fish in the sea, but it could just so happen that one day the shark wants to eat you.”

He takes the metaphor further. “Imagine you are that little fish who one day gets bitten by the shark. The next day your client’s data is for sale on the dark web. At that point your entire business went up in smoke in less than 24 hours and you didn’t think you did anything wrong. But what you did do wrong is you didn’t look after security.”


Marc Barlow, consulting partner at specialist cyber security company InPhySec, is one of those trying to stop this threat in its tracks. Barlow (and other senior staff at InPhySec) started the company after years working at the GCSB, predominantly in the National Cyber Security Centre.

Barlow says that financial services have a particular reason to prepare to be targeted. “The criminal’s motivation is financial gain; to achieve that, they are going to go where they can get the biggest bang for their buck. The financial sector is the obvious choice.”

But targets within the industry are not distributed equally across different-sized companies. “Bigger companies are able to put a lot of emphasis on cyber-security. But when you get down to smaller companies, between 10 and 100 people, they don’t have a whole lot of money to invest in security. Cybercriminals realise that compromising a smaller, trusted adviser can be a path to direct criminal gain or a springboard toward a larger target.”


When the call comes from a company facing a cyberattack there are a couple of components to InPhySec’s response. Barlow explains that, “firstly we look at how to prevent further data loss, or help them to restore some sort of business functionality. Secondly we investigate what data may have been lost, and figure out what enabled the breach. And lastly to look at what can be done to prevent a recurrence.”

This process is relatively simple with a larger company that already has cyber defences in place, but when a smaller company without protection finds itself the victim of a cyberattack, it can have devastating consequences.

Barlow said that, “we recently worked on an incident response job where a professional services company had their Office 365 compromised. What happened was, another organisation had been previously compromised and an email was sent from that organisation to the organisation we dealt with. They then opened the email and said, ‘Ah, we know this person so we will follow that link’. They were phished and lost all the data that had been hosted on Office 365.

“When they advised their customers of what had happened there was a massive loss of confidence. This was a successful New Zealand company who were facing serious questions about their ongoing viability.”

Another person who sees the aftermath of data security breaches is Petra Lucioli, claims manager at Delta Insurance. Lucioli says that her perspective from a claims side gives her the opportunity to collect interesting data on what sort of claims are most impacting financial services.

The data speaks volumes. Lucioli says that “literally 50% of my claims are invoice frauds that have been caused by email breaches”.

“Somebody gets a phishing email with a dodgy link, the link leads them to a website where the fraudster is able to get access to their email credentials. The fraudster then gets access to the email account, sits in it for a few weeks, watches what is going on and then they start manipulating the emails, eventually committing an invoice fraud.”

Though email breaches are by and large the number one cyberattack, a close second is ransomware, which is responsible for over 25% of claims.

Lucioli points out that ransomware has grown far more sophisticated over the years. Whereas it used to hold files hostage until ransom was paid, Lucioli is now seeing ransomware “not just encrypting the files, but also slowing down servers or altering the way in which digital services function”.


But developments in cyber-crime technology come hand in hand with the criminals’ development of intelligence gathering and reconnaissance. Lucioli says that “equally important is that the fraudsters are carrying out investigations into their victims, finding out their weaknesses and creating ransomware that focuses on that. Even the amount of money that they are claiming as ransom is specifically targeted at the organisation.”

The fact that the actions of cybercriminals are growing more complex by the day is starting to hit home in the wider New Zealand community. CERT NZ, the government agency which supports organisations and individuals affected by cyber security incidents, has released a report showing how the volume and sophistication of financially motivated cyberattacks have increased over the last six months.

“CERT NZ’s incident data tells us that cyberattacks have become more sophisticated, persistent and harder to detect than ever before,” says director Rob Pope.

“Your personal information is highly valuable to attackers regardless of who you are, so it’s important that more Kiwis get serious about protecting themselves online.”

The study found that almost a third (32%) of Kiwis don’t frequently check the privacy settings on their accounts.

This information is crucial for advisers. If a third of your clients may be compromised, then any one of those clients could unknowingly provide a conduit, through a phishing email or malicious ransomware, for a cyber-criminal to attack your business.

While criminal enterprises are growing in complexity, so is the security that defends your data. But the best methods of data protection may not be the most high-tech.

Lucioli says that, “The first and most important point is multi-factor authentication. Of the invoice fraud claims that I have seen, multi-factor authentication would have stopped all of them. Every single one.”

“Dealing with ransomware is a little bit harder because the access is created by your employees clicking on a dodgy link. The best thing you can do for that is training.”

This focus on multi-factor and training is echoed by both Bolton and Barlow.

Bolton also believes that businesses need to have measures against human error. “One of the key examples of human error is just dumb passwords. One of the things that we recommend is for businesses to use a password manager to give really complex passwords. I think everybody should be using them.”

Barlow believes that a key point for companies looking to protect themselves is to remember that “you don’t have to do it all yourself. The growing sophistication of cyberattacks means that you need really good advice. Every business, particularly in financial services needs a good cyber partner.”

He says that the upcoming changes to the Privacy Act, while a step in the right direction, are not enough by themselves to encourage the industry to make the needed changes. “The ability for the privacy commissioner to fine companies for breaches is still really limited. Yes, there are changes coming that put more emphasis on data protection and that’s a good thing, but the regulator doesn’t have big nasty teeth.”

A $10,000 fine from the regulator is not much compared to the financial fallout of a cyberattack. Lucioli says that of the claims she has seen, the typical fraud amount is between $50,000 and $100,000, but that a fraudulent invoice can be paid out two to three times before the company realises what has happened.

Though this impact may be huge, especially in the SME space, it is nothing compared to what can happen when an organisation needs to send an email informing its clients that their personal data is for sale on the dark web.

With the upcoming Privacy Act highlighting data security, Barlow wants the messaging to be clear. “This is a genuine threat. If it comes to pass the impact on an organisation is incredibly hard hitting. Reputation is everything in this sector. If your reputation around protecting data gets compromised, then that could see the loss of your business.

“It is really easy to peddle fear in the security area, but people do need to understand that if it goes wrong it can go wrong big time.”


New privacy law changes explained

A new Privacy Act will come into effect on December 1, 2020.

The key changes include:

• Requirements to report privacy breaches: If an agency has a privacy breach that causes serious harm or is likely to do so, it must notify the people affected and the Commissioner.

• Compliance notices: The Commissioner will be able to issue compliance notices to require an agency to do something, or stop doing something.

• Decisions on access requests: The Commissioner will make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal.

• Strengthening cross-border protections: New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by comparable privacy standards. The Act also clarifies that when a New Zealand agency engages an overseas service provider, it will have to comply with New Zealand privacy laws.

• Class actions: The Act permits class actions in the Human Rights Review Tribunal by persons other than the Director of Human Rights Proceedings.

• New criminal offences: It will be an offence to mislead an agency in a way that affects someone else’s information, and to destroy documents containing personal information if a request has been made for it. The penalty will be a fine of up to $10,000.

• Strengthening the Privacy Commissioner’s information gathering power: The Commissioner will be able to shorten the timeframe in which an agency must comply with investigations, and the penalty for non-compliance will be increased from $2,000 to $10,000.
