Cyber security needs to move from the information technologies department to human resources, says an expert.

Phishing and social engineering through emails continues to be one of the biggest elements of cyber crime, and workers rather IT infrastructure remain the most vulnerable part of a company.

"While there has been an increased awareness of cyber-security issues in the past 24 months, we're still seeing a tendency for companies to focus and invest in technical controls, rather than human issues," Steven Macmillan from Kaon security firm.

"The human is the weakest link."

Advertisement

Kaon is advocating a cultural change in workplaces where cyber-security issues become an HR focus just like health and safety.

"It should be a fundamental training requirement in the workplace," he said.

Macmillan's firm offers companies a simulated phishing scenario where workers will be targeted with unsafe emails to demonstrate how attacks take place.

Directors and board members, says Macmillan, are greatly at risk because they have privileged access to information and funds.

Furthermore, many people in senior positions are older and have less technological experience than their younger workers, making them more liable to attacks such as spear phishing, which focuses on a specific target.

"It goes right to the top," said Macmillan. "Senior staffers need to be leading this culture change because social engineering will not stop."

Macmillan said a common type of attack involves criminals accessing a worker's emails to obtain invoices.

They then doctor the invoice to change the recipient's bank account number and will send it through to the department responsible for paying accounts.

The criminals will often call the department to let them know there has been a change in the bank account to seem more credible and avoid suspicion.

New Zealand presents a particular challenge for cyber security because we have no mandatory disclosure law for companies which have been attacked.

Macmillan says most cyber attacks go unreported in order for businesses to save face, and the government is not doing enough to tackle the problem.

The UK and Australia have mandatory disclosure laws in place, which not only punish and fine business which do not comply, but disclosure provides an insight to the types of attacks occurring and helps other businesses protect themselves.

Kaon recently conducted a blind poll of 100 people across a range of organisations which found 79 per cent had been affected by IT security issues in the past 12 months.

The most common attacks were ransomware and phishing, representing 67 per cent of all attacks.

More than half of the respondents said they had been affected three or more times in the past 12 months. Eight per cent of those polled said they had been attacked more than seven times.

The cost of the breaches ranged from $5000 to $500,000.

Most cyber attacks in New Zealand are impossible to resolve through prosecution due to the fact they are happening offshore, mainly from Eastern Europe.

Macmillan had a few basic tips for Kiwis who are concerned they might be targeted:

1. Check the grammar. With most attacks coming from offshore, check the spelling for mistakes a native speaker wouldn't usually make.

2. Do not click links. "You haven't won the lotto," said Macmillan. "If you get some 'great news' in your inbox, it's probably to good to be true and you should not click the link."

3. PDF invoices need to be double-checked. If an invoice appears changed or the bank account number has been altered, call the company involved to be certain.

4. Ask your boss. If you get a strange email from your boss requesting an immediate transfer of money, it's possible his email account has been compromised. Contact your boss, or check with someone else, before processing out-of-the-ordinary requests.

Glossary:

Phishing:

Just like the outdoor activity (fishing), phishing involves a broad-based attack putting out "bait" (for example, a PDF loaded with malicious code) in order to catch someone.

Social engineering: In this case, the manipulation of target through various means, such as bogus emails which appear to be from a trusted source.

Spear phishing or whaling: Similar to phishing but focuses on a specific target. Whaling refers to catching the "big fish", for instance, a chief financial officer or board member.