
Kiwis lost at least $730k to cybercrime in June quarter: Cert

The government's new Computer Emergency Response Team delivers its first quarterly report.

Thu, 10 Aug 2017

Things are pretty quiet on the cyber-crime front, according to the first quarterly report from the government’s new Computer Emergency Response Team (or CERT), headed by former deputy police commissioner Rob Pope.

Mr Pope concedes the update, which records that CERT responded to 364 reports of cyber incidents, is probably not very indicative of the landscape.

Quite simply, most Kiwis are yet to learn that CERT exists. It was set up with $22 million to cover its first four years and, once fully staffed, will have a complement of 20, plus access to a call centre operation.

Its aim is to be part triage provider and part co-ordinator. When you or your company are hit by a cyber-threat, Cert (cert.govt.nz) won’t offer you hands-on assistance but it will give you a backgrounder on the threat you’re facing, and point you to the right government agency, such as the police, or to Netsafe or an IT provider.

Unlike similar outfits overseas, which tend to be focused on large organisations, Cert is specifically aimed at small businesses too.

Mr Pope says it had a deliberately low-profile launch but will start to raise awareness over the coming months, starting with its first report.

Of those 364 incidents reported during Cert’s first three months, 70 were cybercrime and were referred to police.

Eight involved cyberbullying and were referred to Netsafe, the government-approved agency under the Harmful Digital Communications Act (the agency that will lobby Facebook, Twitter or another social media network on your behalf).

There were reports of $730,000 in losses to cybercrime.

Mr Pope says ransomware and phishing attacks (fake emails) were the main sources of financial loss.

The figure probably underplays losses considerably. Beyond Cert being so new that many would not know to contact it, many organisations don’t report cyber-breaches for fear of bad publicity.

Would Cert like to see mandatory reporting, as proposed by Privacy Commissioner John Edwards (and likely to form a much-delayed legislative update)?

Mr Pope says that would be useful for Cert and other agencies but he says he won’t be wading into such policy debates directly.

Likewise, although Cert offers the standard security advice to keep all versions of software as up-to-date as possible – not just security software – he is wary of wading into the controversy of some servers in Parliament, and some desktop computers with the Police, running the creaky Windows XP, for which Microsoft no longer offers security updates.

The Cert boss says that’s a matter for the government’s chief information officer (Colin MacDonald, who sits within Internal Affairs).

He is happy to offer day-to-day advice, however.

Cert’s desired soft-launch was upset somewhat by the onslaught of the WannaCry ransomware attack.

Lawyer Michael Wigley told NBR readers they should consider paying up if their data were held to ransom. He noted data was often returned when a ransom was paid, that the ransom (usually around $US500) was so small it was worth a shot, and that in the real world, businesses just needed to get on with things.

Mr Pope shudders at this advice. He says: Never pay up. There is almost no chance businesses will see their money back, and it encourages more offending.

He adds that, happily, it wasn’t an issue for New Zealand and WannaCry. In the final analysis, Cert only received six reports of WannaCry attacks, and none could be verified.

But, like others, he sees attacks escalating over the coming months and years.

And the Cert boss and the renegade Mr Wigley are able to agree on one thing: The best approach is to assume that you will be hit at some point, and to make sure you have working backups in place.

All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.
