CERT NZ Q3 Report

  • SSS GRC Team
  • Feb 10, 2020

Did you know anyone can report a cyber security incident to CERT NZ, from IT professionals and security personnel to members of the public, businesses, and government agencies? At SSS we talk with many New Zealanders and when we ask whether they have heard of CERT NZ, most tell us they haven’t. So we can safely assume these reported numbers represent only a scratch on the surface. Please report your incidents at the CERT NZ website.  

This page on the CERT NZ website shares some useful information about responding to incidents and what you can do to help protect your systems.

We can help with your incident management

If you need help, we have a team of experts who can work with you to assess your risks and gaps, develop your security roadmap, improve your security posture, and help you implement solutions to manage your cybersecurity vulnerabilities, risks and threats. You can contact us on 04 917 6670 or email us on sales@sss.co.nz.

Q3 CERT NZ report

The highest number of reported incidents on record

In the period from July 1 to September 30, CERT NZ received reports of 1,354 cyber incidents, a 13% increase on the previous quarter and a record high since CERT NZ was founded in 2017. Increasingly these incidents are being forwarded to CERT NZ after having been initially reported to the New Zealand Police, who received 212 reports relating to cyber crime in this quarter. By the region, Aucklanders were by far the most prolific with 533 reports, followed by Wellingtonians (196) and Cantabrians (114).

Scams and fraud incidents are skyrocketing

The number of extortion and or blackmail reports rose by 16% in Q3 with a dramatic spike in reports of scams that stemmed from consumers engaging in eCommerce. As the silly season is upon us and people are busily doing their Christmas shopping, CERT NZ advises that consumers should exercise caution when attempting to buy, sell or donate online. People were also heavily impacted by scammers masquerading as tech support staff in this quarter. By far the worst hit demographic was the 55 to 64 age bracket, which saw $1,452,900 in direct financial losses. Sadly, this age bracket lost more money to cyber crime than all other age brackets combined.

Organisations are increasingly targeted

Attacks on organisations intensified in Q3 with the number of reported incidents involving organisations rising by 16%. Denial of Service attacks affecting organisations were up by 133% since Q2 with a total number of 35 being reported in Q3. On the flip-side, there was a decline in reports of suspicious network activity, which saw 56% fewer cases when compared with the previous quarter. Along with an increase in reported cyber incidents, more organisations are also suffering direct financial losses of a significant amount, with nine incidents involving losses in excess of $100,000. For organisations looking for areas to strengthen their processes, it is useful to note that six of the incidents involving significant financial impact involved transfer of money scams .

Vulnerability disclosures

CERT NZ has two broad policies relating to the disclosure of vulnerabilities: the first is a standard approach but they also employ what they have called the Coordinated Vulnerability Disclosure (CVD) policy for situations where the person reporting the vulnerability would prefer that CERT NZ carried out the critical step of contacting the vendor of the vulnerable system themselves. This is part of ethical vulnerability disclosure as it ensures vendors have an opportunity to create and disseminate patches for their systems before they are disclosed to the public, at which point cyber criminals are likely to attempt to exploit the vulnerable systems to commit their crimes. The proportion of reported vulnerabilities that involved a CVD increased noticeably to 44% in Q3 from 33% in Q2. If you discover vulnerabilities in any computer systems, remember to contact CERT NZ and ask about the CVD policy if you would like their support with the vendor notification process.

Read the report