Image: Archi Banal / Dylan Reeve

Internet | December 14, 2021

Did half of New Zealand businesses really get hit by ransomware this year?


Research by a cyber security firm suggests 55% of New Zealand businesses had been subject to a ransomware attack in 2021. Dylan Reeve was suspicious, so he looked into the claim for IRL.

More than half of Kiwi businesses fell victim to cyber-attacks this year – that was the dramatic title of a press release announcing a new report into cybersecurity in New Zealand.

It’s a huge claim given New Zealand is home to more than 500,000 businesses, and therefore immediately seems questionable. The conclusion was drawn from research conducted on behalf of Aura Information Security, an Australasian IT security consultancy owned by state-owned technology and communications company Kordia.

The headline snippet comes from a detailed report prepared for Aura by customer insights company Perceptive. In a survey of 362 “business IT decision makers” from New Zealand companies with at least 20 staff, 55% answered in the affirmative to the question, “Has your business or organisation been successfully targeted by a ransomware attack in the past 12 months?”

Two thirds of that 55% said they were able to resolve the attack before significant damage was done. 

Puzzlingly, the very same report has 62% of those surveyed saying their business had not “been subject to a cyber attack in the past 12 months”, and only 44% reporting that they’d been subject to an attempted cyber attack – responses that seem distinctly at odds with the 55% who reported a successful ransomware attack. 

Graph excerpts from Aura Information Security’s 2021 cyber security market report.

It’s obviously not realistic to extrapolate that 55% response to all businesses in Aotearoa, as that would equate to more than a quarter of a million ransomware attacks locally in the past year, and the inconsistent answers probably reflect uncertainty, even among business leaders, about how to categorise and communicate about these threats.

The fact is that no one really knows how many businesses have suffered at the hands of cyber attacks, or to what extent. And that highlights the significant challenges faced by businesses, cybersecurity professionals and government in coming to terms with the impact of cybercrime on the country. 

Cert NZ, the government agency charged with understanding and responding to cybersecurity threats faced by New Zealanders, released their most recent quarterly report last week. The report looks at 2,072 incidents reported to Cert between July and September this year and identifies 18 that are categorised as ransomware. The previous two quarterly reports included 30 and 22 ransomware reports, respectively, for a total of 70 incidents across both business and home users in the first nine months of 2022. 

“No one is mandated to report to us,” says Nadia Yousef, incident response manager at Cert NZ, about the nature of their insights. “All of our incident reporting is just from incident reports that come in from the public. It is people reaching out to get advice, or to let us know so they can contribute to our understanding of the landscape.”

Cert NZ incident response manager Nadia Yousef says no one is mandated to report ransomware attacks. (Photo: supplied)

The very nature of cyber attacks, especially ransomware, means that it’s difficult to get a clear idea of the prevalence locally or internationally, because victims are often reluctant to disclose the attack. But it seems apparent by most measures that the risk to businesses continues to increase as businesses become more connected.

A point made in the Aura report, and echoed internationally, is that remote working has significantly increased risk to many businesses. Home computers connected to business networks via VPNs, and other remote working solutions, have dramatically increased the number of ways that attackers can get into corporate networks.

“Almost two years of playing ‘go home, stay home’ and we’ve moved much of our lives online during lockdowns. It’s become a much better attack surface for attackers,” Yousef confirms. 

Neither Aura’s report nor Cert can offer any magic solutions for New Zealand businesses. Instead, they have only warnings about increasing risk and the need for vigilance in the face of a trillion dollar international criminal ecosystem.

“Even though it can sound really scary, and of course the incident volumes that we see are going up, the financial loss numbers are going up, and it can seem very ‘doom and gloom’ — there are some pretty tangible steps we can take to stay in front of [the risks],” says Yousef, of the advice Cert offers to New Zealand businesses and consumers. Long and unique passwords, two factor authentication and keeping software updated are the most useful. 

For some (possibly unknowable) number of businesses the internet will bring pain and frustration at the hands of cybercriminals, but for most it will deliver opportunity, productivity and growth. Thankfully.
