Cyber criminals reaching new levels of sophistication.

"A massive explosion" of ransomware has affected New Zealand businesses in the past 12 months, according to leading cybersecurity company Kordia.

Kordia Group CEO Scott Bartlett says ransomware (software which locks data and is freed only when a ransom is paid) has become the single greatest online security issue in terms of number of attacks.

"These criminals get into your system, find some sensitive data, encrypt it so people are locked out of their own data - and then send an email saying it will be deleted unless they are paid, say, $100,000 in bitcoins, which cannot be traced," Bartlett says.

"This is happening daily and it's happening to companies large and small - to small and medium enterprises, large financial institutions, construction companies."

Advertisement

Cybercrime costs New Zealand businesses an estimated $250 million a year - though that is only an estimate; not all such attacks are reported.

"People are afraid to say they have been hacked," says Bartlett. "They think they will lose customers - and they're right. The fear of reputation impact is real; those fears are justified.

"What's happening now is the level of sophistication is rising, attacks are escalating both in quantity and quality and organisations are finding they can't deal with these things on their own."

It's not just Kordia pointing to the cybersecurity crisis facing many New Zealand companies. PWC's 2016 Global Economic Crime Survey said, of the 40 per cent of New Zealand businesses hit by all forms of economic crime in the past two years, 29 per cent had experienced cybercrime.

There are about 500,000 companies in New Zealand (97 per cent of them small-to-medium enterprises, according to official figures), so about 58,000 enterprises have been compromised by cyber criminals in the past two years. That's over 550 companies every week - again, just those who have admitted it.

Kordia's recent market research found 30 per cent of almost 200 IT decision makers in businesses with 20 employees or more were unsure their cyber-security measures would prevent a breach; 20 per cent did not have any online security policies or training in place - indications of New Zealand's vulnerability in this area.

Internet safety group Netsafe said last year cybercrime likely costs New Zealand between $250m to $400m, with only about 4 per cent of attacks reported.

Globally, the figure is estimated at US$600 billion but Bartlett says the worldwide cybercrime industry will run into the trillions in the next 10 years.

"The bad news is that the bad guys are constantly finding new ways to do bad things," says Bartlett. "They are staying ahead of the defenders - who are usually on the back foot.

"The tools to become a cyber criminal are cheap and freely available - there are even dummies' guides on how to use them. It's not just ransomware, sophistication in all areas is growing. It has become a highly sophisticated, lucrative area of criminal activity.

"Look at phishing [the art of extracting data or money by fake communications, usually an email]. About 18 months ago, you'd need to be pretty foolish to fall for a phishing email.

There would be signs like poor grammar; they often didn't look right.

"Now, however, they are picture perfect, with very sophisticated messaging and some clever ways of manipulating people - and if you haven't been educated on what to look for, they can work well."

Bartlett believes New Zealand does not yet need to follow Australia in making it compulsory to report cyber attacks. Visibility of the totality of cybersecurity breaches could have a negative impact on perceptions of New Zealand business - and there is more work to be done on the carrot before the stick is employed.

"The fact the bad guys can develop so much so fast means there is no set and forget and no silver bullet in cybersecurity measures," he says. "Vigilance, investment and change are the constants."

There are three main ways for companies to protect themselves - advice from top specialists, protection from a series of measures ("it's more than just a firewall") to ensure a company's internet interface is protected. Finally, and most importantly, a security operations centre watching clients' operations 24/7.

"That third area is key," says Bartlett. "There are plenty of good companies around who can do the first two but we do all three. If you do not have someone looking at your network round the clock, able to see that little package of data that has just been sent off to the Ukraine is suspicious, well - you're missing a trick."