25 July 2018
On Friday, after an email to Bay of Plenty District Health Board staff was uncovered by Newshub, it was reported that Bay of Plenty DHB was being hammered with 10 cyber attacks a second, or 864,000 a day. That sounds pretty scary. But what does it mean? It is important that when we talk about cyber security we are careful about the language we use, and avoid amplifying FUD (Fear, Uncertainty and Doubt).
Let's unpick this story a wee bit shall we?
What do we mean when we say "cyberattack"?
The DHB told staff in an internal email that it is being hit with 3-10 cyberattacks a second. Cyberattack is a loaded term that probably misrepresents what's actually happening. When we hear cyberattack, it conjures an image of a person, or group of people, choosing to target and attack us, instead of someone else.
For the majority of cybersecurity incidents or events, that's not the case. Far more often your computer, phone or network is:
- being scanned by a botnet to see if your new router or laptop can be compromised and added to the botnet
- being scanned by non-malicious automated tools that measure how many internet-connected devices have uncommon ports open or are still running unpatched software that could be used for crime
- the target of an indiscriminate attack aimed at all Windows machines, or at all computers that share some other technical detail
- the target of a denial of service attack
- receiving email-based phishing and scams (in this case, is one phishing email sent to all staff counted as a single "attack", or as 3,300 "attacks"?)
- the target of a genuine attack by people deliberately going after the victim organisation (in this case, Bay of Plenty DHB) to copy, destroy or modify its information.
So it's highly unlikely that Bay of Plenty DHB is facing 10 actual attacks a second. What is also missing is whether this figure is higher than, or similar to, what other DHBs see.
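To show how much the counting method matters, here is an added example (not from the original post, Newshub or the DHB) that runs a small classifier over constructed log lines in a made-up pipe-separated format; the IP addresses, mail domains and account names are placeholders. Counting every line gives the headline-style figure; grouping the same events by scanning source, phishing campaign or the source trying staff accounts gives a very different picture, and only the last group looks like someone going after this organisation in particular.

```python
from collections import defaultdict

# Constructed sample log for illustration only (not real DHB data).
# Each line is: timestamp|event|source|field1|field2
#   fw_deny   : firewall dropped a connection; field1 = destination port
#   smtp_in   : inbound email; source = sender, field1 = subject, field2 = recipient
#   auth_fail : failed login; field1 = account tried, field2 = service
SAMPLE_LOG = """\
2018-07-20T16:30:00|fw_deny|198.51.100.7|tcp/23|
2018-07-20T16:30:00|fw_deny|198.51.100.7|tcp/2323|
2018-07-20T16:30:01|fw_deny|198.51.100.7|tcp/445|
2018-07-20T16:30:01|fw_deny|203.0.113.44|tcp/445|
2018-07-20T16:30:01|fw_deny|203.0.113.44|tcp/3389|
2018-07-20T16:30:02|fw_deny|192.0.2.99|tcp/22|
2018-07-20T16:30:02|fw_deny|192.0.2.99|tcp/80|
2018-07-20T16:30:02|fw_deny|192.0.2.99|tcp/443|
2018-07-20T16:30:05|smtp_in|mailer@example.net|Urgent: payroll update|alice@dhb.example
2018-07-20T16:30:05|smtp_in|mailer@example.net|Urgent: payroll update|bob@dhb.example
2018-07-20T16:30:05|smtp_in|mailer@example.net|Urgent: payroll update|carol@dhb.example
2018-07-20T16:30:06|smtp_in|mailer@example.net|Urgent: payroll update|dave@dhb.example
2018-07-20T16:30:09|auth_fail|198.51.100.200|alice|vpn
2018-07-20T16:30:10|auth_fail|198.51.100.200|bob|vpn
2018-07-20T16:30:11|auth_fail|198.51.100.200|carol|vpn
"""


def parse(log_text):
    """Split the pipe-separated lines into event dicts, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, src, f1, f2 = line.split("|", 4)
        events.append({"ts": ts, "kind": kind, "src": src, "f1": f1, "f2": f2})
    return events


def naive_attack_count(events):
    """The headline method: every logged event is one 'cyberattack'."""
    return len(events)


def summarise(events):
    """Group events into the categories listed above.

    Port probes are grouped by scanning source, phishing by (sender, subject)
    campaign, and failed logins by the source trying the accounts.
    """
    scanners = defaultdict(set)       # source IP -> ports probed
    campaigns = defaultdict(set)      # (sender, subject) -> recipients
    cred_attempts = defaultdict(set)  # source IP -> accounts tried
    for e in events:
        if e["kind"] == "fw_deny":
            scanners[e["src"]].add(e["f1"])
        elif e["kind"] == "smtp_in":
            campaigns[(e["src"], e["f1"])].add(e["f2"])
        elif e["kind"] == "auth_fail":
            cred_attempts[e["src"]].add(e["f1"])
    targeted_accounts = set()
    for accounts in cred_attempts.values():
        targeted_accounts |= accounts
    return {
        "scanning_sources": len(scanners),
        "phishing_campaigns": len(campaigns),
        "phishing_emails": sum(len(r) for r in campaigns.values()),
        "credential_attack_sources": len(cred_attempts),
        "accounts_targeted": len(targeted_accounts),
    }


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("naive 'attacks':", naive_attack_count(evts))
    for key, value in summarise(evts).items():
        print(f"{key}: {value}")
```

On this constructed data the naive count is 15 "attacks", while the grouped view is three scanning sources, one phishing campaign (four emails) and one source trying three staff accounts. Which of those numbers gets quoted to the press is a choice, not a measurement.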
To put this number of attacks into perspective, CERT NZ received 500 reports of cyber security incidents between January and March of this year, with businesses and individuals reporting losses of over $3 million. That figure does not capture the time lost remedying the problem, the damage to brand value or the information lost.
Staff awareness training will never work 100% of the time
Training your staff so they know what phishing is, how to spot it and how to report it to your security team is an important part of basic cybersecurity hygiene. But it will never work 100% of the time. It'll be 4.30pm on a Friday, or someone will be tired and make a mistake, or the phishers will just do a really good job.
Two factor authentication stops phishers in their tracks: https://internetnz.nz/2factor
When the CEO of BoP DHB says it's disappointing that 100 of her staff fell for a phishing test, I'm a bit perplexed. For context, that's 3% of her staff. If 97% of your employees are not falling for phishing emails, I'd suggest you are doing very well. Training cannot reliably save you from phishing attacks that seek to harvest your staff's credentials. But two factor authentication can mean that an attacker who has a staff member's username and password still can't get in. The stronger forms, such as a hardware security key, also hold up against "real-time" phishing sites that relay a one-time code the moment the victim types it; a six-digit code on its own is only good for a short window.
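As an added example (not from the original post or the linked InternetNZ page), here is the mechanics of that claim in Python: a password check on its own, and the same check gated by a time-based one-time code (RFC 6238 TOTP, the scheme behind common authenticator apps). The user, password and seed are constructed for the demo; the seed is the RFC 6238 reference seed. A phished password passes the first check and fails the second unless the attacker also holds a code that is valid right now.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

TOTP_STEP = 30  # seconds per code, the RFC 6238 default

# Constructed demo user store (hypothetical user and credentials).
# The TOTP seed is the RFC 6238 reference seed "12345678901234567890";
# a real one is generated randomly and provisioned to the authenticator app.
# SHA-256 of the password is used here for brevity only; production systems
# should use a slow, salted password hash such as bcrypt, scrypt or Argon2.
USERS = {
    "j.smith": {
        "password_hash": hashlib.sha256(b"Winter2018!").hexdigest(),
        "totp_secret": b"12345678901234567890",
    }
}


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, then
    RFC 4226 dynamic truncation to a zero-padded decimal code."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def check_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(rec["password_hash"], candidate)


def login_password_only(user: str, password: str) -> bool:
    """Single-factor login: a phished password is all an attacker needs."""
    return check_password(user, password)


def login_with_totp(user: str, password: str, code: str,
                    now: Optional[int] = None, skew: int = 1) -> bool:
    """Two-factor login: the password AND a code for the current time step
    (plus `skew` adjacent steps either side, to tolerate clock drift)."""
    if not check_password(user, password):
        return False
    now = int(time.time()) if now is None else now
    secret = USERS[user]["totp_secret"]
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, now + delta * TOTP_STEP), code):
            return True
    return False


if __name__ == "__main__":
    phished_password = "Winter2018!"
    print("password only  :", login_password_only("j.smith", phished_password))
    print("password + 2FA :", login_with_totp("j.smith", phished_password, "000000"))
```

At the RFC 6238 reference time of 59 seconds the seed above yields the code 287082, so a login with the phished password and that code succeeds at that moment but is rejected two minutes later, once the code's window has passed. That expiry is also the limit of what a one-time code gives you: a phishing page that forwards the code within its window still gets in, which is why origin-bound hardware keys are the stronger option.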
As an example of how good phishing can be, here is a great thread of tweets about how sophisticated and genuine-looking the spear-phishing that targeted John Podesta (chair of Hillary Clinton's 2016 US presidential campaign) was.
Why is healthcare a target?
Yes, personal records could be useful.
But the real reason healthcare is targeted is ransomware. If a criminal group manages to cryptolocker your laptop and tries to extort $500 worth of bitcoin from you, that's distressing and annoying. When they lock up all of a hospital's computers, along with the computer-run medical devices such as insulin pumps, MRIs, CAT scanners and monitoring equipment, it's a much more serious issue.
As pointed out in the Newshub article, last year's WannaCry and NotPetya attacks (attributed by a number of governments to North Korea and Russia respectively; NotPetya was dressed up as ransomware but was in practice a destructive wiper, since paying did not get victims their files back) showed just how damaging a ransomware attack in the health sector could be.
If the Bay of Plenty DHB is being uniquely targeted by cyber attackers, this is a serious issue and the DHB should be working with CERT NZ and other cybersecurity experts on proactively defending itself and equipping its staff. A secure, protected health system is in everybody's interests.
It is good to see that the media is reporting on the nature of cybersecurity threats and vulnerabilities that New Zealand is facing. We may be a small, remote country but that does not make us immune to international cyber threats. InternetNZ wants to see the literacy around cybersecurity increase among New Zealanders so we are equipped to understand the scale and nature of what is ahead.
In a report just released by Microsoft and Frost & Sullivan, small businesses report that cybersecurity fears are holding them back.
- 36% of the New Zealand organisations surveyed had experienced a cybersecurity incident
- 43% of New Zealand respondents say they have put off digital transformation because they are worried about cyber risks
We need to help businesses develop a proportional response to cybersecurity threats, and to build confidence in digital transformation. CERT NZ has great resources about simple cybersecurity practices that businesses can easily deploy to curb many types of cyber threat.