More than half (55%) of New Zealand businesses have fallen victim to ransomware attacks in the last year, according to new research.
The independent research from Aura Information Security found that, of the businesses that were successfully attacked, 67% were able to resolve the breach before any significant damage was done. But 33% say the attacks caused serious disruption to their businesses.
Kordia Group chief information security officer, Hilary Walton, says this highlights why businesses should ensure they can recover quickly in the event of an attack.
"Ransomware is a matter of when, not if, for New Zealand businesses. While it's not a new threat, cybercriminals have perfected how they target and breach their victim's networks," she says.
"All businesses should be prepared not just to defend themselves, but also to deal effectively with a ransomware attack. Having a robust incident response plan and safely backed up data is critical for ensuring a swift recovery."
She says whether your business chooses to pay a ransom or not, these types of attacks have the potential to be very costly. When they factor in the loss of productivity, revenue and reputation damage, companies quickly see how an attack can impact their bottom line.
"It can take weeks to get back up and running after an attack, and no business can afford to have their systems down for that length of time."
The New Zealand Privacy Commissioner doesn't recommend paying ransoms, although 64% of New Zealand businesses would be willing to pay to regain access to their data. Nearly one in 10 (8%) say they would pay more than $100,000.
The Australian Government released a Ransomware Action Plan earlier this month, introducing specific mandatory ransomware incident reporting to the Australian Government.
"New Zealand cyber legislation often reflects that in Australia, due to similarities between our two markets, so a similar initiative could be on the horizon for our country," says Walton.
"Whether or not New Zealand decides to introduce mandatory reporting to the Government specifically for ransomware incidents, it's certainly a reminder that all businesses should have a process in place to quantify the impact of an attack - as well as ensuring there is an adequate response plan in place to mitigate damage."
Working from home amplifies risk
The researchers say remote working appears to be the new weak link. More than three quarters (78%) of respondents say ransomware attacks happened through a remote connection or while an employee was working from home.
"While this is concerning considering New Zealand's largest city has been in lockdown for the latter part of the year, the focus on security issues around remote working needs to stretch beyond just lockdowns," says Walton.
Many businesses have, or will be, implementing permanent remote working policies. Nearly half (43%) of Kiwi businesses have at least 60% of staff working from home at least one day a week.
Walton says it's great to see technical layers such as MFA and Zero Trust being implemented, but businesses also need to extend their focus beyond just the technical controls. She says the human factor is such a prominent risk for cyber-attacks – hackers know this and will continue to exploit the people in your business with more sophisticated phishing techniques.
High profile attacks a wakeup call for NZ businesses
2021 has seen high profile cyber-attacks in New Zealand, including the NZX and the Waikato DHB, and Walton says New Zealand is no longer viewed as a safe haven.
Just under half of IT decision-makers say their businesses take cybersecurity more seriously as a result of these local attacks. Forty-one percent had more discussion around cybersecurity within their organisation, while 37% expanded their cybersecurity team or agency. Only 15% say the attacks had no impact on how they view cybersecurity.
"IT decision-makers realise we aren't safely hidden away at the bottom of the world, with 85% now considering New Zealand, equally or more at risk as the rest of the world when it comes to cyber-attacks, up from just 67% in 2018," says Walton.
Cybercrime is a global phenomenon, and geographical distance is irrelevant when business is conducted digitally. However, many Kiwi companies are rising to the growing challenge. More than half of companies have increased their cybersecurity/IT budget in the last 12 months, primarily due to high-profile attacks and COVID-19.
As a result, 70% of IT managers now rate their business' ability to defend against cyber-attacks as mature or very mature. Sixty-eight percent (compared to 61% in 2020) say they have policies or training in place to prevent cyber breaches, and nearly half (46%) run crisis simulation exercises to assess their ability to respond to a cyber-attack.