Could New Zealanders initiate a cyber attack from within?
The threat landscape is expanding significantly worldwide, and the opportunities it presents are a growing concern in Aotearoa.
But would a Kiwi have access to the technology needed to initiate an attack, and what is in place to prevent this?
KPMG Cyber Security Services partner Philip Whitmore says that nothing stands in the way of someone in New Zealand initiating a cyber attack, and Aotearoa-based attacks take place on a regular basis.
"A local person may however choose at times to use offshore resources to support an attack, for example to hide the origin of an attack," Whitmore says.
KnowBe4 recently released its 2022 Security Culture Report examining trends in security culture, with chief evangelist and strategy officer Perry Carpenter explaining that the term refers to "how people think about and approach a more secure environment and this report focuses on those key elements."
Conducting this research for the first time, KnowBe4 found that overall, security culture worldwide is improving.
"This was the most promising finding from our research and emphasises that security culture should be viewed as a critical asset used to reduce risk and improve security."
The report includes a Security Culture Index (SCI), which rates organisations globally based on their security culture score, calculating its results by analysing thousands of companies worldwide. It notes that "North America scored 74 (the best), with the rest of the world comparable to Europe and Asia scoring 73, and Latin America, Africa and Oceania scoring 72." However, it goes on to say that the global overview may give the inaccurate impression that all regions perform similarly and that the situation is okay, but the reality is that the situation is more nuanced and unsettling.
"Security culture in Oceania is showing that Australia (73) and New Zealand (72) are quite different from each other, and neither is doing particularly well. It is highly recommended that organisations in this region step up their investments in security awareness, behaviour and culture going forward. The other parts of the region are lagging far behind, not even measuring on the Security Culture Index."
Whitmore adds that changing technology has made it easier for threat actors to carry out attacks.
"The rapidly changing cyber security landscape has often meant there are increasing opportunities to gain unauthorised access.
"While organisations are managing a variety of cyber security risks, a threat actor only needs one way in."
One of the systems in place to keep track of this kind of activity is the National Cyber Security Centre's (NCSC's) Malware Free Networks (MFN).
A branch of the GCSB, the NCSC developed the MFN service to make Aotearoa's cyber defence capabilities more robust by detecting and disrupting threats. Through this function, the service is able to provide threat intelligence about current malicious activity targeting New Zealand organisations almost in real-time.
MFN protects against any cyber threats that could pose a risk to nationally significant companies, such as small to medium enterprises, large corporations and government organisations. It can also be integrated with other systems and platforms to defend against a broader range of malicious activity. According to the NCSC's Cyber Threat Report 2020/21, the MFN service has already disrupted more than 2000 malicious cyber events in its early phase.
Imperva also recently released research, finding that bad bots made up 25.9% of website traffic in the APAC region in 2021, with the three most common bot attacks being account takeover, content or price scraping and scalping to obtain limited-availability items. The 2022 Imperva Bad Bot Report studied five countries in the APAC region and ranked New Zealand in fourth place for bad bot traffic at 20.3%. Australia is in third place at 25.7%, China is ahead with 38.6%, and Singapore ranks highest at 39.1%.
The company says bad bots allow for "high-speed abuse, misuse and attacks on websites, mobile apps, and APIs", with successful attacks resulting in the stealing of personal information, credit card data, and loyalty points. It also notes that bad bots are usually the first indication that online fraud is taking place and pose a threat to digital businesses, as well as their customers. Bad bots pose an additional problem for organisations, as "automated abuse and online fraud contributes to non-compliance with data privacy and transaction regulations."
"Businesses cannot overlook the impact of malicious bot activity as it is contributing to more account compromise, higher infrastructure and support costs, customer churn, and degraded online services," Imperva Office of the CTO director of technology Reinhart Hansen says.
"With automated fraud growing in intensity and complexity, APAC organisations need to urgently implement advanced bot protection to safeguard their customers' interests."
Another company that monitors cybersecurity incidents and attacks is CERT NZ, which collates a profile of New Zealand's threat landscape as part of its broader work (providing information and advice to support businesses, organisations and individuals impacted by or at risk of cyber security incidents).
CERT NZ recently released Quarter One: Cyber Security Insights 2022, which offers an overview of reports about cybersecurity incidents affecting New Zealanders.
The Q1 insights cover January 1 to March 31, 2022, and show that CERT NZ responded to 2,333 incident reports from across the country about individuals and businesses during this period. However, it notes this is a decrease of 41% compared with Q4 2021.
In addition, Q1 reported $3.7 million in direct financial loss, with 30% of incidents reporting a financial loss, a decrease of 44% compared to Q4 2021. Ransomware reports increased by 31% compared to Q4 2021. CERT NZ also recorded a 95% decrease in malware reports from Q4 2021. Further, based on the previous eight quarters, the company notes that 2,227 incidents are reported on average each quarter and that the average direct financial loss is $4 million.
"The level of risk posed to New Zealand private sector organisations is generally continuing to increase," Whitmore adds.
"We've never spent more time or money on cyber security than we are currently.
"However, often we are not applying our resources to the areas that matter the most.
"It comes down to an issue of risk management, and ensuring the effort and money is being prioritised to the areas that matter the most."