In recent months, Australia and New Zealand have seen a considerable rise in cyberattacks.
Here is a quick list of what has made the news:
- In September, the New Zealand Stock Exchange suffered a massive denial of service attack that brought the exchange down for four days in a row. Trading was halted and millions of dollars were lost.
- Wellington-based LMP Property Management was responsible for exposing more than 30,000 personal records, including scans of driver licences, passports, and evidence-of-age documents.
- The Australian Government has been targeted by significant attacks. As international tensions grow, the Government has so far been unwilling to attribute the attacks to a specific nation, saying only that it was a “sophisticated state-based actor.”
- Lion suffered a ransomware attack that took out the production capability of the Speight's brewery, causing significant supply problems.
- Fisher & Paykel was hit by ransomware, with stolen files posted to the Dark Web. Some of the files were expenditure and budget spreadsheets, as well as China Manufacturing Review documents, all multipage and densely packed with financial data and metrics.
And many other sources continue to report that this problem is getting worse.
Everyone is a target
If you think you are not in hackers’ sights, then think again. Hackers see every organisation as a potential opportunity to attack, including small businesses.
According to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report, 66% of SMBs experienced a cyberattack and 63% a data breach. In 2018, these numbers were 67% and 58% respectively.
If you hold personal data on your customers, be aware you are a custodian of that data and must do your best to keep it safe. Personal information has value, and if your organisation holds this, you are a target.
Ever wondered what some of your data may be worth on the Dark Web? Here are some typical prices (in US dollars):
- $1 for a Social Security Number (US)
- $20-$200 for online payment login info
- $5-$110 for a credit or debit card
- $20 for a drivers license
- $20 for loyalty accounts
- $100-$400 for diplomas and certifications
- $1000-$2000 for a passport (US)
- $1-$1000 for medical records (depending on completeness)
On 1 December, the updated Privacy Act in New Zealand will come into effect. If you suffer a serious data breach, you must notify the affected parties and privacy commissioner.
The new Privacy Act will also enable the privacy commissioner to issue compliance notices to compel organisations to comply with privacy laws. Failure to comply can result in a $10,000 fine.
If this sounds like a hefty fine, then consider the cost of non-compliance with GDPR in Europe. Should the information of EU residents be negatively impacted, the result can be a fine of up to 10 million Euros or 2% of the firm's worldwide annual revenue.
Flying under the radar
There are typically two types of attacks: extortion through denial of service attacks or ransomware, and the silent hack whose goal is to steal your intellectual property, confidential contracts, and client data.
Being hacked often does not impact your day-to-day business. You will not notice a slowdown, no strange error messages show up, and there are no outages. Organised cybercrime groups and nation state threat actors have more to gain by being as silent in their hacking as they can, because their ongoing presence on your network gives them better access to the organisation’s crown jewels.
A common attack vector is the staff workstation: a phishing email or an infected website delivers a remote access tool that installs on the asset. Once attackers get in this way, it can spell disaster for your digital assets.
With the quick move to work-from-home, the classic IT office model of “hard on the outside and soft on the inside” no longer applies. Workstations are being operated without the right protections in place, prompting the NSA to publish a guide on how to strengthen this type of asset.
Whether you like it or not, simply by being connected to the web, you are being continuously “pen-tested” by hackers. The only difference between the good guys and the bad is that only the good guys give you the report.
Here are eleven reasons why it’s important to do a penetration test every year:
- Find out what an attacker can reach through a safe simulated attack.
- Recognise the strengths of your environment. Understand how your security controls thwart an attack, and how you are made aware that someone is feeling around your systems.
- Find the blind spots of your environment. Gain insights on where gaps exist, and where security controls should be put in place.
- Reveal poor security processes for patching, strengthening, monitoring, and security incident response.
- Tune the performance of security technologies to make them more effective. A penetration test often uncovers misconfigurations.
- Support governance and compliance efforts. A lot of regulations require an annual penetration test.
- Give your IT/security team a workout by rehearsing incident response, containment, collecting forensic evidence, and reporting.
- Test your business continuity. How does your business operate when under attack? How long did it take for someone to find your BCP and dust it off?
- Provide management and leadership insights through thorough reporting. A penetration test report contains the attack narrative, the vulnerabilities found and exploited, and insights into your cyber posture from a technical perspective.
- Build confidence in security as a business enabler. Earn the trust and loyalty of your customers by demonstrating how you access and store their sensitive data.
- Gain insights into your state of readiness for mitigating cyber threats. How well are you prepared for an attack? Can you recover from one? These are excellent questions for a discussion with your senior management team.
Not sure where to start with securing your digital infrastructure and data? Our penetration testing can help you gain these insights and support your compliance efforts.