Solving cyber security in New Zealand

Key advice to avoid being a victim of cyber fraud


Chances are, every household in New Zealand has been impacted by a scam, stolen identity, credit card fraud or a copied password, or knows someone who has. It's no surprise. We're 56th in the world for cyber security practices, which impacts not only us but also the businesses and communities we live in. The tell-tale signs of a scam are not always easy to detect. You get sent unsolicited emails, texts, or requests for payment for products you didn't order, but they look legitimate, and so many of us follow the steps we're told to.

Our panel of experts will help you reduce the chance of becoming a victim of cyber crime, and provide advice on what to do if you are affected by it. 

Being a remote Pacific island doesn't matter

It's almost impossible to be part of society and live off the internet grid, as technology pervades our everyday lives. Recent events have made us even more dependent. COVID forced us to work from home, speeding up the adoption of technology and accelerating digitalisation, which fostered more online ordering, remote working, and reduced business travel.

But more time online means threats are increasing in volume and the criminals are becoming more sophisticated. 'Most forms of cyber fraud for business', says Richard Elwin, Principal Policy Analyst, National Cyber Security Centre, 'are those that cost you money to fix'. Common cyber risks for businesses include:

  • Denial of service. When your computer/laptop or your network crashes, denying you access to the internet and your data, with the attack typically consuming all your hard disk space, memory or server capacity. 
  • A data breach. Someone gets access to, or uses, information such as customer records and personal information, intellectual property, or business secrets without permission.
  • Malware. Short for 'malicious software': software designed to cause disruption or damage, or to allow unauthorised access to your IT environment.
  • Phishing. Correspondence generally received through email, text message or social media to trick you into opening a file that has malware or disclosing information such as names, date-of-birth, or banking details.
  • Business email compromise. When someone accesses your business email account to perform scams, such as sending fake invoices.
  • Ransomware. A form of malware that, once installed, aims to deny you access to your information or IT system unless you pay a ransom.

Even if your business doesn't experience a direct attack, a supplier, customer or employee may, and any of these affects the smooth operation of your business.

Reducing the risk

We may be at the bottom of the world, but we're not safe. Cyber criminals build harm into their hacking to monetise their activities. They don't care about consequences. 'One of the biggest threats we are facing at the moment is being cut off from the rest of the world', says Nadia Yousef, Country Manager of CISO Lens NZ. 'If you think it's getting worse every day, you'll be right. And it's probably going to be worse when you wake up tomorrow. So the best next step is to start doing something. If I was going to give just one piece of advice', says Nadia, 'it'd be using multi-factor authentication across your applications. Add it to your phones and emails right now'. CERT NZ's data consistently reflected that having a second factor of authentication would prevent a significant number of the incidents that were reported. It's the same with long, strong, and unique passwords.

It's also essential to understand the technology you have in your business, and how it affects the things that matter to you. Loss of data is one thing, but what else? Identify the events that matter to you and then work out what technology and procedures will reduce the risk.

Practical steps to prevent cyber crime include:

  • Implementing multi-factor authentication everywhere.
  • Securing your devices so they don't get stolen.
  • Keeping your software updated.
  • Backing up your information all the time.
  • Setting up an incident response plan.
  • Training your staff not to click on suspicious emails, links or attachments, or share PINs.
  • Having systems in place to investigate any invoice from an email request.

Should you pay a ransom?

If your business is down from a hack and a request for money has been made to make the problem go away, you've a tricky decision to make. 'You can't absolutely say no' says Alastair MacGibbon, Chief Strategy Officer of Cyber CX. A good example is when the Waikato District Health Board couldn't access their health data. Luckily their business plans were good. The emergency room kept going because they went back to pen and paper and knew what to do.

The first question, therefore, is: will anyone die? If yes, pay it. If no, then the cost tends to be monetary loss, deteriorated reputation or the hassle and time to fix the issue.

If you are faced with a ransom demand, figure out which cost is lower by weighing what you stand to lose:

  • Your reputation, from admitting a hack and telling customers their data is compromised.
  • Customers who no longer trust you to be safe.
  • All your sales records and data of past customer transactions.
  • Access to your network and files.
  • Marketing and accounting software data.
  • Any new product development files.
  • Your focus on your business and the extra stress.

The impact on the mental health of those who fall victim to cyber crime is a hidden cost, often missed. 'When I was working at CERT NZ', says Nadia, 'we would take calls from smaller businesses that were ransomwared and didn't have back-ups. It was devastating. Owners were crying on the phone that they have lost their livelihoods and felt they had let down the people that worked for them'.

Putting plans in place is critical to avoid an existential cyber event. Anytime you get a ransom demand, report it to the Police and CERT NZ.

Do I really need cyber insurance?

Most people don't argue about paying home, motor vehicle or even life insurance. If the worst happens, you're covered. However, a catastrophic cyber event could do more damage than burning down your business. 

Cyber insurance has a place to mitigate large scale attacks. 'It can be expensive', says David Bullock, EGM of Technology and Operations at ASB Bank, 'and it will continue to stay expensive given the challenges. But think about the worst thing that could happen if you got hacked, and the cost. If cyber insurance is cheaper than cleaning up the outcome, then you should buy it'.

If you don't want to buy insurance, at the very least, spend money and time to mitigate the event in the first place.

Still feeling unprepared?

Go to the NZ CERT business link; the first article at the top lists the 11 things you can do as a business to protect yourself.

If you have internal staff or an external IT provider that manages your cyber security, then great. Otherwise, we suggest you go to CERT NZ. It's the government's Computer Emergency Response Team (CERT) to improve access to information on potential or real-time cyber-attacks. They have a great summary of six common cyber threats to businesses here. Use the Two Factor Directory to check what IT services use multi-factor authentication, which is a recommended pre-requisite for accessing critical data. Finally, check out all the practical Protecting your business advice on the ASB Business Hub.
