National Computer Emergency Response Team (CERT) NZ director Rob Pope admits the findings of its latest report, that New Zealanders lost $14 million to cyber security attacks in 2018, is just the tip of the iceberg.
CERT's latest quarterly report shows it received the highest number of incidents reported in a single quarter since it began issuing quarterly reports in August 2017. CERT received over 1,300 cyber security issues between October and December last year from businesses and individuals around the country.
In the last quarter of 2018 New Zealanders reported losses of over $5.9 million, bringing the total financial loss reported to more than $14 million in 2018. Reports increased by more than 60% from the third quarter across every region in New Zealand, except Auckland, which saw an increase of 47%.
But CERT director Rob Pope says the true scale of the problem is no doubt much larger.
“We know that the data we have is just the tip of the iceberg, and we encourage more people to report to us so they can get the help they need to recover and we can get more information about how the cyber threat landscape is affecting New Zealand,” Pope says.
He admits it isn’t easy quantifying the true size of the problem.
“The challenge of understanding the scale of unreported incidents is a global issue. But the reports we’ve received this quarter show that these incidents are not only causing financial impact, they’re also affecting people’s confidence online. For instance, scam reports have spiked in quarter four, with a significant increase in email extortion scams,” Pope says.
“This is where attackers email a seemingly legitimate threat and demand urgent payment to revoke it – examples we’ve seen include bomb threat emails sent to businesses through to threats of sharing embarrassing images.
“Whether you’re an employee in a large company or checking your personal emails at home, receiving an extortion email can be a frightening experience. Even though it’s highly unlikely these threats would be realised, they can discourage people from participating in the online environment.”
Netsafe CEO Martin Cocker says the figures in the CERT report aren’t surprising. The organisation is an independent, non-profit group which provides New Zealanders with information and support about online safety.
“CERT NZ is only a couple of years old and as it becomes more well-known they will see their reported numbers go up and up,” Cocker says.
He says there’s always going to be a difference between the number of businesses and people who experience cyber security issues and the number who report it.
But Cocker says Netsafe, like CERT NZ, it is also seeing higher numbers of people reporting such problems.
“It’s not to say the internet is less safe,” Cocker says.
He says it just that people are now more aware of who to contact if they are the victim of a cyber security attack.
“When you see that CERT NZ has received five times the number of cases, a lot of that is just their growth,” Cocker says.
He agrees with Pope that quantifying the true cost of cyber security is difficult.
“What CERT NZ can report, and Netsafe is the same, is directly reported cases. But the actual cost of cyber security in New Zealand will be a magnitude higher than that. And I don’t think there’s any doubt that the true cost would be in the hundreds of millions.”
Cocker says the CERT report does highlight the growth in scams. He refers to the sexploitation scam which was a widespread cyber security issue last year.
People received an email that claimed their computer had been hacked and that the scammer has recorded them using a porn website. The email would demand that they send a payment (often in bitcoin) to the scammer, or they will send the recording to the victim’s personal contacts which they claim to have access to. But Cocker says despite the number of victims that were targeted it often failed.
“I don’t think it was very successful because most of the people targeted didn’t know how to pay in bitcoin.”
Also see our series on the Commission for Financial Capability's Little Black Book of Scams here.