Be prepared if cybercrime hits your firm
This article was current at the time of publication.
“Cybercrime is a potentially existential threat,” warns Campbell McKenzie, Director of New Zealand-based forensic and cyber security firm Incident Response.
“It could knock you out of business. You might get an insurance payout if you have cyber insurance.
“Otherwise, given the volume of cybercrime, it’s extremely difficult to get a reaction from the banks or law enforcement to freeze funds – they’re transferred off very quickly.”
A pensioner found this out recently when cybercriminals hacked into his online banking and wired NZ$100,000 overseas.
Westpac was able to stop two transactions worth NZ$49,000, but it was too late for an unauthorised NZ$48,839 withdrawal.
Cyber attacks: Plan for the worst
Incident Response helps businesses prepare for, respond to, and recover from cyber attacks.
McKenzie says planning for the worst is essential because the sheer number of different scams and frauds means businesses can’t predict the impact of a successful attack.
Of course, many businesses do have in place continuity planning and disaster recovery strategies to mitigate events such as an earthquake or power outages.
“But with cyber, it’s much harder to work out how it’s going to affect you,” McKenzie says.
“It could be reputational issues, regulatory issues, insurance requirements, or client contractual obligations to keep their data secure.
“I’ve worked on cases where I’ve seen confidential company and client information on the dark web.”
Financial sector at risk from cybercriminals
New Zealand’s Financial Markets Authority warned earlier this year that in 2021 financial sector firms, including accountants, were the focus of most attacks by cybercriminals.
PwC estimates that financial entities are 30 per cent more likely to be targeted than other companies.
“Financial institutions remain at a higher likelihood of being targeted by a cyber attack as they often hold large volumes of client data, financial IP, and have access to [frequently] large sources of funds,” says PwC Cyber Consulting Partner, Robyn Campbell.
“All these have value in themselves and as datasets that fetch a high price on the dark web.”
Common cyber threats
Of the 2001 incidents recorded in CERT NZ’s June quarter Data Landscape Report, the most common category was phishing and credential harvesting, with 1116 reported attacks.
These were followed by scams and frauds (526) and unauthorised access (230). Malware was a distant fourth, at 62 incidents.
CERT NZ Senior Threat Analyst Sam Leggett says phishing and credential harvesting is easier than hacking into a company’s computer system.
Entry points can be via open-source intelligence – accessing email accounts through information found on social media, business registers, and so on – or large hacks of email addresses.
“Be aware of the information you have online and be careful who you’re sharing [it] with,” Leggett says, adding that the key to prevention is verification.
“Look at the email address, check the physical address, and check the bank account number.”
Businesses should also have an alternative method of verification – perhaps double-checking with a phone call to a number used previously.
“A history of trust between two organisations is where things might slip through the cracks,” Leggett says.
Notably, scams and frauds usually result from “fake flag” emails.
Again, verification is critical. Businesses should check the sender’s address is genuine, not a “throwaway” (disposable email addressing, also known as dark mail, involves a unique email address being used for every contact).
“Organisations now rarely ask you to click on a link,” Leggett explains.
“If an email does, look at the address and be aware of the language they’re using, as they try to create a sense of urgency.”
In contrast, unauthorised access is achieved mainly through compromised passwords – a vulnerability typically caused by employees using the same password across accounts.
Passwords compromised through phishing or credential harvesting can be used to deliver ransomware, which is a type of malware that prevents or limits users from accessing their system either by locking the system’s screen or locking users’ files until a ransom is paid.
Hone your cyber security defences
The easiest ways to improve cyber security are to implement strong passwords and two-factor authentication (2FA).
“A more technical approach is [very] solid network segmentation, so a hacker will be able to access only one segment,” Leggett says.
“Similarly, employees should have access only to what they require, so any compromised credentials will work only for those things an employee can access.”
According to McKenzie, a solid incident response plan should have three elements:
1. Governance – own the risk. Have a suitable set of cyber controls in place; at the very least, strong passwords and 2FA.
2. Documentation – develop a suitable incident response plan and playbook. The plan should be executive-level and detail what actions, including external communication, need to be undertaken by whom and when. The playbook will break this down into actions for different types of incidents; for example, a ransomware attack or compromised email.
3. Simulations – regularly stress-test your ability to respond and review your governance documents, plans and playbook.
“For example,” says McKenzie, “a small firm could call their IT provider only to find they don’t answer the phone for three hours or, over a holiday weekend, for three days. Do they have a 24/7 contact?”
He says even organisations with strong internal defences can become “collateral damage” if cybercriminals successfully attack their IT provider.
Protect yourself and your business with CPA Australia’s cyber security resources. To help you set up your cyber defences, use the cyber security checklist.