This quarter, CERT NZ received 2,610 incident reports about individuals and businesses from all over New Zealand. This report shares examples of the incidents and advice on how to best protect against them.
There are two parts to the report:
- A Highlights Report focusing on selected cyber security incidents and issues.
- A Data Landscape Report providing a standardised set of results and graphs for the quarter.
The average number of incident reports per quarter is 1,295 and average direct financial loss is $3.6 million.
Number of incident reports by quarter
A total of 2,610 incidents reports were received in Q3, a 33% increase from Q2.
Breakdown by incident category
Phishing and credential harvesting remains the most reported incident category.
The top three reported incident categories in Q3 2020 were:
- phishing and credential harvesting with 1,064 reports
- malware with 886 reports
- unauthorised access with 110 reports.
Focus area: Distributed Denial of Service (DDoS) attacks impact Kiwi businesses
This year a number of DDoS attacks have impacted both high profile organisations and small business around the country. These attacks are malicious attempts to overload an organisations online systems and take their operations offline
Defending your organisation against DDoS attacks
Like many cyber incidents, there isn’t a one-size fits all approach to defending against a DDoS attack. That’s why it’s important to have the right defences in place.
Protecting New Zealand from DDoS attacks
As part of CERT NZ’s role in building New Zealand’s cyber resilience, we’re working to help reduce the amount of insecure systems in the country. That’s why we’re reaching out to ISPs to alert network owners of systems that can potentially be exploited by an attacker to cause a DDoS.
In Q3, malware reports increased by 34% making it the second highest incident category.
Malware is malicious software often spread through email attachments or links with the goal of infecting the recipient’s computer systems.
Protect from Emotet
To help prevent an Emotet infection, CERT NZ recommends:
- Keeping anti-virus software up-to-date.
- If you are unsure that an attachment is legitimate, contact the sender via phone or text to confirm.
- Reporting any suspicious emails to CERT NZ
In September, CERT NZ issued an advisory about Emotet. It includes information on protections as well as steps to take if you or your organisation has been affected.
Insight: Business email compromise
New Zealanders report close to a million dollars in losses
Business email compromise is one of the most common types of unauthorised access reported to CERT NZ. Our quarter three data shows this type of attack is increasing, with 27 reports of business email compromise, up 101% from quarter two, and $944,000 in direct financial loss.
Case study: Attacker intercepts business invoice
This quarter CERT NZ received a report from a business in the wholesale trade sector after an email account had been compromised.
Update: Changes to the Privacy Act 2020 and vulnerable databases
The new Privacy Act 2020 comes into effect on 1 December 2020. These changes include the introduction of a privacy breach notification regime.
What this means for businesses and organisations
If a business or an organisation experiences a data breach where private information is lost or stolen, and believes this could result in serious harm, it is required to notify the Office of the Privacy Commissioner (OPC) and affected individuals as soon as possible.
Vulnerable databases and keeping your customer information safe
Unfortunately data breaches do happen, but the good news is there are measures you can take to help prevent an incident and keep your customers' information and data secure.