A cyber attack is a "matter of when, not if", with a global average of between 100 and 250 attacks per second, a new report says.
Kordia's annual Cyber Security Report indicated New Zealand businesses were often unprepared to adequately respond to a cyber attack, with many under-reporting incidents, as well as ransom payments made to recover stolen data.
While 10 percent of NZ businesses said they had paid a ransom demand over the past year, that statistic was out of line with the global average of between 50 and 60 percent, which indicated the actual rate of company ransom payouts was much higher than one in 10.
"Data from Payments NZ suggests almost $200 million was lost by New Zealanders to scams in the 12 months to September 2024 - a number some industry figures have suggested may be much higher due to under reporting," the report said.
Kordia incident response and digital forensics practice lead Conan Bradley said businesses needed to plan and practise their response to an inevitable cyber attack, with a focus on training and practice drills.
"It's going to happen. Be prepared and prepare now. Don't wait. It's a matter of when. It's not a matter of if," Bradley said.
Small and medium-sized businesses were found to be more vulnerable than big organisations when it came to a cyber crime, given their limited resources.
But Bradley said there was still an opportunity to manage the risk.
"Don't prepare tomorrow," Bradley said, adding that a good defence could be achieved with simple training, such as tabletop exercises to help speed up the response to an attack, when time was critical.
"No matter what you do... there is always a degree of risk involved.
"(With) eyes and ears on what that particular risk could be... we can manage and mitigate something when it comes up."
The report pointed to identity theft as the most common type of cyber crime, as it was often the easiest to crack.
"The vast majority of security incidents involve an adversary accessing a legitimate account, where credentials have been exposed through a data breach or phishing attack," the report said, adding that these types of attacks were likely to increase alongside advances in AI.
"Where possible, companies should prefer the zero trust principle of 'never trust, always verify' and require every user access-request to be explicitly authenticated and given least privilege."
Advances in quantum computers were also an increasing risk, with the ability to break the encryption currently used to protect electronic communications forecast to be possible by 2030.
"While this may seem like tomorrow's problem, some researchers and experts are already assessing what impacts this step change in technology might have on current cyber security and data protection measures," the report said, adding businesses should get ready and put a three-year response plan in place.
"New Zealand organisations, particularly those in industries such as critical infrastructure, finance and health should be formulating a risk-based approach to prepare for the advent of quantum," it said.
In the meantime, Bradley said firms could not rely on AI-generated cyber protection to keep critical data and systems safe.
"We still need the human-deciding factor."