5 top mistakes Kiwi companies make.

Cybercrime costs New Zealand businesses about $250m-$400m a year - though that is only an estimate as a vast number of cyber attacks are not reported.

According to leading cybersecurity company Kordia and Peter Bailey, general manager of Aura Information Security (Kordia's specialist arm), New Zealand is particularly vulnerable.

Recent Kordia research found 30 per cent of almost 200 IT decision makers in businesses with 20 employees or more were unsure their existing cybersecurity measures would prevent a breach; another 20 per cent had no online security policies or training in place.

Some companies don't even know they have been hacked.

The research also showed medium enterprises (60-99 staff) had a "she'll be right" approach that left them "wide open" to attack, says Bailey.


So what are the most common mistakes companies make in addressing - or not addressing - the need for cybersecurity? Bailey says there are five:

1. People believe it won't happen to them
"People still think we are geographically isolated, a small country at the end of the world that doesn't have anything worth stealing," says Bailey. "So they leave themselves unguarded, overseas organisations hack in and use their server as a bot to run illegal activity, among other things."

2. Internal/personal security laxness
"It's remarkable but even though our industry has gone on and on about it to boring levels, many people still believe password protection is a minor issue. Some think their company has a firewall so they can get away with passwords like 'password' or 'admin'."

Bailey says the widespread habit of using the same or similar passwords for work and personal accounts is also a hacker's dream: "If they can get your password from home, that often allows them into your work systems."

The massive 2015 cyber attack on US health insurance giant Anthem (78 million customer records exposed) came when an employee opened a "phishing" email - a fake official communication that some unprepared staff still fall victim to, giving hackers access to the system once opened. Educate your staff, says Bailey.

Peter Bailey, general manager of Aura Information Security.

3. General lack of "security hygiene"

Many people and businesses put off running Windows or anti-virus updates, preferring to address other, more convenient matters. But those updates are a built-in line of defence: they patch any discovered vulnerabilities or potential backdoors into the system's software and apps.

Bailey says: "Mossack Fonseca, the law firm at the heart of the Panama Papers scandal, had not updated their software, making them vulnerable to an attack that accessed their documents - exactly what happened. Update systems and back up files - so you can deal with attacks like ransomware that enters your system, encrypts files so you can't access them and asks for money to release them.


"If you are backed up, you have a ready-made solution. It's so easy to do that - but so many people and companies do not do it."

4. Not all cyber attacks come from computers
The vulnerability of staff can be a great source of wealth for hackers, Bailey says: "We run what we call a Red Team exercise where we test a client company's cybersecurity defences. Among the things we do is use social media and sites like LinkedIn to identify people who might help us.

"Then we pretend to be an IT repair company and ask for information over the phone or call someone and pretend to be an executive and shout at them until they give us the passwords we need. It often works."

5. Business partners need to be part of your network
Third parties - business partners or suppliers - can also be a way in for unscrupulous hackers. The infamous hack of 40 million customers' credit and debit card details from the US Target chain of stores came about when hackers compromised a contractor to gain entry and then acquired advanced rights.

Bailey says: "Companies are realising they are also vulnerable to third parties who may not wish them ill but who provide a pathway for those who do. Many are doing a cybersecurity audit these days - especially UK and US companies who want to use New Zealand companies.

"But even if your company can't do that, at least agree some minimum security measures with suppliers and contractors so you don't end up with egg on your face."

A year or two back, Bailey says there would have been a sixth big mistake - boards and chief executives passing off cybersecurity as an IT issue: "Thankfully, we are now seeing top table recognition this is a problem that could affect an entire business."

When selecting a cybersecurity advisor, Bailey says companies should look for credentials and track records; the boom in cyber attacks has created fertile ground for the birth of many small and largely untried cybersecurity companies.

Cyber Security by Kordia brings together a wide range of industry-leading security services and solutions, providing New Zealand's most comprehensive security suite. A key element of this is delivered by specialist cybersecurity consultancy, Aura Information Security. Kordia and Aura say companies can protect themselves by getting advice from seasoned specialists, installing a series of measures against hackers and breaches, educating staff and, their speciality, 24/7 monitoring and analysis of clients' operations.