The “hush-hush” attitude of professional services firms and their IT providers when they experience a data security breach is adding force to the tidal wave of cyber-attacks continuing to devastate New Zealand businesses.
Simon Falconer, managing director of Wellington-based IT firm Resolve, says industry groups being hit with spam need to work together, alongside their IT providers or staff, to combat the growing spam problem targeting SMEs in specific industries.
“We’re seeing a substantial increase of spam targeting our customers and we’re finding that when a breach occurs it’s usually a malicious attack the industry has already seen and dealt with,” he says.
“The same mistakes keep happening because we aren’t talking to each other about it and what lessons should be learned.”
As such, Falconer is calling for “more collaboration and information sharing” on security threats and breaches between professional services firms via a private forum, but recognises some may not be willing to participate in a forum like this for fear that their reputation is at risk.
“No one talks - because when a security breach occurs the relevant business or the IT provider is embarrassed to suggest their clients’ data was at risk, and their reputation could be on the line,” he says.
“But if we were having these discussions in a respected and confidential environment we might be able to start combating the problem and provide better outcomes to our customers.”
A task force already exists: the New Zealand Internet Task Force (NZITF), with members from some of New Zealand’s largest businesses and IT providers, focuses on “improving the operational robustness, integrity, and security of the internet in New Zealand”, and its regular forum allows for “collaboration on matters relating to the cyber security of New Zealand.”
Falconer believes it is important to have a higher-level task force established and commends the work the NZITF is doing, but sees a need for more “on the ground” action in this space.
“We want to see industry bodies like the Law Society or the Institute of Chartered Accountants leading the way and providing a forum where breaches can be openly discussed and strategies developed within their own industry,” he adds.
“The attacks are industry targeted and groups like the Law Society already have established structures to facilitate and organise a forum like this.
“There’s also perhaps a role here for the NZITF to work more closely with industry bodies either through training, or better information sharing, and that way we can bring the two together and reach a wider audience.”
In March alone, 82 percent of email coming through Resolve’s mail server was recognised as spam and either discarded or held in ‘quarantine’.
Falconer says it has never been this high, and that new variants of malware invading computers and servers via spam email are emerging every day.
“The arms race between malware authors and security software developers is fraught with new and undetectable strains of malware making an appearance every day, and staying on top of it is a challenge,” he adds.
NetSafe are also seeing increases in ‘incidents’. In March this year they recorded 816 cyber safety, security and crime incidents, which cost businesses and personal users over $1.19 million.
Meanwhile, in January and February, there were 601 recorded incidents costing more than $700,000, and 595 recorded incidents costing over $580,000, respectively.
Most of the targeted business spam is of a type becoming known as BEC, or ‘Business Email Compromise’, in which the spammer sends email requests for payment with an attached invoice from genuine suppliers, or uses a hacked or fake email address of an executive employee to ask the accounts department to pay them funds directly.