The incidence of computer-attacking software has exploded in the last six years, from 2.3 million new pieces of malware in 2009 to 430.5 million last year, according to the latest Symantec Internet Security Threat Report, with New Zealand seen as a relatively soft target.
The report says cyber criminals are going corporate, establishing professional businesses with nine to five work hours and holiday pay, and their skills now match those of nation-state attackers.
"We are even seeing low-level criminal attackers create call centre operations to increase the impact of their scams," said Symantec director Kevin Haley.
New Zealand was an increasingly popular target for cyber criminals, ranking second in the southern hemisphere in 2015 behind Australia and 21st globally for ransomware attacks - where criminals put malware on someone's computer and hold their digital content hostage until they pay up.
The report estimates ransomware attacks in New Zealand averaged 108 per day, compared to 636 in Australia. They increased 35 per cent globally in 2015 and spread beyond PCs to smartphones, Mac and Linux systems, with attackers seeking any network-connected device to hold hostage for profit. The Internet of Things is predicted to connect 20.8 billion devices by 2020, including medical devices.
New Zealand ranked 21st globally for social media scams and was one of several countries targeted for tech support scams, which rose 20 per cent last year, said Mark Shaw, technology strategist for Symantec, which sells the Norton anti-virus software. Its annual report, which is commonly cited globally in the absence of more independent figures, is based on data from its own network.
New Zealanders were fairly naive when engaging on the internet, Shaw said, and the country needed legislation to force companies to report data breaches to their customers.
Replacing the current voluntary data breach reporting law with mandatory reporting forms part of proposed changes to New Zealand's privacy legislation being drafted at present.
The Privacy Commissioner received 121 voluntary notifications of data breaches last year, mostly caused by human error or carelessness, but how many go unreported is unknown.
The Symantec report says a total of 429 million identities were exposed by cyber crime, up 23 per cent on the previous year, a figure estimated to rise to half a billion if unreported breaches were included. The report found an 85 per cent increase in companies choosing not to report lost records last year.
Shaw said just under half of data breaches in 2015 were the result of external hackers, often thanks to lost laptops or USB sticks, and some by malicious insiders.
The Dyre financial Trojan malware stole the credentials of thousands of customers worldwide before being largely snuffed out by the end of last year, Shaw said. It targeted all of New Zealand's major banks and was triggered when customers did internet banking, he said.
The number of discovered zero-day vulnerabilities - where an unknown hole in the software is exploited by hackers - more than doubled to a record 54 in 2015, a 125 per cent rise on 2014.
Spear-phishing attacks using apparently genuine email addresses rose by 55 per cent in 2015. That included a growing number of small to medium enterprises, which accounted for 43 per cent of spear-phishing attacks.
The NZ Fire Service and Te Wananga O Aotearoa were two local examples of companies hit by such attacks last year, Shaw said.
- BusinessDesk