On 10 July CERT NZ published their first quarterly report for 2019.
What happened in Q1?
The key points in the Q1 report are:
- the number of reported incidents reduced from 1,333 in Q4 to 992 in Q1
- reports to CERT NZ related to scam and fraud incidents have decreased to 33%, down from 50% in Q4 2018. Though there has been a decline in the reported number of incidents, the amount of financial loss attributed to scams and fraud ($1.7 million) makes up 80% of the Q1 total. The types of scams are expected to evolve, and people should become more vigilant as tactics become more sophisticated
- unauthorised access reports rose to 96, the highest number to date. CERT NZ recommends applying two-factor authentication (2FA) on all accounts and devices to mitigate this risk
- reports of suspicious network traffic are on the rise, up 100% from 13 to 26. These include reconnaissance efforts prior to an attack (e.g. probing for vulnerabilities and weaknesses in computers, networks, and infrastructure devices).
Remember, these are only the reported incidents.
Did you know anyone can report a cyber security incident to CERT NZ, from IT professionals and security personnel to members of the public, businesses, and government agencies?
At SSS we talk to many New Zealanders, and when we ask whether they have heard of CERT NZ, most tell us they haven’t. So we can safely assume these reported numbers only scratch the surface.
Please report your incidents at the CERT NZ website.
How can you protect yourself online?
With the growth in unauthorised access, up 19% this quarter and hitting a new record for reported incidents, CERT NZ (and SSS) recommend taking steps to mitigate this risk. Unauthorised access can be quite costly, with 30% of the reported Q1 incidents leading to total financial losses of $329,000. Attackers can gain unauthorised access to a range of account types in different ways, such as:
- targeted phishing campaigns (spearphishing)
- fake login pages to harvest credentials
- insecure login pages with no web SSL certificates
- web-based attacks
- insecure websites
- attacking users logging in through public WiFi (e.g. cafes and airports).
Attackers can use these types of approaches to steal information about your identity and then use it for financial gain.
To protect yourself from unauthorised access attacks you should turn on 2FA for your internet banking sites, email accounts, social media, and especially your devices. With 2FA, logging in requires your password and a second secret or factor. This combination adds an extra layer of security to your accounts and devices.
The types of 2FA available depend on the account or device, but the broad categories are:
- something you know (e.g. a PIN or a password)
- something you have (e.g. an ID card, a security token or mobile device)
- something you are, in the form of biometrics (e.g. a fingerprint, iris scan, or voiceprint).
What can you do to mitigate the risks posed by these cyber security threats?
CERT NZ has previously published their critical controls to help organisations prevent, or better contain, the majority of attacks they see.
To make it easy for our clients, we have mapped our solutions to these critical controls. Email us at email@example.com if you would like a copy of our mapping document. Alternatively you can contact us on 04 917 6670 if you would like to chat to one of our security consultants.