The rise of the COVID-19 cybercriminal – is NZ ready?
Cybersecurity Awareness Month
The cybersecurity spend of New Zealand government agencies and top organisations is far below international levels. That could leave them wide open to attack, as cybercriminal activity increases in the wake of COVID-19 – but hope is on the horizon.
Over the past 18 months, things have got riskier. COVID-19 hasn’t just threatened our health, livelihoods and economies, it’s also created the perfect environment for cybercriminals. In June this year, FBI Director Christopher Wray said the scale of cyberattacks had been unprecedented. “And it's going to get much worse,” he added.
It’s something our vendors are seeing too – since the beginning of the pandemic in March last year, they saw as many 2000 COVID-related domains registered per day. That’s malware developers setting themselves up to leverage increased anxiety, lowered defences and less critical thought.
That data isn’t intended to scare you – it’s merely a chance to take a clear-eyed look at the new normal in the world of cybersecurity. Only then can we determine if New Zealand is as ready for the cyber threats as we were for dealing with the pandemic itself.
The NZ situation – high-risk profile, low security spend
Small and isolated though we may be, New Zealand has a surprisingly high level of cybersecurity risk. With our small population, sophisticated tech and developed economy, we often bear the brunt of cyberattack innovations as criminals test their new approaches before rolling them out in a larger market.
It means we deal with more and more sophisticated attacks disproportionate to our size. Yet, compared to average spend on cybersecurity internationally, it’s hard to imagine that even the largest Kiwi corporates would come close. According to the CB Insights Research report on Cyber Defenders 2021, US corporates spent an average of USD 2.9 million on cybersecurity in 2019.
The good news: we know where most attacks come from
Over 90% of cyberattacks come through just one door – email. That’s good news. It means that plugging just that one gap can dramatically improve the cybersecurity of Kiwi businesses.
One easy win would be to properly implement domain-based message authentication reporting and compliance, or DMARC. This powerful solution defends against email spoofing, impersonation or business email compromise attacks. Think of this as a basic layer of security – locking your car doors or shutting your windows at night. It won’t stop all attacks, but it’s a very important first step – and one that very few Australasian organisations are taking.
The more recent DMARC survey we conducted in 2021 showed 33.44% uptake and 22% with a policy in place among selected Australian & NZ organisations. However almost two third of the NZ Government Agencies have no DMARC in place at all.
Tackle email security, get ahead of cyberthreats
With cyberattacks on the rise since the pandemic, it’s true that foolproof cybersecurity takes an ongoing and many-pronged effect. But the reality is that cybersecurity spend at Kiwi organisations isn’t coming close to international averages – and most aren’t even achieving the basics. That might sound dire, but it’s actually good news. Small changes, like properly implementing DMARC for example, can dramatically improve an organisation’s email – and therefore overall – security profile.
Photo by Mediamodifier on Unsplash