With corporate data breaches making the news most weeks, cyber security skills are increasingly being seen as a hot commodity for workers in the IT sector and for business owners and managers too.
As New Zealanders rely more and more on digital technology and online services around the globe, understanding emerging cyber risks and best practices for improving information security at all levels of the New Zealand economy is essential.
The American National Initiative for Cybersecurity Education publishes a map showing US education options – we thought it would be handy to publish a Kiwi version and so the map below lists a range of tertiary level course options for increasing your knowledge of cyber/information security in New Zealand.
We plan on updating this map with further study options including short courses, executive level training and professional certifications from bodies like ISACA, ISC2 and SANS.
Yes, that’s a tiny percentage of online spending, but with the average sum lost standing at $801, bargain hunting can sometimes catch you out.
SUSPICIOUS SNEAKER SELLERS
A growing trend in 2015 is the non-delivery of bargain-priced footwear, often well-known brand running shoes purchased through .nz websites that present themselves as Kiwi businesses but are actually located in China or Russia.
Nike buyers have been hit particularly hard in recent months with ecommerce sites shipping fake goods or failing to deliver on the orders made. And the concern is that some of these sites are simply harvesting credit card accounts or personal data – including home addresses and emails – for future scams.
So what can bargain conscious Kiwis do to shop safely online?
Buy online using a credit card
Buying with a credit card gives shoppers better protection than a debit card – if a deal goes bad you can try to get a bank chargeback.
Do some due diligence before you press buy
First off, check how much of a bargain you’re being offered – compare the price of the item in an NZ store and see just how cheap the deal is. There’s a reason the old proverb “if it seems too good to be true, it probably is” still applies in the 21st century.
Still keen for that bargain? If you’re shopping on an online site that you haven’t used previously, Google the name of the site with the word “scam” or “review” after it. If a website has tricked other shoppers before, there’s a good chance that disgruntled customers will have posted warnings online.
Dig deeper: who really runs that online store? Well-known Kiwi brands often operate ecommerce sites and will prominently list a contact phone number, address and policies about returning goods.
If you’re thinking of buying from a less well known website, check if the company lists a telephone number and try calling it. Many of the scam sites reported to NetSafe can only be reached through an online feedback form and this can often be a red flag.
To check the provenance of a company selling online, search the domain ownership information and the registration date. The ‘whois’ record – easily searched at whois.domaintools.com or dnc.org.nz for .nz domains – will show you contact information and how long the website has been operating. If the site was set up very recently or is hidden behind a private domain registration, be very cautious about placing an order.
A final check to consider is locating where the site is hosted. www.infosniper.net is a great way to check where the computer powering the website is based. If a .nz website is hosted offshore – or in a high fraud-risk country like Russia – this should make you think twice about buying.
Picture credit: Flickr user Don Hankins, used under Creative Commons licensing.
Operating a small business is hard work. You pour blood, sweat and tears into making it a success so surely you want to do everything to protect it?
With the average computer security incident reported to NetSafe in 2014 costing $10,700, taking care of your hardware, software and information security is a must for every small business owner or manager.
Solo or micro Kiwi companies with fewer than 5 staff make up a large part of the New Zealand economy, and as the owner or operator of a small company you can often find yourself wearing many hats on a daily basis, covering sales, marketing, accounts, customer service and actually delivering the product or service that keeps the business going.
Ensuring the security of your business assets is also a very important part of keeping your company operating, whether it be the vehicles you use to deliver goods, the property you operate from, the customer database you work with or the IT systems you use to communicate with suppliers.
With IT playing a central role in so many companies these days, it’s essential that you undertake a cyber security assessment to keep track of your important information assets and protect them.
What is information or cyber security?
The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability
When we think about information and information systems we’re covering people, processes and technology.
This can include email, invoices, payroll, employee and client data, intellectual property and the computer systems that staff use to collect, store, process and deliver information.
Using the Connect Smart SME Toolkit can help you uncover precisely what business information and systems could be a target for cyber criminals. And assessing your cyber security risks can help identify what are the critical financial and information assets in your own business that need to be protected.
Conducting a simple risk assessment
By not protecting your small business information and systems you risk:
Loss of confidence
Loss of reputation
Loss of business
An assessment or audit of your business can identify:
Here’s how these interact:
A THREAT acting on a VULNERABILITY produces a RISK and probable bad consequences
A simple, real world example for a small NZ business would be:
Threat: Spam email with malicious attachment delivering ransomware
Vulnerability: Employees not trained to identify or delete spam emails
Risk: Network is compromised and hardware infected
Consequences: Business data encrypted, records lost
Conducting a risk assessment can highlight these kinds of weaknesses in your business.
Ideally, for the example above, you’d have several protective measures in place to tackle the malicious email risk that could include anti-virus software that automatically updates on all computers and a data backup regime that keeps regular, incremental copies of essential business data that can be easily accessed to recover from an infection.
Taking the time to review your company’s critical information and systems can help kick start the process of protecting it.
12 Questions that can help identify risks
Step one of the Connect Smart toolkit poses the following questions:
Do you have an overall security policy?
Do you and / or your employees access business emails on mobile devices (including phones and tablets)?
Do you train your staff about using mobile, the internet and email securely?
Do you back up your critical business data regularly?
Do you have a firewall installed on the computer(s)/servers used for your business?
Do you use security software (such as anti-virus and anti-spyware) and up-to-date operating software?
Do you connect any of the computers or mobile devices in your business to the internet using a wireless network?
Do you know how to prevent data theft?
Do you know how to reduce and manage spam?
Do you store business critical information on mobile devices?
Do you educate your staff not to give out confidential information that could compromise your company’s cyber security, either over the phone or online?
Do you delete or disable your staff’s IT accounts when they leave the company?
Spot some gaps? Then it’s a good opportunity to address these risks and talk with your own IT staff or your IT contractors about what to do next. Perhaps you need to upgrade those old Windows XP computers? Maybe staff all use one shared password to log in? Or you may suddenly realise that the information you need every day to keep your company going has never been backed up and one virus infection could put you out of business for good.
Keep it simple
Drawing up an information asset register is one simple step to help you record exactly what information your business uses and relies on to keep bringing cash through the door.
We’ve listed some other useful guides below that may assist you:
Richard Kissel from the American National Institute of Science and Technology’s Computer Security Division offers some great exercise templates for identifying and prioritising information types and ways to estimate the costs involved should bad things happen to your business data.
Cloud computing guidance for NZ
The Office of the Privacy Commissioner has several useful guides for SMEs around moving IT and information to the cloud, good data practices and dealing with security breaches:
head-on collisions caused by people trying to overtake slow-moving vehicles are one of the biggest causes of road deaths.
The Korean manufacturer has come up with a simple tech solution to an age-old problem – looking before you leap – and created a way for drivers to see ‘through’ a lumbering lorry with a front-facing video camera displaying the road ahead on screens fitted to the back of their large delivery trucks.
Drivers no longer have to risk a blind overtaking manoeuvre, swinging out into traffic to check the road ahead before hitting the gas to pass the truck that’s slowing their journey.
An age-old proverb is just as relevant today
Looking before you leap taken literally means it’s wise to check the path ahead before making a decision that you may regret or before you take an action that you cannot go back on.
Almost 500 years on, it’s still a useful part of any safety campaign and NetSafe regularly speaks with internet users who wished – with the benefit of hindsight – that they’d better researched an online offer or virus scanned an email attachment before finding themselves out of pocket or paying out for a computer clean-up.
Ways to look before you leap online
“Knowledge is power” is another old proverb worth remembering. When it comes to internet scams and frauds and computer security best practice, there are several ways to look before you leap into disaster:
1. Spend 5 minutes Googling
Seen a bargain offer online? Received a promising email about a work from home job? Thinking of sending your savings to an offshore broker? Do your due diligence before parting with cash or personal information.
It’s highly likely that another internet user has already fallen victim to the website you’ve spotted selling bargain electronics or offering a rate of return that’s too good to be true.
The internet has enabled scam victims and folks with a grievance to publish their own horror stories from anywhere in the world and doing a quick Google search with the URL of the site or name of the company plus the word scam afterwards can often uncover stories that may save you from a nasty mistake.
A company may claim to have been in business for 20 years but has it really? A quick ‘whois’ search of the website address can often highlight some oddities worth thinking about.
The whois record shows information about the domain name’s owner, their place of business and when the website name was established.
Scammers often register new website names just days before starting up a new scam, so look at the ‘Creation Date’ on file to see if the company has really been trading for as long as they claim on their website.
If the ‘Registrant’ details are hidden behind a domain privacy service operated out of Arizona or Panama then that’s a huge red flag – legitimate companies have few reasons to hide where they’re really based or want to stop people from finding out the real ownership details.
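As an added illustration (not part of the original post, and not NetSafe’s own tooling), the Python below parses a constructed whois-style record and applies the two checks described above: a ‘Creation Date’ that is very recent or that contradicts how long the company claims to have traded, and registrant details hidden behind a privacy or proxy service. The record text, the privacy keywords and the fixed ‘today’ date are assumptions made for the example.

```python
from datetime import date, datetime

# Constructed sample whois output (not a real domain record). It uses the
# "Key: value" layout that most whois servers return.
SAMPLE_WHOIS = """\
Domain Name: example-bargain-shoes.example
Creation Date: 2015-03-02T09:15:00Z
Registrant Name: Domains By Proxy, LLC
Registrant State/Province: Arizona
Registrant Country: US
"""

# Fixed "today" so the example is reproducible (assumption, not a real check date).
SAMPLE_TODAY = date(2015, 4, 10)

# Words that commonly appear in the registrant fields of privacy/proxy services
# (assumed list; extend it for the registrars you encounter).
PRIVACY_MARKERS = ("privacy", "proxy", "whoisguard", "redacted")


def parse_whois(text):
    """Return a dict of lower-cased keys -> values from 'Key: value' lines."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record[key.strip().lower()] = value.strip()
    return record


def domain_age_days(record, today):
    """Days since the 'Creation Date' field, or None if the field is absent."""
    raw = record.get("creation date")
    if not raw:
        return None
    created = datetime.strptime(raw[:10], "%Y-%m-%d").date()
    return (today - created).days


def whois_red_flags(text, today, min_age_days=180, claimed_years=None):
    """List the warning signs found in a whois record (empty list = none)."""
    record = parse_whois(text)
    flags = []
    age = domain_age_days(record, today)
    if age is None:
        flags.append("no creation date on file")
    else:
        if age < min_age_days:
            flags.append(f"domain registered only {age} days ago")
        if claimed_years is not None and age < claimed_years * 365:
            flags.append(f"claims {claimed_years} years trading but domain is {age // 365} years old")
    # Registrant fields are joined so a privacy service shows up whichever field it sits in.
    registrant = " ".join(v for k, v in record.items() if k.startswith("registrant")).lower()
    if any(marker in registrant for marker in PRIVACY_MARKERS):
        flags.append("registrant hidden behind a privacy/proxy service")
    return flags


if __name__ == "__main__":
    for flag in whois_red_flags(SAMPLE_WHOIS, SAMPLE_TODAY, claimed_years=20):
        print("WARNING:", flag)
```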
The site returns intrusion detection system alerts and popular blacklisting records to provide a visual warning even if you’re not familiar with the technical specifics as this example shows below with red and yellow warning flags:
3. Check with NetSafe
NetSafe staff handle 500-600 enquiries each month from people across New Zealand who are concerned about an array of ‘digital challenges’ that includes the safety of young people, online scams and cyber security threats.
Our experienced staff can help with anything from identifying scam operators to assisting with ransomware infections and website defacements. We can also connect you to a network of partner organisations that specialise in online issues involving child exploitation, objectionable content and extortion.
Three days after I stepped off a plane in January 2009 I bought my first car to explore New Zealand – a sporty, silver Subaru Legacy. Three months later the car was stolen and I discovered to my surprise that I’d unwittingly bought one of the most frequently stolen cars in NZ.
What I’d been lacking when choosing which vehicle to buy was data – not the kind of stats you find on Top Trumps cards such as top speed, fuel efficiency or braking distance, but information on car crime and vehicle security. Just how hard was it to steal a Subaru Legacy and how many were taken each month around the country?
Understanding your information security risks
In my case, had I known that Subarus were the car thief’s favourite target, I might have changed my buying behaviour and picked another model – one with better locks and a little less attractive to the bad guys. Simple risk avoidance or mitigation in action.
There’s no doubt that data can help shape the way we act – just look at the increasing popularity of wearable fitness devices that record our step count, calorie burning efforts and heart rate to guide us to better lifestyles.
In New Zealand, there are several good sources of cyber incident data. There are plenty of global studies too but identifying ‘local’ issues for a small country like NZ can also shine a spotlight on the peculiarities of a country with a total population smaller than many international cities and with a workforce that is concentrated in far smaller organisations.
1. The New Zealand Computer Crime and Security Surveys
These surveys are limited to New Zealand organisations employing an IT Manager and were run in 2005, 2006, 2007 and 2010.
As a smaller yet distinct economy physically and regulatorily distant from its western neighbour, New Zealand might be considered to require separate study to investigate how far similarities extend in the domain of computer crime and security.
2. PwC’s Global Economic Crime Survey
PwC is a huge organisation that spans the globe and helps larger businesses tackle business issues including fraud and economic crime. Their regular report provides a snapshot of NZ companies under the strap line “what you don’t know can hurt you.”
3. The New Zealand National Cyber Security Centre (NCSC) Incident Report Summary
NCSC focuses on “the protection of core government networks, the systems that support our critical national infrastructure, and engagement with industry and business to protect our intellectual property and economic assets.” They publish a report annually.
Email as a mechanism is inherently insecure and whilst many companies now do a large chunk of their business via email communications, it’s very easy for systems to be compromised, logins phished or stolen and access gained to email accounts.
For small NZ firms trading with companies offshore, trust in your suppliers is key and we’ve taken many reports of overseas companies finding their email systems have been hacked and invoices sent out with new bank account details for payment for goods.
How to tackle it?
Train staff to check all email correspondence carefully – especially the sending address – and to question any change of bank details by calling the supplier on a trusted phone number, not the one listed on the suspicious invoice.
The two-man rule is another control mechanism to consider: ideally, two staff check all payment details before an invoice is paid.
Hacked websites
A business website can act as your company’s global ‘brochure’ or take orders 24/7 whilst you sleep.
Websites are a popular target for all kinds of reasons. Automated attacks can search out known vulnerabilities – using search engine queries often referred to as Google Dorks – with simple defacements harming your business reputation, or more complex attacks serving up malware to visitors or running bulk spam campaigns from your hosting platform.
How to tackle it?
Patch and keep up to date any Content Management System or E-commerce platform the website runs on. Talk with your website developers and hosting companies about security standards and ways to monitor and defeat attacks on your website.
Build security into every stage of your online development process by reviewing the OWASP Top 10. If you’re taking and storing financial or personal information online consider consulting a security company about penetration testing options too.
How to protect yourself online
The concept of risk management is not new and there’s no doubt that every Kiwi business should assess and measure possible risks – including those identified above – and take steps to assign what resources they can afford to address those they find within their company.
In a follow up blog we’ll look at using the Connect Smart Toolkit to do just this, identifying priority information assets and systems and developing policies and processes to help deal with incidents. Plus how best to constantly review the security of your company and stay tuned to emerging issues.