Professional Hackers Want Your Data

There has never been a better time to be a cyber criminal, says a former GCSB security specialist.

Speaking during one of the September Bounce conferences organised by Financial Advice NZ, and ahead of the 1 December update of the Privacy Act, Marc Barlow, a Consulting Partner at InPhySec, told a Wellington and online audience there has been a shift by organised criminals during the past 10 years to use the internet to commit crime.

“Now more than ever it is a great time to be a [cyber] criminal,” he said. “It is really lucrative, high value, low barrier to entry and relatively safe because it doesn’t matter where you are in the world if you want to extort companies or steal some money.

“They can access your computers and try to pinch your data and then make money out of it. Data is worth money.”

He said some of the computer programs hackers use are not only sophisticated but are made by professionals and sold by companies that provide support staff to help their clients in their criminal acts.

“The tools that the criminals buy to attack computer networks have full support agreements with help desks,” he said. “They buy the malware and get training on how to run it, there is a whole industry behind it – it is amazing.”

Email hacking

Addressing the issue of email hacking, Petra Luicoli, Group Claims Manager at Delta Insurance, said half of all the claims her firm handles are related to compromised email accounts.

“Office 365 compromises are the number one,” she said. “Office 365 is so widely used by the business community it has become the default platform for everybody, so that’s why it is being attacked.”

Petra Luicoli, Group Claims Manager at Delta Insurance says two-factor authentication is needed for computer systems.

However, she says all email compromises could be prevented if companies adopted two-factor authentication.

“Literally 100 per cent of them would be stopped,” she said. “If you look at a physical burglary…if you leave your front door open then you are an easy target.

“If you lock your front door then it might not prevent a burglary but the burglar will probably go next door for an easier target.

“But if you put two-factor authentication on then you are stopping yourself from being an easy target. Any computer system you are using should have two-factor authentication.”

On the subject of ransomware, where a criminal demands money (such as Bitcoin) to unlock a company’s computer network, Luicoli warns that these attacks are becoming more targeted, with criminals carefully researching the companies they attack.

She also says cyber insurance will be a focus for the domestic market in the future, particularly as working from home creates a grey area as staff use home WiFi networks to log in to work systems.

“The edge of your company network and the start of the home network is becoming much less clear. What we will see in the future is a greater move toward personal cyber protection insurance as much as corporate cyber protection. That is not an area insurers have tended to focus on, until now.”

See our stories: Privacy Act Might Catch You Out and Privacy Act Law Change Ahead.

Key Changes Under The Revised Privacy Act That Starts 1 December

  • Requirements to report privacy breaches: If an agency has a privacy breach that causes serious harm or is likely to do so, it must notify the people affected and the Privacy Commissioner

  • Compliance notices: The Commissioner will be able to issue compliance notices to require an agency to do something, or stop doing something

  • Decisions on access requests: The Commissioner will make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal

  • Strengthening cross-border protections: New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by comparable privacy standards. The Act also clarifies that when a New Zealand agency engages an overseas service provider, it will have to comply with New Zealand privacy laws

  • Class actions: The Act permits class actions in the Human Rights Review Tribunal by persons other than the Director of Human Rights Proceedings

  • New criminal offences: It will be an offence to mislead an agency in a way that affects someone else’s information, and to destroy documents containing personal information if a request has been made for it. The penalty will be a fine of up to $10,000

  • Strengthening the Privacy Commissioner’s information gathering power: The Commissioner will be able to shorten the timeframe in which an agency must comply with investigations, and the penalty for non-compliance will be increased from $2,000 to $10,000

Source / Ministry of Justice