COVID-19 has presented cybercriminals with more opportunity than has ever been on offer before. As New Zealand businesses once again stretch and redeploy IT resource to support mass remote working, we are continuing to see an unprecedented number of cyberattacks.
While very few of these attacks are ever made public, the cost to New Zealand business is significant. Below we describe what cybercriminals currently have on their agenda and what to do should your organisation become subject to an attack.
What are we seeing in the market?
We've seen multiple incidents of cybercriminals exploiting remote-access technology to successfully launch ransomware attacks, with stolen data often later turning up on the dark web. We've also seen workplace COVID-19 comms leveraged to facilitate successful phishing assaults and poorly secured portable devices facilitating unauthorised access to systems.
This activity is widespread, with Fortinet's recently released Global Threat Landscape Report confirming the "first six months of 2020 witnessed an unprecedented cyber threat landscape."1
In particular, the report notes that attackers have been capitalising on poorly protected home networks, consumer devices, VPN connections and video communication and collaboration tools.
In fact, NordVPN's latest Cyber Risk Index has named New Zealand amongst the top ten most vulnerable counties susceptible to cybercrime globally.2
However, despite the increased threat level, the recently released 2020 Unisys Security Index found that only 22% of Kiwis were concerned about the risk of a security breach while working remotely.3
With the widespread presence of COVID-19 and the IT challenges associated with it, cyber hygiene and attack prevention has become more important than ever before. Key focus areas include:
- securing collaboration platforms, networks and portable devices;
- proactively monitoring security practices of suppliers;
- investing in security tools; and
- ensuring that employees are well educated about cyber risk.
What do you need to remember when first responding to an attack?
Each attack is different and each response is bespoke, but impacted organisations all inevitably find themselves trying to swiftly identify the source of the breach and contain it, while at the same time, working to get impacted systems back online, compromised data restored and the perimeter secured – all the while keeping stakeholders appraised.
While juggling all of that, it is important to also remember to notify your insurers as early as possible and keep them informed of your response activities to ensure that those actions do not later prejudice any potential insurance claim.
Where an IT supplier is in the picture, it is also important to revisit the terms of your contract early on to ensure that your response activities are consistent with its terms and enable you to fully realise any rights of recourse that you may have negotiated into the contract.
If personal information is impacted, the Privacy Commissioner should also be notified. This will become mandatory from 1 December for 'notifiable privacy breaches' under the Privacy Act 2020 and affected individuals will also need to be notified in most cases. The newly released Privacy Regulations 2020 set out the process for public notifications where required under the Act. For further information on the key reforms in the new Privacy Act 2020, please see here.
While there is no legal obligation on victims to report cybercrime, reporting an attack to CERT NZ helps to raise awareness and assist in identifying trends to facilitate preventative measures being taken to reduce cyber risk in New Zealand.
If you would like any advice regarding the issues discussed above, assistance in getting the right legal protections in place for your business before implementing new technology in your organisation, or responding to a cyberattack, please do not hesitate to contact us.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.