New Zealanders are not concerned about cyber attacks while working from home during the COVID-19 crisis, despite being well aware of the risks.
New research from Unisys in the 2020 Unisys Security Index showed that during the pandemic, only 22% of Kiwis were concerned about the risk of a security breach while working remotely, and 26% were concerned about the risk of being scammed.
This left both staff and their employers vulnerable to cyberattacks including scams, phishing and ransomware, Unisys says, and backs up concerns expressed by the New Zealand Police.
"Reporting suggests cybercriminals adapted quickly to exploit an increased pool of victims, capitalising on peoples COVID-19-related anxieties and taking advantage of the vulnerabilities brought about by teleworking. It is almost certain that cybercriminals will be quick to adapt during a global recession, targeting their victims by exploiting concerns regarding financial pressures and/or unemployment," the Police said.
In comparison, the research found that 55% of New Zealanders were concerned about the country's economic stability, 41% about their own financial security and 34% about their job security during the pandemic.
Meanwhile, New Zealanders concern for the underlying cybersecurity issues that facilitate fraud and cybercrime has decreased: 40% of New Zealanders are concerned about computer virus and hacking down from 48% in 2019, and 35% are concerned about online transactions down from 39% a year ago.
Police also noted a heightened risk of fraudulent activity in the post-COVID-19 environment:
"Economic hardship will almost certainly prompt organisations to reprioritise their resource and capability. If information technology and cybersecurity roles are negatively affected by such processes, it is possible businesses will be at a greater risk of becoming victims to cybercrime and cyberenabled crime," it said.
According to Unisys, the research suggests Kiwis were not taking responsibility for protecting their data when working from home.
New Zealanders concern about hacking and viruses has declined in the last year from 48% of the population seriously concerned about this in 2019, down to 40% in 2020.
"New Zealanders appear to be distracted by their higher concern of national infrastructure and family well-being during the pandemic," says Wellington-based Andrew Whelan, vice president, commercial and financial services sector lead, Unisys Asia Pacific.
"This is a critical issue for organisations that underwent a rapid transformation to move to work from home models as it appears employees likely assume that their employer is taking care of securing data and systems," he explains.
"Yet for many for organisations, the initial priority was to simply get people working remotely and their security measures have not yet caught up with the wider attack base this created.
"People remain one of the top points of vulnerability especially as attackers use high interest in COVID-19 to trick people into clicking on links or giving information which can launch ransomware and other malicious software. Employers need their people to remain vigilant."
Unisys says the ongoing risk is heightened by advice from Dr Ashley Bloomfield, the New Zealand Director-general of Health, that community transmission is a case of not if, but when, and that New Zealand should brace for a second wave that will push people and businesses to return to working from home.
Last year, more than 1.3 million Kiwis were affected by cybercrime and the top three incident categories were phishing, scams and unauthorised access reports, with a total value of NZ$16.7 million, according to CERT. Police expect online fraud to increase by 30 to 100 percent. CERT has yet to release data for the first two quarters of 2020, but a spokesperson confirmed that a new report, covering the first six months of the year, will be released shortly.
CERT notes that scammers and attackers are using the public interest in COVID-19 to create opportunistic online scams and attacks and identifies a range of threats including email scams (such as the WHO scam), phishing emails claiming to have updated COVID-19 information, Webcam extortion emails (ransomware), fake coronavirus maps, and text message scams.
Using a conservative downtime cost of US$10,000 a day, it is estimated that ransomware attacks have cost New Zealand organisations US$25.9m this year. New Zealand has seen an increase in scam emails related to the pandemic as confusion around rapidly changing office and home office setups opens a rich vein of confusion for exploitation.
"Organisations using cloud-based services had the greatest flexibility to move to work from home models quickly as location is irrelevant but for others it was a big change technologically and culturally. People are the weakest link in security," says Whelan.
"Shadow IT grows with every unauthorised app downloaded, even if well intentioned for remote collaboration - it might not be covered by the security rigour deployed across the rest of the organisation.
"Employers should ensure their people a) have secure direct access to applications, b) are trained to identify and avoid malicious scams and phishing attacks designed to exploit the fears and distractions created by the pandemic, and c) can quickly isolate devices or parts of the network to minimise the extent of a breach because breaches are inevitable."