SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Hacking a risk to all businesses, no matter the size
Mon, 15th Aug 2016

Cyber security is an issue facing all businesses regardless of size, type or location.

That's the stern word from Aura Information Security, which says the recent hacking of several New Zealand schools is a timely reminder about the importance of security.

Aura Information Security general manager Peter Bailey says that while schools may seem an unlikely target, they have resources and information that hackers find valuable. The same applies to most businesses in New Zealand.

“In the case of the schools hacking, it is possible that servers and storage may have been taken over by attackers. In addition, the personal information schools often hold may also have been used for ‘downstream’ crimes,” Bailey explains.

“When resources are taken over by hackers, they can be used to store contraband such as illegal digital content or to launch further hacking attacks on the information assets of other organisations,” he says.

Personal details, such as those contained in school systems, can be used by hackers to perpetrate identity theft. This data can then be used for crimes such as opening fraudulent lines of credit.

If the email accounts of senior school staff members are hacked, those individuals can be impersonated to request payments from the finance team for bogus invoices (this is also known as ‘CEO fraud’, where a message purportedly from the boss authorises a payment). Because the email appears quite legitimate, hackers often succeed.

Notably, Bailey says schools and small-to-medium businesses have something in common where security is concerned.

“They often have similar IT and security setups featuring weak passwords which are used for multiple services,” he says.

“This makes it relatively easy for hackers to ‘brute force’ the password. Brute forcing is a technique where hackers use a computer to automatically guess a password until they gain access.”

Is your business at risk?

According to Bailey, the short answer is yes.

“Like schools, small-to-medium businesses tend to focus on ‘why’ they might be hacked, often coming to the conclusion that they don't have anything of particular value in terms of information assets,” Bailey says.

“This leads to the inevitable conclusion that information security doesn't warrant priority.”

Bailey says nothing could be further from the truth, as the school hacking has demonstrated.

Information such as customer lists, trade secrets, financial and corporate data, and credit card information is valuable to hackers.

“Today, hackers aren't generally breaching computer systems for mischief. Instead, they are looking for things that are relevant and which give them an advantage,” Bailey explains.

“This includes information such as credit card details which enables them to directly make money, or information and resources which help them indirectly hit payday,” he adds.

Because hackers make use of automated tools to run their attacks, any organisation at any time is at risk, says Bailey.

These tools scan the internet looking for vulnerable sites, whether a school or business and, in much the same way that a burglar will seek out the unlocked house, hackers pick the easy targets.

“Generally, if they find they can hack into one company using a certain type of malware, they will look for similar companies using the same malware. This is probably why multiple schools were hacked,” Bailey says.

Bailey says the lessons for all businesses are clear: use secure passwords backed by a strong policy.

“Use tools that securely generate passwords that don't need to be remembered. Don't use shared passwords, ever. And don't allow repeated logins: if the password isn't correct in three tries, block access (this stops ‘brute force’ attacks),” he says.

Most importantly, Bailey reminds organisations that good information security is about people.

“Know the signs of an attack and educate your staff,” he explains.

“Make them aware of the scams out there and make sure they know what to look out for.”