How to assess the cyber security of your business #ConnectSmart

Operating a small business is hard work. You pour blood, sweat and tears into making it a success so surely you want to do everything to protect it?

With the average computer security incident reported to NetSafe in 2014 costing $10,700, taking care of your hardware, software and information security is a must for every small business owner or manager.

$8m was reported lost to NetSafe in 2014 from a range of digital challenges – 520 out of the 8121 reports involved a variety of computer security threats

Solo or micro Kiwi companies with fewer than 5 staff make up a large part of the New Zealand economy, and as the owner or operator of a small company you can often find yourself wearing many hats on a daily basis, covering sales, marketing, accounts, customer service and actually delivering the product or service that keeps the business going.

Ensuring the security of your business assets is also a very important part of keeping your company operating, whether it be the vehicles you use to deliver goods, the property you operate from, the customer database you work with and the IT systems you use to communicate with suppliers.

With IT playing a central role in so many companies these days, it’s essential that you undertake a cyber security assessment to keep track of your important information assets and protect them.

What is information or cyber security?

The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability

When we think about information and information systems we’re covering people, processes and technology.

This can include email, invoices, payroll, employee and client data, intellectual property and the computer systems that staff use to collect, store, process and deliver information.

Using the Connect Smart SME Toolkit can help you uncover precisely what business information and systems could be a target for cyber criminals. And assessing your cyber security risks can help identify what are the critical financial and information assets in your own business that need to be protected.

Conducting a simple risk assessment

By not protecting your small business information and systems you risk:

  • Decreased productivity
  • Legal liability
  • Loss of confidence
  • Loss of reputation
  • Loss of business

An assessment or audit of your business can identify:

  • Threats
  • Vulnerabilities
  • Risks

Here’s how these interact:

A THREAT acting on a VULNERABILITY produces a RISK and probable bad consequences

A simple, real world example for a small NZ business would be:

Threat: Spam email with malicious attachment delivering ransomware

Vulnerability: Employees not trained to identify or delete spam emails

Risk: Network is compromised and hardware infected

Consequences -> Business data encrypted, records lost

Conducting a risk assessment can highlight these kinds of weaknesses in your business.

Ideally, for the example above, you’d have several protective measures in place to tackle the malicious email risk: anti-virus software that updates automatically on every computer, and a data backup regime that keeps regular, incremental copies of essential business data somewhere the infection cannot reach, so they can be restored easily after an incident.

Taking the time to review your company’s critical information and systems can help kick start the process of protecting it.

Step One

12 Questions that can help identify risks

Step one of the Connect Smart toolkit poses the following questions:

  1. Do you have an overall security policy?
  2. Do you and / or your employees access business emails on mobile devices (including phones and tablets)?
  3. Do you train your staff about using mobile, the internet and email securely?
  4. Do you back up your critical business data regularly?
  5. Do you have a firewall installed on the computer(s)/servers used for your business?
  6. Do you use security software (such as anti-virus and anti spyware) and up-to-date operating software?
  7. Do you connect any of the computers or mobile devices in your business to the internet using a wireless network?
  8. Do you know how to prevent data theft?
  9. Do you know how to reduce and manage spam?
  10. Do you store business critical information on mobile devices?
  11. Do you educate your staff not to give out confidential information that could compromise your company’s cyber security, either over the phone or online?
  12. Do you delete or disable your staff’s IT accounts when they leave the company?

Answering these questions gives you the ability to score your business on how prepared you are to face the kinds of cyber security threats that NZ SMEs are experiencing every day.

Spot some gaps? Then it’s a good opportunity to address these risks and talk with your own IT staff or your IT contractors on what to do next. Perhaps you need to upgrade those old Windows XP computers? Maybe staff all use one shared password to login? Or you may suddenly realise that the information you need every day to keep your company going has never been backed up and one virus infection could put you out of business for good.

Keep it simple

Drawing up an information asset register is one simple step to help you record exactly what information your business uses and relies on to keep bringing cash through the door.

We’ve listed some other useful guides below that may assist you:

Richard Kissel from the US National Institute of Standards and Technology (NIST) Computer Security Division offers some great exercise templates for identifying and prioritising information types, and ways to estimate the costs involved should bad things happen to your business data.

  • Cloud computing guidance for NZ

The Office of the Privacy Commissioner has several useful guides for SMEs around moving IT and information to the cloud, good data practices and dealing with security breaches:

Using the Cloud

Cloud Computing Checklist for Small Business

Data Safety Toolkit

What can Samsung’s ‘Safety Truck’ teach internet users?

There’s been a lot of coverage this week of Samsung’s efforts to keep Argentinian road users safe when overtaking:

head-on collisions caused by people trying to overtake slow-moving vehicles are one of the biggest causes of road deaths.

The Korean manufacturer has come up with a simple tech solution to an age old problem – looking before you leap – and created a way for drivers to see ‘through’ a lumbering lorry with a front facing video camera displaying the road ahead on screens fitted to the back of their large delivery trucks.

Drivers no longer have to risk a blind overtaking manoeuvre, swinging out into traffic to check the road ahead before hitting the gas to pass the truck that’s slowing their journey.

An age old proverb is just as relevant today

Looking before you leap taken literally means it’s wise to check the path ahead before making a decision that you may regret or before you take an action that you cannot go back on.

The proverb is believed to date from 1546 and was originally a warning about marrying the wrong partner:

In wedding and all things to looke ere ye leaped

Almost 500 years on, it’s still a useful part of any safety campaign and NetSafe regularly speaks with internet users who wished – with the benefit of hindsight – that they’d better researched an online offer or virus scanned an email attachment before finding themselves out of pocket or paying out for a computer clean-up.

Ways to look before you leap online

“Knowledge is power” is another old proverb worth remembering. When it comes to internet scams and frauds and computer security best practice, there are several ways to look before you leap into disaster:

1. Spend 5 minutes Googling

Seen a bargain offer online? Received a promising email about a work from home job? Thinking of sending your savings to an offshore broker? Do your due diligence before parting with cash or personal information.

It’s highly likely that another internet user has already fallen victim to the website you’ve spotted selling bargain electronics or offering a rate of return that’s too good to be true.

The internet lets scam victims and people with a grievance publish their own horror stories from anywhere in the world, and a quick Google search for the site’s URL or the company name followed by the word ‘scam’ can often uncover stories that save you from a nasty mistake.

PLUS:

-> Looking to invest? Check the FMA’s lists of alerts, warnings and firms to be wary of.

-> Think it’s a scam? Check Consumer Affairs’ Scam Alerts for the latest advisories

2. Check if a website is dodgy

A company may claim to have been in business for 20 years but has it really? A quick ‘whois’ search of the website address can often highlight some oddities worth thinking about.

The whois record shows information about the domain name’s owner, their place of business and when the website name was established.

Scammers often register new website names just days before starting up a new scam, so look at the ‘Creation Date’ on file to see whether the company has really been trading for as long as it claims on its website.

If the ‘Registrant’ details are hidden behind a domain privacy service operated out of Arizona or Panama, treat that as a red flag worth weighing alongside the creation date: an established company selling to the public has few reasons to hide where it is really based or who owns it. Privacy services are also used by plenty of legitimate small sites, though, so a hidden registrant on its own is a reason to dig further, not proof of a scam.
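Here is the same whois sanity check done mechanically, as an added example that is not part of the original NetSafe post. The whois text, the domain name and the list of privacy-service markers are all constructed for illustration; real registrar output varies in layout, so the parser is deliberately tolerant and takes the first value it sees for each field.

```python
"""Added example: check a whois record against a website's claim of how long
the business has been trading. Sample data below is constructed."""
from datetime import date, datetime
import re

# Constructed sample: a site claiming "20 years in business" whose domain was
# registered a few days earlier and sits behind a privacy service.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-BARGAIN-ELECTRONICS.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Creation Date: 2015-06-01T09:12:44Z
Updated Date: 2015-06-01T09:12:45Z
Registrar Registration Expiration Date: 2016-06-01T09:12:44Z
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Country: PA
"""
SAMPLE_TODAY = date(2015, 6, 4)  # fixed "today" so the check is reproducible

# Strings that commonly appear when a proxy/privacy service stands in for the
# real registrant. Assumption: illustrative list, not exhaustive.
PRIVACY_MARKERS = ("whoisguard", "privacy", "proxy", "protected", "redacted",
                   "domains by proxy", "identity shield")


def parse_whois(text: str) -> dict:
    """Return the first value seen for each 'Key: value' line (lower-cased keys)."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key and value and key not in record:
            record[key] = value
    return record


def parse_date(value: str):
    """Accept the ISO-8601 forms registrars commonly emit, e.g. 2015-06-01T09:12:44Z."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            pass
    # Fall back to a leading YYYY-MM-DD if the string carries extra suffixes.
    m = re.match(r"(\d{4}-\d{2}-\d{2})", value)
    return date.fromisoformat(m.group(1)) if m else None


def assess_whois(text: str, claimed_years: int, today: date) -> list:
    """Return a list of human-readable red flags for the record.

    claimed_years: how long the website says the company has been trading.
    """
    rec = parse_whois(text)
    flags = []

    created = parse_date(rec.get("creation date", ""))
    if created is None:
        flags.append("no creation date found; treat as unverified")
    else:
        age_days = (today - created).days
        if age_days < 30:
            flags.append(f"domain registered only {age_days} days ago")
        if age_days < claimed_years * 365:
            flags.append(f"domain age ({age_days // 365} years) is less than the "
                         f"claimed {claimed_years} years in business")

    registrant = " ".join(rec.get(k, "") for k in
                          ("registrant name", "registrant organization")).lower()
    if any(marker in registrant for marker in PRIVACY_MARKERS):
        flags.append("registrant hidden behind a privacy/proxy service")
    return flags


if __name__ == "__main__":
    for flag in assess_whois(SAMPLE_WHOIS, claimed_years=20, today=SAMPLE_TODAY):
        print("RED FLAG:", flag)
```

To use it on a real site, paste the output of your whois lookup into the text argument and pass the number of years the site claims; each flag is a prompt to look further, not a verdict on its own.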

PLUS:

-> Worried the URL might infect your computer? Use the website urlquery.net to scan a website before you go there on your own computer and risk a drive-by download. Bear in mind that a clean result only reflects what the site served when the scanner fetched it, so it is a useful check rather than a guarantee.

The site returns intrusion detection system alerts and popular blacklisting records to provide a visual warning even if you’re not familiar with the technical specifics as this example shows below with red and yellow warning flags:

urlquery.net warnings

3. Check with NetSafe

NetSafe staff handle 500-600 enquiries each month from people across New Zealand who are concerned about an array of ‘digital challenges’ that includes the safety of young people, online scams and cyber security threats.

Our experienced staff can help with anything from identifying scam operators to assisting with ransomware infections and website defacements. We can also connect you to a network of partner organisations that specialise in online issues involving child exploitation, objectionable content and extortion.

Want to look before you leap online? Contact NetSafe for advice.

The top 3 cyber security threats for NZ small businesses: #ConnectSmart

Three days after I stepped off a plane in January 2009 I bought my first car to explore New Zealand – a sporty, silver Subaru Legacy. Three months later the car was stolen and I discovered to my surprise that I’d unwittingly bought one of the most frequently stolen cars in NZ.

What I’d been lacking when choosing which vehicle to buy was data – not the kind of stats you find on Top Trumps cards such as top speed, fuel efficiency or braking distance, but information on car crime and vehicle security. Just how hard was it to steal a Subaru Legacy, and how many were taken each month around the country?

Understanding your information security risks

In my case, had I known that Subarus were the car thief’s favourite target, I might have changed my buying behaviour and picked another model – one with better locks and a little less attractive to the bad guys. Simple risk avoidance or mitigation in action.

There’s no doubt that data can help shape the way we act – just look at the increasing popularity of wearable fitness devices that record our step count, calorie burning efforts and heart rate to guide us to better lifestyles.

In New Zealand, there are several good sources of cyber incident data. There are plenty of global studies too but identifying ‘local’ issues for a small country like NZ can also shine a spotlight on the peculiarities of a country with a total population smaller than many international cities and with a workforce that is concentrated in far smaller organisations.

1. The New Zealand Computer Crime and Security Surveys

These surveys are limited to New Zealand organisations employing an IT Manager and were run in 2005, 2006, 2007 and 2010.

As a smaller yet distinct economy physically and regulatorily distant from its western neighbour, New Zealand might be considered to require separate study to investigate how far similarities extend in the domain of computer crime and security.

2. PwC’s Global Economic Crime Survey

PwC is a huge organisation that spans the globe and helps larger businesses tackle business issues including fraud and economic crime. Their regular report provides a snapshot of NZ companies under the strap line “what you don’t know can hurt you.”

The 2014 report (PDF) states that cybercrime often goes unreported and  that “respondents expect cybercrime to be double from current reported levels to 22%, over the next two years.”

3. The New Zealand National Cyber Security Centre (NCSC) Incident Report Summary

NCSC focuses on “the protection of core government networks, the systems that support our critical national infrastructure, and engagement with industry and business to protect our intellectual property and economic assets.” They publish a report annually.

In 2013, the number of incidents recorded by NCSC increased by more than 60% and their data covers a whole host of threats:

http://www.ncsc.govt.nz/assets/NCSC-Documents/NCSC-incident-statistics-for-year-to-December-2013-final.pdf

4. NetSafe’s ‘Digital Challenge’ data

NetSafe has recorded information on cyber safety, security and crime issues since August 2010 and publishes anonymised incident data to help people understand the NZ threat landscape.

The number of reports has steadily risen over the years when you review data from 2011, 2012 and 2013. In 2014, NetSafe published data for the full calendar year, recording 8121 reports and $8m of associated losses (PDF) caused by online scams and fraud and computer security incidents.

Identifying the Top 3 Threats for SMEs

Running a ruler over the 2014 data, we can highlight 3 key issues that NZ small businesses need to be aware of:

  • Ransomware
  • Intercepted emails
  • Hacked websites

> Ransomware

Ransomware has emerged over the last two years as the most problematic form of malware – or malicious software – to target owners of internet capable devices.

File-encrypting ransomware like Cryptolocker or CryptoWall can infect your computers and scramble data stored on your machine, along with anything on network shares or backup drives the infected machine can reach. A backup that stays permanently connected is within that reach, so keep at least one copy offline or otherwise out of the infected machine’s hands.

Owners of Android smartphones and tablets are now also being targeted with viruses through social media links or websites that encourage you to install a ‘video player’ app to watch content.

How to tackle it?

Installing, updating and using anti-virus software is one simple step. So too is making regular, routine backups, stored where an infection cannot overwrite them, in case your computer cannot be cleaned and you need to undertake a system restore or rebuild to recover encrypted files.

Updating software and systems to ensure they are fully patched against known vulnerabilities is also key. Finally, train staff to recognise spam and phishing emails with malicious attachments, and make sure they know who to report their concerns to.

> Intercepted emails

Email as a mechanism is inherently insecure, and while many companies now do a large chunk of their business via email, it’s very easy for systems to be compromised, logins phished or stolen and access gained to email accounts.

For small NZ firms trading with companies offshore, trust in your suppliers is key, and we’ve taken many reports of overseas suppliers whose email systems were hacked and then used to send out invoices carrying new bank account details for payment of goods.

How to tackle it?

Train staff to check all email correspondence carefully, especially the sending address, and to question any change of bank details by calling the supplier on a trusted phone number you already hold, never the number listed on the suspicious invoice.

The two-person rule is another control mechanism to consider: have two staff independently check payment details before invoices are paid, and require that second sign-off whenever a supplier’s bank account changes.
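The checks above can be applied mechanically before an invoice reaches the person who pays it. The following is an added example, not code from the original post: the supplier register, the supplier domain, the email headers and the bank account numbers are all constructed for illustration, and the look-alike folding only covers a handful of common character substitutions.

```python
"""Added example: flag an emailed invoice whose sender or bank details do not
match what accounts payable already knows about the supplier. All data is
constructed."""
import re
from email import message_from_string

# Constructed supplier register: what you already hold on file.
SUPPLIERS = {
    "acme-widgets.example": {
        "name": "Acme Widgets Ltd",
        "bank_account": "12-3456-0789012-00",
        "phone_on_file": "+64 9 555 0100",
    },
}

# Constructed invoice email: look-alike domain (digit 1 for the letter i),
# a Reply-To on a webmail service, and a "changed" bank account in the body.
SAMPLE_EMAIL = """\
From: Acme Widgets Accounts <accounts@acme-w1dgets.example>
Reply-To: acme.accounts.nz@webmail.example
To: payments@kiwi-smallbiz.example
Subject: Invoice 4471 - updated payment details

Hi, please note our bank account has changed. Pay invoice 4471 to
Account: 06-0999-0123456-01
Thanks, Acme Accounts
"""

BANK_ACCOUNT_RE = re.compile(r"\b\d{2}-\d{4}-\d{7}-\d{2,3}\b")  # NZ account layout

# Fold look-alike characters so both sides of a comparison land on one form.
_FOLD = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "3": "e"})


def confusable_fold(domain: str) -> str:
    """acme-w1dgets and acme-widgets fold to the same string."""
    return domain.lower().replace("rn", "m").translate(_FOLD)


def address_domain(header_value) -> str:
    """Pull the domain out of 'Display Name <user@domain>' or bare 'user@domain'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def check_invoice_email(raw: str, suppliers: dict) -> dict:
    """Return {'supplier': name or None, 'flags': [...], 'hold_payment': bool}."""
    msg = message_from_string(raw)
    flags = []
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))

    # 1. Which supplier is this claiming to be? Exact domain first, then look-alike.
    supplier_domain = None
    if from_domain in suppliers:
        supplier_domain = from_domain
    else:
        for known in suppliers:
            if confusable_fold(known) == confusable_fold(from_domain):
                supplier_domain = known
                flags.append(f"sender domain {from_domain} is a look-alike of {known}")
    if supplier_domain is None:
        return {"supplier": None, "flags": ["sender is not a known supplier"],
                "hold_payment": True}
    supplier = suppliers[supplier_domain]

    # 2. A Reply-To on another domain sends your questions to the attacker.
    if reply_domain and reply_domain != supplier_domain:
        flags.append(f"replies would go to {reply_domain}, not {supplier_domain}")

    # 3. Any bank account quoted must match the one on file; otherwise hold the
    #    payment until someone confirms it on the phone number already on file.
    accounts = set(BANK_ACCOUNT_RE.findall(msg.get_payload()))
    if accounts and supplier["bank_account"] not in accounts:
        flags.append("bank account differs from the one on file; confirm by calling "
                     f"{supplier['phone_on_file']} before paying")

    return {"supplier": supplier["name"], "flags": flags, "hold_payment": bool(flags)}


if __name__ == "__main__":
    result = check_invoice_email(SAMPLE_EMAIL, SUPPLIERS)
    print("Supplier:", result["supplier"], "| hold payment:", result["hold_payment"])
    for f in result["flags"]:
        print(" -", f)
```

The point of keeping the phone number in the register rather than taking it from the email is the same as in the advice above: everything inside a suspicious message, including the contact details, may have been written by the attacker.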

> Hacked websites

An example of a website defacement

A business website can act as your company’s global ‘brochure’ or take orders 24/7 whilst you sleep.

Websites are a popular target for all kinds of reasons. Automated attacks scan for sites running software with known vulnerabilities (attackers often find candidate sites using crafted search-engine queries, commonly called Google Dorks), with simple defacements harming your business reputation, or more complex attacks serving up malware to visitors or running bulk spam campaigns from your hosting platform.

How to tackle it?

Patch and keep up to date any Content Management System or E-commerce platform the website runs on. Talk with your website developers and hosting companies about security standards and ways to monitor and defeat attacks on your website.

Build security into every stage of your online development process by reviewing the OWASP Top 10. If you’re taking and storing financial or personal information online consider consulting a security company about penetration testing options too.
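The automated scanning described above leaves a very recognisable trail in your web server’s access log, and looking for it is one concrete way to “monitor attacks on your website” before asking your host to block the source. The following is an added example, not code from the original post: the log lines are constructed in the common Apache/nginx “combined” format, and the list of probe paths is an illustrative assumption (paths scanners request when hunting for unpatched CMS installs and exposed admin or config files), not a complete signature set.

```python
"""Added example: summarise per-IP behaviour in a web access log to spot
automated vulnerability probing and login brute-forcing. Log lines are
constructed samples."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
203.0.113.9 - - [12/Jun/2015:03:14:01 +1200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Jun/2015:03:14:05 +1200] "GET /wp-login.php HTTP/1.1" 404 312 "-" "python-requests/2.7"
198.51.100.77 - - [12/Jun/2015:03:14:05 +1200] "GET /xmlrpc.php HTTP/1.1" 404 312 "-" "python-requests/2.7"
198.51.100.77 - - [12/Jun/2015:03:14:06 +1200] "GET /phpmyadmin/ HTTP/1.1" 404 312 "-" "python-requests/2.7"
198.51.100.77 - - [12/Jun/2015:03:14:06 +1200] "GET /.env HTTP/1.1" 404 312 "-" "python-requests/2.7"
198.51.100.77 - - [12/Jun/2015:03:14:07 +1200] "GET /wp-config.php.bak HTTP/1.1" 404 312 "-" "python-requests/2.7"
203.0.113.9 - - [12/Jun/2015:03:15:40 +1200] "GET /products HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
192.0.2.45 - - [12/Jun/2015:03:16:02 +1200] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
192.0.2.45 - - [12/Jun/2015:03:16:03 +1200] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
192.0.2.45 - - [12/Jun/2015:03:16:04 +1200] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
192.0.2.45 - - [12/Jun/2015:03:16:05 +1200] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Paths real visitors almost never request but scanners try by the thousand
# (assumption: illustrative list only).
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/phpmyadmin", "/.env",
               "/wp-config.php", "/administrator/", "/.git/", "/backup")


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, probe_threshold=3, login_post_threshold=3):
    """Return {ip: summary} for source addresses whose behaviour looks automated."""
    per_ip = defaultdict(lambda: {"requests": 0, "probes": 0, "not_found": 0,
                                  "login_posts": 0, "reasons": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # malformed line: skip rather than crash on a busy log
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        path = rec["path"].lower()
        if rec["status"] == "404":
            s["not_found"] += 1
        if any(path.startswith(p) for p in PROBE_PATHS):
            s["probes"] += 1
        if rec["method"] == "POST" and path.startswith("/wp-login.php"):
            s["login_posts"] += 1

    suspicious = {}
    for ip, s in per_ip.items():
        if s["probes"] >= probe_threshold:
            s["reasons"].append(f"{s['probes']} requests for known probe paths")
        if s["login_posts"] >= login_post_threshold:
            s["reasons"].append(f"{s['login_posts']} login POSTs (brute force)")
        if s["requests"] >= 4 and s["not_found"] / s["requests"] > 0.75:
            s["reasons"].append("mostly 404s: guessing paths that do not exist")
        if s["reasons"]:
            suspicious[ip] = s
    return suspicious


if __name__ == "__main__":
    for ip, s in analyse(SAMPLE_LOG).items():
        print(ip, "-", "; ".join(s["reasons"]))
```

Run it over a day’s log from your host (most control panels let you download the raw access log) and the output is a short list of addresses and reasons you can hand to your developer or hosting company; the thresholds are deliberately parameters, because a busy e-commerce site will want them higher than a brochure site.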

How to protect yourself online

The concept of risk management is not new and there’s no doubt that every Kiwi business should assess and measure possible risks – including those identified above – and take steps to assign what resources they can afford to address those they find within their company.

In a follow up blog we’ll look at using the Connect Smart Toolkit to do just this, identifying priority information assets and systems and developing policies and processes to help deal with incidents. Plus how best to constantly review the security of your company and stay tuned to emerging issues.

Stay up to date with NetSafe news on other emerging small business risks including employment scams, spear phishing, insider threats and more.

Cyber security for small New Zealand businesses: #ConnectSmart

Communications Minister Amy Adams launched Connect Smart Week today with this year’s campaign focusing very much on educating small business owners about simple steps to improve their cyber security.

The Minister suggested “If we could get all SMEs online it could add up to $34 billion in productivity gains to New Zealand.”

Small businesses are very much the lifeblood of our economy and – according to data from MBIE (PDF) – make up an essential part of the country’s engine for growth:

Some 97 per cent of enterprises in New Zealand are small businesses. These 459,300 enterprises include those with no employees, micro (1-5 employees), and small (6-19 employees) enterprises. Small businesses make a significant contribution to the New Zealand labour market, with more than 584,000 people employed in enterprises with fewer than 20 people, making up 30 per cent of the workforce.

With half of NZ SMEs having no website, there are still plenty of opportunities for many small Kiwi businesses to embrace the opportunities that the online world can offer with the possibility of attracting new customers and increasing domestic and international sales revenues.

What are the risks for NZ businesses?

There’s an old saying “there’s no reward without risk” and this certainly applies to many areas of owning and operating your own business: a period of poor health can see customers calling competitors; bad debtors can ruin your cash flow and even the weather can cause scheduling chaos.
2014 Digital Challenges: 520 Computer security incidents in NZ with an average cost of $10,700
In 2014, New Zealanders made over 8000 reports to NetSafe about a wide array of digital challenges (PDF) covering the realms of cyber safety, security and crime – over 500 of these being classified as computer security incidents that involved phishing attacks, compromised email accounts and ransomware infections that encrypted essential business data.

Have you assessed your cyber security risk?

For a company with fewer than 20 employees, the prospect of providing mobile devices for all staff, moving business systems and processes to the cloud or establishing an ecommerce website can often seem daunting, especially in light of regular media coverage of hacking incidents and cybercrime. The defacement of NZ retailer I Love Ugly’s website is just the latest example to make headlines.

Being aware of the most common risks that small businesses face helps owners and managers prepare appropriately. Managing your computer security risks should be just as important as deterring shoplifters from ransacking your retail store or protecting your staff from workplace injuries.

Connect Smart’s Small Business Toolkit is designed to help business owners review their cyber security practices, working with a WOF style checklist that has 4 simple steps:

Cyber Security Warrant of Fitness – Four steps to better online security:

  1. Assess the cyber security of your business
  2. Develop a cyber-security policy for your business
  3. Establish an incident management plan
  4. Regularly review and update your network security systems

NetSafe worked with the North Harbour Business Association last year to put the toolkit into practice and work through the WOF process with a group of business owners.

In a series of blog posts to come, I’ll detail ways that you can use the toolkit and other online resources to improve your company’s security posture. And we’ll look at the six most common threats affecting NZ SMEs and how you can protect your business online.

With the average NZ computer security incident reported to NetSafe in 2014 costing $10,700, Connect Smart Week is a great opportunity to take stock of your business’s approach to cyber threats.

Gameplay.net – internet scam and a case of mistaken identity?

Recently downloaded a ‘free’ game or app? Entered your card details to activate a ‘trial’ service? Are you now seeing strange charges on your credit card or bank account with the reference ‘WWW.GAMEPLAY.NET’?

Then you’re sadly not alone!

NetSafe has been receiving reports of strange transaction charges from internet users around the world since the start of this year, all connected to the WWW.GAMEPLAY.NET merchant account details.

We’ve taken gameplay.net scam reports from people from as far afield as Australia, Denmark, Sweden, the UK and France about credit card charges of up to $60 a month all with odd bank charges connected to a website that seems to have disappeared.

A quick check of the website whois record reveals it was registered all the way back on 1 November 1996, almost 20 years ago, but now lives behind a shady hidden registration service in San Francisco that masks the true identity of the gameplay.net owners.

UNAUTHORISED CREDIT CARD CHARGES:

15 Feb, ref 86817195 WWW.GAMEPLAY.NET T 18777173330GBR £11.95

05 Mar 99456579 WWW.GAMEPLAY.NET T18777173330GBR £11.95

These examples above are just two of the charges reported by a British internet user who found MasterCard transactions linked to gameplay.net and with no clear understanding of what they’d signed up for. If you’re seeing similar charges on your accounts please leave a comment below.

NetSafe is working with an unfortunate New Zealand based firm with a similar sounding name but absolutely no connection to this internet scam operation. Gameplay NZ has been flooded by reports of free accounts being set up by people around the world who then see strange charges on their accounts. We even issued a media release warning of the danger of using a credit card to activate a free app trial. NOTE: This genuine company sells gaming machines and has nothing to do with the charges on your account.

If you’re seeing WWW.GAMEPLAY.NET T 18777173330GBR on your UK accounts or other variations of this charge elsewhere in the world, leave us a comment below.

We intend to aggregate reports of this free app scam charge and pass the information on to merchant providers Visa and Mastercard to get this operation stopped. Leave your name, country and details of the amount you have been charged and the transaction name below. Funkplay seems to be another name connected to this operation.

What we know so far:

  • Users sign up for a free online service or app that requires a credit card to activate the trial. This may be for a game or ebook unlocker. Others have reported charges after signing up for a free movie streaming service.
  • In France, gameplay.net is charging 38,50€
  • In Denmark, people affected are being charged USD 53.95
  • In New Zealand, people have been charged $49.66 a month for a so called FREE service
  • In the UK the amount is £11.95 monthly

What you need to do now:

  1. If your credit card has been charged after installing a free app, speak with your bank about a chargeback.
  2. If your bank will not refund the charges on the basis that you agreed to the terms and conditions, we advise you close the account ASAP to stop further charges being made.
  3. You can also review and query transactions made on your account in the Google Play and Apple iTunes stores.
  4. Leave us a comment on this post with information about the charges so we can pass this information on to Visa and Mastercard.
  5. Do not contact the New Zealand company Gameplay, they are not scamming you!

We will read every comment left below so please let us know how you ended up with gameplay.net charges on your credit card account.

Advice and guidance for dealing with digital challenges