Small businesses are not exempt from cyber-attacks, internet watchdog says.
An internet watchdog has reminded small businesses they are not exempt from cyber-attacks, after a law firm in Napier was hit in January.
Langley Twigg Law said it was hit by a cyber attack affecting internal information about the firm as well as client documents on 11 January.
The firm said it was working with digital forensics and cyber specialists over the attack.
Netsafe’s chief online safety officer Sean Lyons said the attacks were not always targeted and could be random.
“It can happen in two ways, it can absolutely be targeted, somebody could decide that a particular entity is holding information that they want.”
Lyons said many of the attacks occurred when a hacker found out a method or a mechanism they could breach and then took a scatter-gun approach to try and find places that were vulnerable.
“That might be sending out emails with fake invoices or attachments, it might be sending other messages, it might be getting them to click on pages on compromised websites.”
Lyons said once a hacker was in, their criminal intent took over.
“Once they are in they will be trying to find out just about everything about that organisation and see what’s of value in there, that they can take to either sell or exploit the original owners of that information to blackmail them into giving them money.”
He said it was often harder for small businesses to keep protected, as bigger organisations often had their own cyber-security departments.
“For smaller businesses, it is being aware that these things can happen, that the data they store is of value to other people.
“Some people might think what could be the value, why could I be a target, but like I said, people aren’t always initially a target, but the information that is in there could be of value to somebody, and blackmailing organisations might be a good way for a criminal to make money,” he said.
The attack came not long after the Law Society sent out advice to its members on how best to manage cyber-attacks and how to keep safe.
Chief executive Katie Rusbatch said attacks among the sector were becoming more common.
“We’ve seen this on the rise recently and we have identified a need for some guidance and training in this particular area and that’s been a focus for us.
“So really in terms of the guidance that we’ve shared, it’s focusing on how these things like cyber attacks can happen, what those common threats to law firms are, whether that’s things like e-mail compromise or phishing and things like that.
“And then some also some guidance that law firms and lawyers can take to minimise the risk and create an environment for stronger security.
“So providing some really practical guidance in that space so that lawyers can be prepared and also create a culture where they have an awareness of what those risks are.”
Practical steps available
Rusbatch said there were simple things firms could do to keep safe.
“So things like secure access and authentication, there is a lot talked about now about multi-factor authentication for things like emails, trust account systems that law firms might have, keeping systems up to date, so regularly applying software and security updates.
“Training, testing your people, so really making sure that staff have an awareness of phishing and safe e-mail practices and running through some tests in that regard so that people are able to see how they respond if there might be a phishing e-mail.
“So really creating awareness with your staff and then planning for incidents as well, if something does happen, making sure that you have an incident response plan that you know who to contact that who the cyber specialists are that you might need to contact.
“And then other things that backup and recover systems, making sure you have backups offline and the secure cloud and that sort of thing as well,” she said.
The Office of the Privacy Commissioner confirmed Langley Twigg Law had been in touch about the incident.
“We will continue to work with them as they further investigate this incident, including ensuring they are aware of their legal obligations in relation to a privacy breach that either has caused or is likely to cause anyone serious harm.
“We would expect Langley Twigg to provide any further detail they would want to share in relation to this,” a statement said.
The police said they were also investigating.
The attack came about a month after a major breach of patient health information portal ManageMyHealth.
The service connected patients with clinicians and allowed people to access their medical records.