Cyber Security - PKF Hamilton

PKF Hamilton Team
April 8, 2019
Newsletters

We talked to Director Jonathan Prentice regarding what Cecuri, one of our PKF business partners, was coming across regarding cyber security issues in NZ, this was what he said:-

2018 was a very interesting and at times frightening year for technology security in New Zealand. Several global organisations being breached has seen New Zealander’s privacy affected by way of data loss from large scale, long term sophisticated hacks. The attack against the Starwood group saw 500 million customers affected, Ticketmaster and Orbitz were also substantial, not to mention the local issues with Inland Revenue, Z Energy and Vector. When 67 million Facebook users had their data stolen in just one single event we know the data was taken but what this data was taken for is still unclear. What is clear is that this was a sophisticated and targeted attack and the real ramifications of this event are either hidden from public view or are yet to be revealed. We just know they happened.

All these breaches were the actions of malicious groups of hackers targeting companies and usually taking advantage of human error but often resulting in substantial brand damage and loss of confidence in the market.

The concerning factor for Cecuri is how few businesses are taking the appropriate action to decrease their exposure and protect their data. While these examples are extreme in their size and scope, what most people don’t hear about are the numerous small businesses we see almost daily, dealing with the same data loss incidents. Unfortunately, these events are rarely made public which we feel sets an ill-advised opinion for local small business owners that these types of things only happen to large multinationals. This could not be further from the truth.

What we often don’t hear about are when the same type of breach affects 500 customers of a small business. While these attacks can still be very targeted they are often random, opportunistic and can come from almost anywhere. What is not different between these types of incidents is the target – data. Whether in the form of customer contact details, tax information, medical records or some other personally identifiable data, in the right setting the value of this data can vary exponentially. While most people think credit card data is the only data an intruder would want there is a lot of seemingly innocuous information that when paired with other data has instant value. Credit cards are of course still a very popular target but, they are hard to offload and come with all sorts of issues for the person trading the information. A full set of contact records though can be used for an almost endless number of possibilities.

It is likely these instances occur daily with the business not knowing the data is gone and the customer is completely unaware they have their personally identifiable data out there on the Internet somewhere. However, like in previous examples, at some point when the data does come to light the last thing any business owner wants is to be associated with a breach that caused harm to the most valued asset, their customers.

Many organisations we talk to either think they are safe because they have necessary precautions or are simply too small for someone to bother and therefore enough has been done. The reality is we are seeing a dramatic increase in this space and are being contacted with more and more regularity to respond to an event retrospectively. The challenge for our industry is articulating the regularity with which these breaches occur and the serious harm they can have should a breach be successful. If you were building a business from the ground up today a big part of that strategy would be how this business takes advantage of the digital space which always leads to considerations of employing the correct security for that presence. What we find however is a more relaxed approach for established businesses believing the longer they have been operating without issue the less likely they are to have an issue. Considering a hacker’s target is data, a new business has very little whereas an established business is a much higher value target, simply because it will have more data. Maybe things historically had no encryption, credit cards were faxed, PDF’d and stored electronically and while things may have improved now, chances are there is still data hanging around that is easy to get, easy to extract and easy to sell.

Cecuri has had an extremely high success rate when it comes to auditing and identifying vulnerabilities. In 2018 alone, we were able to capture over 250,000 active credit card numbers, breach and gain full administrative control over countless networks including everything from employee timesheet and payroll systems, building management, financial records and unencrypted medical information. We even identified systems being used as the base for attack on other local companies by hackers based offshore. All this from a mistake in a firewall rule, one forgotten active test account, one unpatched server or workstation.

Our success rate means we have a strong understanding on the techniques and methods hackers use to enter your network or target your data and can assist you in reducing the risk by showing you how to close holes. The key is not to implement military grade security, after all, military grade security requires a military grade budget. Instead, we identify the issues, work with you to understand them and identify ways to educate staff and incorporate a data security mantra into your business. If there’s anything we’ve come to truly appreciate it is that there is no such thing as a secure system when people are involved but the more the people looking after your data are included in its protection, the likelihood of a breach reduces significantly.

It is critical every business, big or small ensures they engage with a known and trusted specialist cyber security company to identify and remediate any issues found within their network or cloud systems and regularly re-test systems to ensure continued protection. In the same way a great accountant helps you navigate the intricacies of taxation, balance sheets, risk and compliance, it is now just as important that the data they are working with has the same trusted advisers overseeing how it is securely handled.

Is your Organisation Safe?

Do you have an IT governance program?
Is your governance program up-to-date and supportive of your business objectives?
Are you in compliance with government security and privacy laws?
Which staff might fall prey to phishing?
Have you tested your network’s internal and external vulnerabilities?
Are your remote and wireless networks fully secured?
Are physical servers and equipment protected from sabotage?
Can your system withstand a malicious hacker or trusted insider’s attach?
Do you employ encryption to sensitive information assets?
Do all employee passwords eet industry and firm standards?
Will your back-up system protect your data in a disaster?
Have you done all you can to ensure that your cyber insurance policy will cover financial loss?
Do you have the ability to detect a data breach?
Are your systems patched and anti-virus comprehensively installed, up-to-date and monitored?