Originally published by Transparency International New Zealand (TINZ)
The Waikato DHB incident is just another event in the rise of cybercrime. If you have not heard enough cybercrime 'wake-up' calls by now, you must be asleep.
Cybercrime affects all of us. Anyone can become a victim, and it can seriously harm an organisation. It is a challenge to our open and connected world. Its scope is global and its threat is significant. Virtually everyone needs to be aware of it and take steps to protect themselves.
So, let us invest a few minutes contemplating cybercrime and touching on its relevance to transparency.
Cybercrime attacks are increasing not just in number and scale, but also in complexity and effectiveness.
We have been warned. It has been widely predicted for years that cybercrime would increase dramatically and become a key organisational risk. The numbers are truly staggering, with security professionals' go-to website Dark Reading quoting a 2018 study predicting “that cybercrime will cost companies across the world $6 trillion annually by 2021, increasing from $3 trillion in 2015”.
Here in Aotearoa New Zealand, we can see this coming to pass. Government body CERT NZ received 7089 incident reports in 2020, an increase of 65% from 2019 and following a similar percentage increase over the last five years.
It’s About Crime, Isn’t It?
Criminal activity for profit is a large driver behind the increase in attacks. Cybercrime shares similarities with other fraud-based crimes, but it is done through a device and less likely to be by someone you know personally.
Organised crime has been moving into this lucrative activity. This is not so much the ‘mob’ in your local town diversifying, as it is transnational crime, often operating with relative impunity from countries with poor legal systems and law enforcement. It is a serious threat to our society.
You are only one click away from organised crime, and a brush with an incident can be quite unnerving.
We need to move away from thinking of the hoodie-wearing youth in a dimly-lit clothing-strewn bedroom. The ‘hacker nerds’ might still be out there, but the industry is maturing and often they are being hired by organised crime.
This 4-minute YouTube video (using a fictional situation) provides a good description of the sophistication of the cybercrime industry.
There is a more insidious element to cybercrime besides individual hackers and organised crime: it is also being practised to undermine trust in our open and democratic societies by causing damage and harm. The role of State Actors has been well established.
The Dark Web
The Dark Web is a part of the Internet that requires special software to access. It is not reached and mapped by everyday search engines, and it permits anonymity. It is therefore ideal for criminal and other nefarious activities.
Most of us sign up to numerous websites, and if one of these is hacked, the username and password you used may end up on the Dark Web where they can be purchased as part of a database. At GTB we have had many instances of clients receiving threatening emails quoting their actual user passwords. The days of being able to use the same password for everything are over.
In the same way that you can sign up to software-as-a-service where you pay monthly to use it, anyone can buy ransomware-as-a-service. The kit contains everything they need to launch ransomware attacks on the world. The price? As low as NZ$50 a month or thereabouts. Punchline: being a cybercriminal is a viable career choice requiring modest skill and a low cost of entry.
How Does Transparency Fit in?
The Dark Web is an antithesis of transparency. It creates a safe space for those not wanting their activities to be noticed. Together, cybercrime and the Dark Web are encouraging people to be more distrustful of others.
Organisations debate whether to be open about cybersecurity incidents. On the one hand, the incident is best dealt with in-house and disclosing it risks damaging their reputation. On the other hand, being more open can build confidence internally and externally that the organisation is owning the issues and taking steps. Openness also helps society understand the scope of the problem and collectively build effective counters.
How Should We React?
Broadly, live our values by continuing to practise and reward fact, truth and the transparency needed for these things to flourish.
In our professional lives, take notice of the need for security and awareness of the possibility of cyber-attack. Keep in mind that some 80% of successful attacks are because ‘someone clicked on something’. Support your people and help them to be aware and on guard.
Be prepared so that you are better protected and able to recover if an attack is successful. If you would like more non-technical information, download our short e-book ‘Reduce Your Risk – The Cybersecurity Guide for Kiwi Healthcare Professionals’. While aimed at medical centres, the security principles apply to most organisations.
Don’t feed the criminals. Having precautions in place makes their job harder and lowers their profits. Don’t pay ransoms. About 18 months ago we had a medical centre client where ‘someone clicked on something’ and it encrypted their data. The owners did not even consider paying the ransom. We had a practised plan in place and had them running again in 24 hours.
In our personal and civic lives, support the people who may be vulnerable to cybercrime.
As a society, we need to move beyond reacting to proactivity. The recent attack on the US pipeline may be a part of prompting more Governmental action, in NZ and globally. Let’s hope so. The Internet and information sharing offer us far too much for it to be ruined by criminals.
About the author:
Mark had a naval career specialising in logistics, becoming more involved in organisational improvement and business excellence as he reached senior rank. Self-employed for the last 19 years, he has worked with many businesses helping them to improve, before settling into his current IT business as a co-owner. GTB IT Solutions provides full-service IT to businesses and organisations mainly around the Wellington region, but also further afield.
Mark is not a cybersecurity specialist.