Where can I study cybersecurity in New Zealand?

With corporate data breaches making the news most weeks, cyber security skills are increasingly being seen as a hot commodity for workers in the IT sector and for business owners and managers too.

As New Zealanders rely more and more on digital technology and online services around the globe, understanding emerging cyber risks and best practices for improving information security at all levels of the New Zealand economy is essential.

The American National Initiative for Cybersecurity Education publishes a map showing US education options – we thought it would be handy to publish a Kiwi version and so the map below lists a range of tertiary level course options for increasing your knowledge of cyber/information security in New Zealand.

We plan on updating this map with further study options including short courses, executive level training and professional certifications from bodies like ISACA, ISC2 and SANS.

If your course isn’t listed below please do get in touch with Chris Hails at NetSafe.

Buying super cheap trainers online? Just don’t do it

There’s no doubt the internet has revolutionised shopping in New Zealand: more choice and cheaper prices. The Dom Post believes that “the internet has brought the markets of the world into New Zealand houses.”

According to Statistics NZ data, the value of goods and services purchased online has been rising at more than 20% a year for some years and the internet’s growing slice of the retail pie has now got the government interested in taxing online sales with GST.

BNZ’s Online Retail Sales Index showed total online retail spending in June 2015 was up 19% compared to June 2014 levels and that’s despite the weakening dollar.


Nearly 2 million New Zealanders now shop online with 40% looking for a bargain. But our obsession with cheap prices can often end in a digital disaster.

In 2014, NetSafe recorded almost $8m lost to online scams and frauds (PDF) with more than 800 reports of online trades going bad and almost $400,000 lost when buying on websites, buy and sell pages and online auctions.

Yes, that’s a tiny percentage of online spending, but with the average sum lost standing at $801, bargain hunting can sometimes catch you out.


A growing trend in 2015 is the non delivery of bargain priced footwear, often well known brand running shoes purchased through .nz websites that present themselves as Kiwi businesses but are actually located in China or Russia.

Nike buyers have been hit particularly hard in recent months with ecommerce sites shipping fake goods or failing to deliver on the orders made. And the concern is that some of these sites are simply harvesting credit card accounts or personal data – including home addresses and emails – for future scams.

So what can bargain conscious Kiwis do to shop safely online?

  • Buy online using a credit card
    Buying with a credit card gives shoppers better protection than a debit card – if a deal goes bad you can try to get a bank chargeback.

    You can also investigate other payment options such as a Prezzy card which expires and offers an extra level of anonymity. If you think your credit card has been compromised, report it to your bank immediately.

  • Do some due diligence before you press buy
    First off, check how much of a bargain you’re being offered – compare the price of the item in an NZ store and see just how cheap the deal is. There’s a reason the old proverb “if it seems too good to be true, it probably is” still applies in the 21st century.

    Still keen for that bargain? If you’re shopping on an online site that you haven’t used previously, Google the name of the site with the word “scam” or “review” after it. If a website has tricked other shoppers before, there’s a good chance that disgruntled customers will have posted warnings online.

    If you’ve been ripped off then report it to NetSafe so we can keep track of the dodgy dealers and work with Consumer Affairs who issue Scam Alerts online.

  • Dig deeper: who really runs that online store?
    Well known Kiwi brands often operate ecommerce sites and will prominently list a contact phone number, address and policies about returning goods.

    If you’re thinking of buying from a less well known website, check if the company lists a telephone number and try calling it. Many of the scam sites reported to NetSafe can only be reached through an online feedback form and this can often be a red flag.

    To check the provenance of a company selling online, search the domain ownership information and the registration date. The ‘whois’ record – easily searched at whois.domaintools.com or dnc.org.nz for .nz domains – will show you contact information and how long the website has been operating. If the site was set up very recently or is hidden behind a private domain registration, be very cautious about placing an order.

    A final check to consider is locating where the site is hosted. www.infosniper.net is a great way to check where the computer powering the website is based. If a .nz website is based offshore – or in a high fraud risk country like Russia – this should make you think twice about buying.

Picture credit: Flickr user Don Hankins, used under Creative Commons licensing.

How to assess the cyber security of your business #ConnectSmart

Operating a small business is hard work. You pour blood, sweat and tears into making it a success so surely you want to do everything to protect it?

With the average computer security incident reported to NetSafe in 2014 costing $10,700, taking care of your hardware, software and information security is a must for every small business owner or manager.

$8m was reported lost to NetSafe in 2014 from a range of digital challenges – 520 out of the 8121 reports involved a variety of computer security threats

Solo or micro Kiwi companies with fewer than 5 staff make up a large part of the New Zealand economy and as the owner or operator of a small company you can often find yourself wearing many hats on a daily basis covering sales, marketing, accounts, customer service and actually delivering the product or service that keeps the business going.

Ensuring the security of your business assets is also a very important part of keeping your company operating, whether it be the vehicles you use to deliver goods, the property you operate from, the customer database you work with and the IT systems you use to communicate with suppliers.

With IT playing a central role in so many companies these days, it’s essential that you undertake a cyber security assessment to keep track of your important information assets and protect them.

What is information or cyber security?

The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability

When we think about information and information systems we’re covering people, processes and technology.

This can include email, invoices, payroll, employee and client data, intellectual property and the computer systems that staff use to collect, store, process and deliver information.

Using the Connect Smart SME Toolkit can help you uncover precisely what business information and systems could be a target for cyber criminals. And assessing your cyber security risks can help identify what are the critical financial and information assets in your own business that need to be protected.

Conducting a simple risk assessment

By not protecting your small business information and systems you risk:

  • Decreased productivity
  • Legal liability
  • Loss of confidence
  • Loss of reputation
  • Loss of business

An assessment or audit of your business can identify:

  • Threats
  • Vulnerabilities
  • Risks

Here’s how these interact:

A THREAT acting on a VULNERABILITY produces a RISK and probable bad consequences

A simple, real world example for a small NZ business would be:

Threat: Spam email with malicious attachment delivering ransomware

Vulnerability: Employees not trained to identify or delete spam emails

Risk: Network is compromised and hardware infected

Consequences -> Business data encrypted, records lost

Conducting a risk assessment can highlight these kinds of weaknesses in your business.

Ideally, for the example above, you’d have several protective measures in place to tackle the malicious email risk that could include anti-virus software that automatically updates on all computers and a data backup regime that keeps regular, incremental copies of essential business data that can be easily accessed to recover from an infection.

Taking the time to review your company’s critical information and systems can help kick start the process of protecting it.

Step One

12 Questions that can help identify risks

Step one of the Connect Smart toolkit poses the following questions:

  1. Do you have an overall security policy?
  2. Do you and / or your employees access business emails on mobile devices (including phones and tablets)?
  3. Do you train your staff about using mobile, the internet and email securely?
  4. Do you back up your critical business data regularly?
  5. Do you have a firewall installed on the computer(s)/servers used for your business?
  6. Do you use security software (such as anti-virus and anti spyware) and up-to-date operating software?
  7. Do you connect any of the computers or mobile devices in your business to the internet using a wireless network?
  8. Do you know how to prevent data theft?
  9. Do you know how to reduce and manage spam?
  10. Do you store business critical information on mobile devices?
  11. Do you educate your staff not to give out confidential information that could compromise your company’s cyber security, either over the phone or online?
  12. Do you delete or disable your staff’s IT accounts when they leave the company?

Answering these questions gives you the ability to score your business on how prepared you are to face the kinds of cybersecurity threats that NZ SMEs are experiencing every day.

Spot some gaps? Then it’s a good opportunity to address these risks and talk with your own IT staff or your IT contractors on what to do next. Perhaps you need to upgrade those old Windows XP computers? Maybe staff all use one shared password to login? Or you may suddenly realise that the information you need every day to keep your company going has never been backed up and one virus infection could put you out of business for good.

Keep it simple

Drawing up an information asset register is one simple step to help you record exactly what information your business uses and relies on to keep bringing cash through the door.

We’ve listed some other useful guides below that may assist you:

Richard Kissel from the American National Institute of Science and Technology’s Computer Security Division offers some great exercise templates for identifying and prioritising information types and ways to estimate the costs involved should bad things happen to your business data.

  • Cloud computing guidance for NZ

The Office of the Privacy Commissioner has several useful guides for SMEs around moving IT and information to the cloud, good data practices and dealing with security breaches:

Using the Cloud

Cloud Computing Checklist for Small Business

Data Safety Toolkit

What can Samsung’s ‘Safety Truck’ teach internet users?

There’s been a lot of coverage this week of Samsung’s efforts to keep Argentinian road users safe when overtaking:

head-on collisions caused by people trying to overtake slow-moving vehicles is one of the biggest causes of road deaths.

The Korean manufacturer has come up with a simple tech solution to an age old problem – looking before you leap – and created a way for drivers to see ‘through’ a lumbering lorry with a front facing video camera displaying the road ahead on screens fitted to the back of their large delivery trucks.

Drivers no longer have to risk a blind overtaking manoeuvre, swinging out into traffic to check the road ahead before hitting the gas to pass the truck that’s slowing their journey.

An age old proverb is just as relevant today

Looking before you leap taken literally means it’s wise to check the path ahead before making a decision that you may regret or before you take an action that you cannot go back on.

The proverb is believed to date from 1546 and was originally a warning about marrying the wrong partner:

In wedding and all things to looke ere ye leaped

Almost 500 years on, it’s still a useful part of any safety campaign and NetSafe regularly speaks with internet users who wished – with the benefit of hindsight – that they’d better researched an online offer or virus scanned an email attachment before finding themselves out of pocket or paying out for a computer clean-up.

Ways to look before you leap online

“Knowledge is power” is another old proverb worth remembering. When it comes to internet scams and frauds and computer security best practice, there are several ways to look before you leap into disaster:

1. Spend 5 minutes Googling

Seen a bargain offer online? Received a promising email about a work from home job? Thinking of sending your savings to an offshore broker? Do your due diligence before parting with cash or personal information.

It’s highly likely that another internet user has already fallen victim to the website you’ve spotted selling bargain electronics or offering a rate of return that’s too good to be true.

The internet has enabled scam victims and folks with a grievance to publish their own horror stories from anywhere in the world and doing a quick Google search with the URL of the site or name of the company plus the word scam afterwards can often uncover stories that may save you from a nasty mistake.


-> Looking to invest? Check the FMA’s lists of alerts, warnings and firms to be wary of.

-> Think it’s a scam? Check Consumer Affairs’s Scam Alerts for the latest advisories

2. Check if a website is dodgy

A company may claim to have been in business for 20 years but has it really? A quick ‘whois’ search of the website address can often highlight some oddities worth thinking about.

The whois record shows information about the domain name’s owner, their place of business and when the website name was established.

Scammers often register new website names just days before starting up a new scam, so look at the ‘Creation Date’ on file to see if the company has really been trading for as long as they claim on their website.

If the ‘Registrant’ details are hidden behind a domain privacy service operated out of Arizona or Panama then that’s a huge red flag – legitimate companies have few reasons to hide where they’re really based or want to stop people from finding out the real ownership details.
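The two whois checks described above (a recent ‘Creation Date’ and ‘Registrant’ details hidden behind a privacy service, the same checks suggested in the earlier shopping advice) can be applied to a saved whois record as follows. This is an added example, not NetSafe code: the sample records are constructed, and the 90-day cut-off, the keyword list and the `Label: value` layout are assumptions, since field labels differ between registries.

```python
import re
from datetime import date, datetime

# Constructed sample records, not real lookups. Labels follow the
# 'Creation Date' / 'Registrant' wording used above; registries differ.
SAMPLE_NEW_PRIVATE = """\
Domain Name: cheap-trainers-example.test
Creation Date: 2015-07-28T09:14:02Z
Registrant Name: Domain Privacy Service
Registrant Country: PA
"""
SAMPLE_ESTABLISHED = """\
Domain Name: established-shop-example.test
Creation Date: 2003-02-11T00:00:00Z
Registrant Name: Example Footwear Ltd
Registrant Country: NZ
"""

MIN_AGE_DAYS = 90  # assumed cut-off for "set up very recently"
PRIVACY_HINTS = ("privacy", "proxy", "redacted", "whoisguard")  # assumed


def parse_whois(text):
    """Collect 'Label: value' lines into {lower-cased label: [values]}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:%#]+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields


def assess(text, today):
    """Return a list of red flags for one whois record as of `today`."""
    fields = parse_whois(text)
    flags = []

    created = fields.get("creation date")
    if not created:
        flags.append("no creation date in record")
    else:
        try:
            registered = datetime.strptime(created[0][:10], "%Y-%m-%d").date()
            age = (today - registered).days
            if age < MIN_AGE_DAYS:
                flags.append(f"domain registered {age} days ago")
        except ValueError:
            flags.append("creation date not in YYYY-MM-DD form")

    # Any field whose label starts with 'registrant' counts as owner detail.
    registrant = [v.lower() for k, vals in fields.items()
                  if k.startswith("registrant") for v in vals]
    if not registrant:
        flags.append("no registrant details in record")
    elif any(h in v for v in registrant for h in PRIVACY_HINTS):
        flags.append("registrant hidden behind a privacy service")
    return flags


if __name__ == "__main__":
    for record in (SAMPLE_NEW_PRIVATE, SAMPLE_ESTABLISHED):
        print(assess(record, date(2015, 8, 10)) or "no red flags")
```

An empty result only means neither of these two signals fired; the other checks in this article still apply.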


-> Worried the URL might infect your computer? Use the website urlquery.net to scan a website before you go there on your own computer and risk a drive by download.

The site returns intrusion detection system alerts and popular blacklisting records to provide a visual warning even if you’re not familiar with the technical specifics as this example shows below with red and yellow warning flags:

urlquery.net warnings

3. Check with NetSafe

NetSafe staff handle 5-600 enquiries each month from people across New Zealand who are concerned about an array of ‘digital challenges’ that includes the safety of young people, online scams and cyber security threats.

Our experienced staff can help with anything from identifying scam operators to assisting with ransomware infections and website defacements. We can also connect you to a network of partner organisations that specialise in online issues involving child exploitation, objectionable content and extortion.

Want to look before you leap online? Contact NetSafe for advice.

The top 3 cyber security threats for NZ small businesses: #ConnectSmart

Three days after I stepped off a plane in January 2009 I bought my first car to explore New Zealand – a sporty, silver Subaru Legacy. Three months later the car was stolen and I discovered to my surprise that I’d unwittingly bought one of the most frequently stolen cars in NZ.

What I’d been lacking when choosing which vehicle to buy was data – not the kind of stats you find on Top Trumps cards such as top speed, fuel efficiency or braking distance, but information on car crime and vehicle security. Just how hard was it to steal a Subaru Legacy and how many were taken each month around the country?

Understanding your information security risks

In my case, had I known that Subarus were the car thief’s favourite target, I might have changed my buying behaviour and picked another model – one with better locks and a little less attractive to the bad guys. Simple risk avoidance or mitigation in action.

There’s no doubt that data can help shape the way we act – just look at the increasing popularity of wearable fitness devices that record our step count, calorie burning efforts and heart rate to guide us to better lifestyles.

In New Zealand, there are several good sources of cyber incident data. There are plenty of global studies too but identifying ‘local’ issues for a small country like NZ can also shine a spotlight on the peculiarities of a country with a total population smaller than many international cities and with a workforce that is concentrated in far smaller organisations.

1. The New Zealand Computer Crime and Security Surveys

These surveys are limited to New Zealand organisations employing an IT Manager and were run in 2005, 2006, 2007 and 2010.

As a smaller yet distinct economy physically and regulatorily distant from its western neighbour, New Zealand might be considered to require separate study to investigate how far similarities extend in the domain of computer crime and security.

2. PwC’s Global Economic Crime Survey

PwC is a huge organisation that spans the globe and helps larger businesses tackle business issues including fraud and economic crime. Their regular report provides a snapshot of NZ companies under the strap line “what you don’t know can hurt you.”

The 2014 report (PDF) states that cybercrime often goes unreported and that “respondents expect cybercrime to be double from current reported levels to 22%, over the next two years.”

3. The New Zealand National Cyber Security Centre (NCSC) Incident Report Summary

NCSC focuses on “the protection of core government networks, the systems that support our critical national infrastructure, and engagement with industry and business to protect our intellectual property and economic assets.” They publish a report annually.

In 2013, the number of incidents recorded by NCSC increased by more than 60% and their data covers a whole host of threats:


4. NetSafe’s ‘Digital Challenge’ data

NetSafe has recorded information on cyber safety, security and crime issues since August 2010 and publishes anonymised incident data to help people understand the NZ threat landscape.

The number of reports has steadily risen over the years when you review data from 2011, 2012 and 2013. In 2014, NetSafe published data for the full calendar year, recording 8121 reports and $8m of associated losses (PDF) caused by online scams and fraud and computer security incidents.

Identifying the Top 3 Threats for SMEs

Running a ruler over the 2014 data, we can highlight 3 key issues that NZ small businesses need to be aware of:

  • Ransomware
  • Intercepted emails
  • Hacked websites

> Ransomware

Ransomware has emerged over the last two years as the most problematic form of malware – or malicious software – to target owners of internet capable devices.

File-encrypting ransomware like Cryptolocker or CryptoWall can infect your computers and scramble data stored on your machine or any networked storage backups.

Owners of Android smartphones and tablets are now also being targeted with viruses through social media links or websites that encourage you to install a ‘video player’ app to watch content.

How to tackle it?

Installing, updating and using anti-virus software is one simple step. So too is making regular routine backups in case your computer cannot be cleaned and you need to undertake a system restore or rebuild to recover encrypted files.

Updating software and systems to ensure they are fully patched against known vulnerabilities is also key. Finally, train staff to recognise spam and phishing emails with malicious attachments and let them know how to report their concerns.

> Intercepted emails

Email as a mechanism is inherently insecure and whilst many companies now do a large chunk of their business via email communications, it’s very easy for systems to be compromised, logins phished or stolen and access gained to email accounts.

For small NZ firms trading with companies offshore, trust in your suppliers is key and we’ve taken many reports of overseas companies finding their email systems have been hacked and invoices sent out with new bank account details for payment for goods.

How to tackle it?

Train staff to check all email correspondence carefully – especially the sending address – and take steps to question why bank details have changed via a trusted phone number, not the one listed on the suspicious invoice.

The two-man rule is another control mechanism to consider, ideally having two staff check all payment details before paying invoices.

> Hacked websites

An example of a website defacement

A business website can act as your company’s global ‘brochure’ or take orders 24/7 whilst you sleep.

Websites are a popular target for all kinds of reasons. Automated attacks can search out known vulnerabilities – often using search queries referred to as Google Dorks – with simple defacements harming your business reputation or more complex attacks serving up malware to visitors or bulk spam campaigns using your hosting platform.

How to tackle it?

Patch and keep up to date any Content Management System or E-commerce platform the website runs on. Talk with your website developers and hosting companies about security standards and ways to monitor and defeat attacks on your website.

Build security into every stage of your online development process by reviewing the OWASP Top 10. If you’re taking and storing financial or personal information online consider consulting a security company about penetration testing options too.

How to protect yourself online

The concept of risk management is not new and there’s no doubt that every Kiwi business should assess and measure possible risks – including those identified above – and take steps to assign what resources they can afford to address those they find within their company.

In a follow up blog we’ll look at using the Connect Smart Toolkit to do just this, identifying priority information assets and systems and developing policies and processes to help deal with incidents. Plus how best to constantly review the security of your company and stay tuned to emerging issues.

Stay up to date with NetSafe news on other emerging small business risks including employment scams, spear phishing, insider threats and more.
