The bad news is there’s a good chance you’ve already been hacked, even if you don’t know it.
And if you haven’t, it may only be a matter of time until you are.
Just ask the Waikato DHB, victim of a ransomware attack that had massive ramifications for the organisation’s operations. If they can’t keep the hackers out, who can?
That breach appears to have been as simple as someone downloading something from an email that they shouldn’t – something that will be making many wince in sympathy.
The good news is most people reading this will be minnows compared to the DHB whale, and therefore of less interest to the really big sharks cruising out there.
And there are simple things you can do to minimise the risk – up to and including buying cyber liability insurance.
Take it from Bradley Whittal, a Waikato cyber security expert who manages to sound simultaneously reassuring and alarming in a matter-of-fact way while describing what sounds a lot like the wild west.
“The thing is, no matter who you are, or what business you have, it’s just a matter of time before you’re hacked. If somebody really wants to hack you, nothing’s going to stop them.”
Clearly, that includes the DHB and while Whittal is wary of forming a judgment (“I’ll wait for them to come out with the finding”), he thinks their use of physical servers is problematic.
The DHB hack has, not surprisingly, been good for business. Inquiries to DI Solutions, which he founded three years ago, jumped sixfold in the wake of the attack.
Whittal, who is a certified ethical hacker, provides a service ranging from cyber security education to ferreting out details that may be up for sale on the dark web. He also works with the insurance industry to check client vulnerability.
DI Solutions offers dark web monitoring, looking for any credentials that may be exposed, and pairs that with phishing training and awareness.
That could, for instance, see them sending scam emails to employees posing as their boss or trying to deposit money into the owner’s account. They then educate staff where they might have gone wrong. They also offer ongoing support, including making sure a firm’s antivirus is working correctly.
“With security, it’s not like building a wall – you know, you build the wall, and you forget about it. Because the online world is always changing, so there’s maintenance.”
Every morning, the first thing he does is run a check of each of their clients, who range from law firms to tradies and cafes. “If you’ve got a computer, you are vulnerable.”
Whittal, who started on this path after his grandfather was scammed, says the cyber security industry is picked to grow by 73 percent this year in New Zealand.
He thinks Covid-19 has amplified the growth, with “a lot more people” trying to hack information at what he describes as the beginner level. “We call them script kiddies, because they’re using somebody else’s program to try and hack somebody.”
DI Solutions’ distinctive approach is to focus on educating their clients. “Your end user, at the end of the day, is the weakest point.”
He says the US stats show 70 percent of all SME businesses have already been hacked and don’t know about it. That could mean their passwords are out there or a list of emails is up for sale on the dark web.
And so it goes. Someone signs up for an online service, with their email address and a password; the service gets hacked and the person’s password and email address are compromised.
“That list then is sold on the dark web, which your everyday user doesn’t see. And then that’s when people go, ‘I’ll buy 1000-odd passwords’. And they go through the list and try and get into somebody’s account, and then steal information from them and sell it on the dark web. And, you know, the process goes on and on.”
Whittal says an email address and a password can sell for anywhere between US$1 and US$8, depending on the size of the business.
He is able to detect if an encrypted password has been cracked, and points out it’s an easier fix if the person uses a different password for each service.
US stats also show 39 percent of people use the same or similar password, meaning a successful hacker can then log into any of their online services.
Ransom demands are one risk, but there is also potential loss if clients’ details are being shared with competitors. Even in the IT game, Whittal says, he gets contacted by people offering to sell lists of people’s information.
“If people do get emailed lists, or called about a list, they shouldn’t be buying, because they probably have been acquired illegally.”
Regulatory changes in December include the requirement for anyone who has been hacked to notify Cert NZ or face a potential $10,000 fine, and also introduce requirements, called PSR, for businesses to follow around what to do with client data and how to encrypt it.
Waikato Business News asked Bradley Whittal for three top tips for business owners to keep themselves safe from cyber attacks.
He highly recommends getting a password manager – one password which unlocks the others. Firstly, he says, that means you only have to remember one password. “Secondly, you then have a directory of your passwords. So if something is compromised, you can then search for that compromised password.
“Second would be setting up second factor authentication, via either Google Authenticator or via text notification.” That means when logging in to your email account, you get a text with six digits as part of logging in. “If your password for your email, for example, was breached, they would then be stuck there, they don’t have access to that six digit code. Or you use Google Authenticator, where the passwords reset every 30 seconds.”
The third tip is simplicity itself. Whittal says if someone sends a request for payment, make sure it is coming from the right email address. “Just phone them. It takes two minutes; phone to make sure that it is them.”