The relatively low risks associated with online crime and the rise of international cybercrime syndicates mean that New Zealanders must brace for more attacks such as that carried out on the Waikato District Health Board.
Author of the book ‘She’ll Be Right (Not!) – a cybersecurity guide for Kiwi business owners – SMB cybersecurity expert Daniel Watson, said it’s past time for Kiwis from boardroom level down to get serious about their cybersecurity.
“It is not acceptable that the Waikato DHB’s network was breached, nor that the attack impacted the whole system as it did. Not only do such attacks disrupt and cost the victims, but they also give criminals the ability to hide malicious software that can be activated later on or sold as exploits to other criminal elements.”
Watson said there is never enough funding for healthcare. It is bad enough that additional resources were diverted to deal with the attack and its fallout, but now more money will be needed to help prevent such attacks in the future.
“The perpetrators are most likely to be an organised crime syndicate because it is cheaper, easier and less risky to commit crime online – they can automate their attacks and carry them out in almost complete anonymity without the need for a getaway car.
“It’s a handsfree crime.”
Watson said even small Kiwi companies should not be complacent because the ability to automate the attacks makes cybercrime a numbers game – whether it’s $100 or $5 million – it’s all quicky, easy, contactless and profitable.
“Excellent backups will have enabled the DHB to avoid paying the ransom. During the recent hack of the Colonial Pipeline in the United States, the management there chose to pay the ransom but found it was easier to restore the system from backups.
“The damage these attacks do is not necessarily just the ransomware aspect. It also results in lost productivity and downtime in services and systems. What if healthcare workers had been dealing with a crisis, like a multiple car crash scenario, when the attack happened?”
1. Backups are not optional
Watson said no New Zealand company could get away without making backups.
“How often you backup depends on how much loss of data you can afford to live without. If you backup once a day, you will lose at least a day’s data. Near-instant recovery systems which backup every 15 minutes are affordable and achievable for most businesses.”
2. Keep networks segregated
“I recommend that you also segregate your systems into different compartments so that if one network is attacked, the others are protected. The construction of a modern ship divides the volume of its hull into watertight compartments to mitigate the whole vessel taking on water. You can do the same with your IT network.
“Segregating your networks also prevents criminals from moving laterally through your systems,” Watson said.
3. Provide better training
Watson said that while an organisation could have top-down pro-active management of IT security and investment in measures such as a security operations centre to monitor all activity 24 hours a day, it only takes one person to click on the wrong email.
“Poorly informed and trained staff, which is prevalent in New Zealand’s business environment, are the weakest link.
“All it takes is one click on a bad hyperlink, or for somebody to insert a USB drive in a laptop, and criminals will bypass all protective measures. In that context, investing in proper training for your people is cheap.”
Watson said the recent ‘take down’ of the Darkside Crime Syndicate by law enforcement in the United States highlights the cybercrime is like the age-old cheetah and gazelle duel – whoever runs faster wins.
