Cyber-attacks – a very real threat

Cyber-attacks are arguably one of the most misunderstood risks facing businesses today. Yet as digital operations become the norm, our little geographic corner of the world has increasingly come under fire from opportunistic cybercriminals.

The Kordia Business Cyber Security Report 2024* surveyed business leaders from some of New Zealand’s largest businesses and found 80% of them had suffered some form of cyber-attack or incident in the past 12 months. Of those businesses, over a third (36%) said their operations were disrupted and a further 29% reported personal data was stolen or accessed. And it’s not only big businesses being targeted. Figures from a recent study by MasterCard found that up to 132,000 small businesses in New Zealand have faced cybersecurity issues.

One of the most common types of attacks we see leveraged against businesses of all sizes is phishing. This is where a cybercriminal will attempt to gain access to your network by sending you an email loaded with a malicious link, or an attachment concealing malware. If you or one of your employees clicks on these emails, you may compromise your entire business. Phishing emails are a long-standing tactic, but scammers are getting better at making these more convincing. The use of AI is making it even harder for the security-conscious end user. They’ll pose as legitimate senders – government organisations, customers or even your bank – and they’ll elicit a sense of urgency, fear, or greed to encourage you to react quickly without thinking too much. Similarly, ‘smishing’ (using SMS instead of email as the phishing channel) is on the rise, trying to catch you unaware while on your phone.

The other critical area of concern is legacy systems. Often, we see eyecare professionals using outdated software or older systems that are fraught with security flaws and vulnerabilities. Cybercriminals are very adept at poking around your IT infrastructure to find gaps and use AI constantly to scan the boundary of your organisation, searching for known weaknesses. Once they get a foothold through an incongruous backdoor, it doesn’t take long to wreak havoc.

Eyecare industry a target

Cybercriminals are generally motivated by one thing – money. If they can breach your business, they’ll be immediately looking to see what they can leverage to blackmail you into paying them.

Personal data can be sold on the dark web, which makes it an attractive asset to steal. We saw this recently in a breach involving a group of ophthalmology practices in the US. The 12 practices shared an IT management system which was hacked, compromising the personal details of more than 2.35 million individuals. Operational disruption is also being used by hackers to extort businesses, as seen in a recent case involving a Singaporean optometry clinic. A cybercriminal installed ransomware on the clinic's server, encrypting it and refusing to unlock systems unless a ransom demand was paid. Fortunately, the clinic was able to continue to operate as many key systems and data were stored in a separate, unaffected location. However, they would have had to spend considerable time and money restoring their systems securely, using an IT provider to conduct a thorough check of the clinic's system, reformatting servers and running scans on all computer terminals to ensure the malware was completely expelled.

Attackers have even taken to threatening individuals whose data was stolen directly. The 2020 Vastaamo incident demonstrates this willingness. After the Finnish psychotherapy centre suffered a data breach, the hackers blackmailed patients directly, threatening to release sensitive personal and medical information unless they paid up.

Mitigating the risk

What should business leaders in the eyecare sector be doing to address cyber-attacks? Here are four fundamental ways to improve cyber security:

1. Begin a risk-based assessment

Cyber security is no longer an IT or operational issue – it requires good governance to ensure it’s aligned with the overall business strategy and initiatives have the right level of focus and resources. Taking a risk-based approach is a good way to address this and will allow you to factor in the operational, reputation and financial implications of a major cyber incident.

2. Get to grips with where your data is stored

Health businesses, including those in the eyecare sector, collect a lot of personal data on patients. But often when we work with these types of business on cyber security initiatives, it becomes clear that this data is often stored in multiple systems and locations and is rarely updated or reviewed. The first step to protecting your data is ensuring you have a good understanding of what it encompasses and where it is stored.

3. Train your people

People can be your strongest defence, or your weakest link. Many cyber incidents begin in a staff member’s inbox with phishing emails. Empowering your people to spot and appropriately manage these types of opportunistic attempts to breach your business will help you immensely.

4. Scrutinise your legacy systems, or call in a professional

Is your IT system out of date or harbouring a security vulnerability? Taking a proper review of your systems and ensuring it is secure enough to prevent any unauthorised access is a good idea before a cybercriminal takes advantage. While regular patching of software is important, a lot of bespoke or legacy systems aren’t easily upgraded. Minimising access to the wider network from these vulnerable machines, by segmenting them in their own special zone, restricts the reach of attackers who can compromise them.

As principal consultant for Kordia’s specialist cyber security division Aura Information Security, Alastair Miller’s experience spans more than two decades in information security across enterprise and government. Contact Alastair on [email protected]