From hospitals and businesses to governments, no target is too big for today's sophisticated cyber criminals, not even an election - and it's costing US$445 billion (NZ$647b) per year globally.

Hospitals became a major target this year, raising serious concerns over patient data and privacy along with the threat of mass murder. Locally, Whanganui District Health Board's system became infected with ransomware called "Locky". The board says it resolved the issue without losing data, which makes it very lucky.

In November, three hospitals in England connected by an NHS Trust were forced to cancel thousands of operations after a cyberattack crippled their information technology (IT) infrastructure.

A Washington, D.C.-area hospital chain was targeted in May, shutting down all IT systems in ten hospitals in the D.C./Baltimore area. The hospitals were forced to revert to paper records and patients were reportedly turned away from affected hospitals.


A month earlier, a California hospital paid $17,000 to hackers in order to have ransomware removed so they could regain access to electronic health records.

"Ransomware has continued to cause major headaches, especially for consumers and small businesses. Unfortunately this is likely to continue as I suspect criminals continue to make fairly good financial returns from extortion such as this," said Barry Brailey, chair of the New Zealand Internet Task Force.

"The most common Ransomware we have seen basically encrypts and locks all content on a persons computer and requires a payment to be unlocked or decrypted. It's a good reminder to have decent off site back ups of any important data," Brailey said.

Dr Hossein Sarrafzadeh, director of the Centre of Computational Intelligence for Cyber Security at Unitec Auckland, said ransomware affected tens of thousands of people in 2016 and is estimated to have profited the criminals to the tune of US$1 billion.

"The network of criminals trading and collaborating on the Dark Web will continue to grow [in 2017]," Sarrafzadeh said.

The majority of cyber attacks in New Zealand still go unreported, though figures released by New Zealand's National Cyber Security Centre (NCSC) this year showed that attacks have more than doubled since 2011.

Dr Abdolhossein Sarrafzadeh at Unitec in Auckland. Photo / Doug Sherring

According to Netsafe, only around 4 per cent of all attacks in New Zealand are reported. The estimated cost to Kiwis is somewhere between $250 million and $400 million.

Chief financial officers have been targeted this year, with one woman sending $100,000 offshore at the request of what she thought was her chief executive.


The New Zealand Fire Service got scammed out of $52,000, once again believing their boss was asking for the money.

"Business email compromise, fake invoices and CEO/CFO style phising have been big this year," Brailey said.

"The fraudsters mislead companies into making large payments to certain (often overseas) bank accounts or companies. This has been impacting businesses of all sizes and the sums of money involved, even from NZ companies, suggest this criminal activity is unlikely to stop, although the attacks and tricks used may continue to evolve."

And what have we learned this year? That hacking is easy. Techradar called 2016 "the year hacking went mainstream."

"Criminals do not need to create their own tools," said Sarrafzadeh. "They can simply hire them to carry out malicious attacks on specific targets."

Firewalls and anti-virus don't protect businesses from the biggest threat of all: careless and uneducated staff. Every business in New Zealand is vulnerable to attacks if it has staff who are not rigorous about email attachments and verification of identity.

"Good accounting practices with checks and controls around payments to new suppliers, unusual payments, or bank account changes for existing suppliers help detect and prevent this fraud," said Brailey.

As businesses become more connected, the risks of cyber attacks increase - making the education of employees vital.

"An organisation is only as strong as its weakest link. If one employee clicks on a link in an email or a link in a website that contains malware, then the whole organisation is at risk," Sarrafzadeh said.

Think you're immune? Think again. John Podesta, a former White House chief of staff and chairman of Hillary Clinton's 2016 US presidential campaign, fell victim to a phishing campaign which saw a massive data breach and thousands of highly confidential emails released to the public. The hack, which occurred in the last month of the election, was hugely damaging to Clinton's campaign.

While ransomware was the dominant trend, 2016 also saw the always-trolling DDoS (distributed denial of service) attacks hitting major companies such as Sony, Twitter, and Facebook. Even more frightening was the proliferation of the "Mirai" botnet, which turned computers into remotely controlled "bots" that could be employed for massive DDoS attacks co-ordinated on single targets. Another scary feature is the ability for criminals to use the botnet to spy on victims through their computer, phone, or even baby monitor.

"DDoS and the Mirai Botnet have 'rounded out the year'", said Brailey. "If your website is important to you, perhaps you conduct most or all of your business through it; you should talk to your IT staff or providers about DDoS mitigations".

The good news? According to NZITF, general awareness of security issues has risen and will continue to rise in 2017. Another silver lining is the sudden shortage of cyber security skills, which will open a range of new jobs to young graduates with IT and coding skills.