
In today’s digital landscape, cybersecurity threats continue to evolve. They pose
significant risks to individuals and organizations alike. One such threat gaining
prominence is zero-click malware. This insidious form of malware requires no user
interaction. It can silently compromise devices and networks.

One example of this type of attack happened due to a missed call. That’s right, the victim
didn’t even have to answer. This infamous WhatsApp breach occurred in 2019, and a
zero-day exploit enabled it. The missed call triggered a spyware injection into a resource
in the device’s software.

A more recent threat is a new zero-click hack targeting iOS users. This attack initiates
when the user receives a message via iMessage. They don’t even need to interact with
the message for the malicious code to execute. That code allows a total device takeover.

Below, we will delve into what zero-click malware is. We’ll also explore effective strategies
to combat this growing menace.

Understanding Zero-Click Malware

Zero-click malware refers to malicious software that can exploit vulnerabilities in an app
or system with no interaction from the user. This sets it apart from traditional malware,
which requires users to click on a link or download a file.

Zero-click malware operates in the background, often unbeknownst to the victim. It can
infiltrate devices through various attack vectors. These include malicious websites,
compromised networks, or even legitimate applications with security loopholes.

The Dangers of Zero-Click Malware

Zero-click malware presents a significant threat. This is due to its stealthy nature and
ability to bypass security measures. Once it infects a device, it can execute a range of
malicious activities. These include:

  • Data theft
  • Remote control
  • Cryptocurrency mining
  • Spyware
  • Ransomware
  • Turning devices into botnets for launching attacks

This type of malware can affect individuals, businesses, and even critical infrastructure.
Attacks can lead to financial losses, data breaches, and reputational damage.

Fighting Zero-Click Malware

To protect against zero-click malware, it is crucial to adopt a proactive and
multi-layered approach to cybersecurity. Here are some essential strategies to consider:

Keep Software Up to Date

Regularly updating software, including operating systems and applications, and applying
security patches is vital in preventing zero-click malware attacks. Software updates often
contain bug fixes and security enhancements that address the vulnerabilities targeted by
malware developers. Enabling automatic updates can streamline this process
and ensure devices remain protected.

Put in Place Robust Endpoint Protection

Deploying comprehensive endpoint protection solutions can help detect and block
zero-click malware. Use advanced antivirus software, firewalls, and intrusion detection
systems to establish many layers of defense. These solutions should be regularly
updated so that they have the latest threat intelligence and stay ahead of emerging
malware variants.

Educate Users

Human error remains a significant factor in successful malware attacks. A full 88% of data
breaches are the result of human error.

It is crucial to educate users about the risks of zero-click malware and promote good
cybersecurity practices. Encourage strong password management, as well as caution
when opening email attachments or clicking on unfamiliar links. Support regular training
on identifying phishing attempts.

Conduct Regular Vulnerability Assessments

Perform routine vulnerability assessments and security reviews. This
can help identify weaknesses in systems and applications that zero-click malware
could exploit. Address these vulnerabilities promptly through patching or
other remediation measures. These actions can significantly reduce the attack surface.

Uninstall Unneeded Applications

The more applications on a device, the more vulnerabilities it has. Many users download
apps then rarely use them. Yet they remain on their device, vulnerable to an attack. They
are also more likely to lack updates.
Have employees or your IT team remove unneeded apps on all company devices. This
will reduce the potential vulnerabilities to your network.

Only Download Apps from Official App Stores

Be careful where you download apps. You should only download from official app stores.
Even when you do, check the reviews and comments. Malicious apps can sometimes slip
through the security controls before they’re discovered.

Get the Technology Facts from a Trusted Pro

Zero-click malware continues to evolve and pose severe threats to individuals and
organizations. It is crucial to remain vigilant and take proactive steps to combat this
menace. Need help with a layered security solution?
Contact our team at IT Centre here to discuss your cybersecurity needs.


Article used with permission from The Technology Press.

The start of the year is a great time to review your Business Continuity Plan, or if you don’t have one, to take the time to create this highly important document. 

Firstly, what is a Business Continuity Plan?

A business continuity plan (BCP) is a living, breathing document that consists of the critical information an organization needs to continue operating during an unplanned event:

  • A BCP helps in events such as natural disasters and cyber-attacks, or when a key staff member, piece of equipment or data becomes unavailable.
  • BCPs are designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
  • In order for a BCP to remain relevant, it needs to be reviewed at least annually and/or when the business changes.

Why do you need a BCP?

Most businesses rely on mission-critical IT systems. Failure to plan for scenarios where these are unavailable can be devastating. IT Centre can advise on how to ensure critical systems remain operational in the event of a disaster or major problem such as a server or network outage by:

  • allowing timely recovery of critical operations.
  • minimising loss.
  • meeting legal and regulatory requirements.

So, what does your plan need to cover? 

IT Systems Audit

An IT Systems audit is a good place to start. Your IT provider can review your systems to make sure they’re meeting your business objectives, ensure you have a secure operation by creating reference documents, as well as recommending improvements. 

Inventory Audit

This can be done in conjunction with your IT provider. They will do an audit of your existing IT equipment, the date it was installed, and therefore when it is likely to need replacing based on its expected life. 

This Inventory Audit needs to be revised every year for both your BCP and for budgeting purposes.

This list can help you have a clear and actionable plan on existing equipment, when warranties expire, and the requirements for a staggered plan for new hardware, as well as your business plans for growth.

Your BCP should also record the software that you use, as well as information around your antivirus updates.

If you already have an established BCP make sure:

  • It is up to date, and has been tested. 
  • Look at both the best and worst case scenarios. 
  • Understand your risks and apportion the appropriate resources to minimize those risks.
  • Make the plan proactive.
  • Know your suppliers, providers and have updated contact information. 

Ask these questions:

  • Is our BCP still relevant to our business? 
  • Has our business changed and/or grown so much that we need to update the business plan?

To Summarise: 

Most importantly have a plan, revise it, communicate it to your team, know what to do, and who to call. 

If you don’t know where to start, or would like advice, feel free to reach out to us here at IT Centre. For more information, contact us here or visit our page here.

A data breach involves any unauthorized access to confidential, sensitive, or protected information, and it can happen to anyone.

Internationally well-known companies such as Apple, Meta, Twitter, and Samsung have all disclosed cybersecurity attacks this year.

In the most recent quarter, CERT NZ responded to 2,001 incident reports about individuals and businesses from all over New Zealand.

In New Zealand, phishing and credential harvesting remains the most reported incident category (from CERT NZ).

This graph shows the breakdown by incident category for the past quarter in New Zealand.

Australian telecoms company Optus, which has 9.7 million subscribers, suffered a “massive” data breach this year. According to reports, names, dates of birth, phone numbers, and email addresses may have been exposed, while a group of customers may have also had their physical addresses and documents like driving licenses and passport numbers accessed.

IBM found the cost of a breach hit a record high this year, at nearly $4.4 million.

So how does a data breach happen?

Data breaches happen mainly when hackers can exploit user behaviour or technology vulnerabilities.

The threat surface continues to grow exponentially. We are increasingly reliant on digital tools such as smartphones and laptops. With the Internet of Things (IoT), we’re adding even more endpoints that unauthorized users can access.

Popular methods for executing malicious data breaches include:

  • Phishing – emails in which hackers persuade users to hand over access credentials or the data itself.
  • Brute-force attacks – hackers use software and sometimes even hijacked devices to guess password combinations until they get in.
  • Malware – infects the operating system, software, or hardware (often without the user knowing) and steals private data.
  • Disgruntled employees or political hacktivists can also be behind data breaches. However, more often than you would hope, the breach is due to poor cyber hygiene.

How to reduce risk to your business:

Here are some key tips for mitigating risks to your business. If you require help with these, please reach out.

  • Identify what is exposed to the internet: to help mitigate this risk, it’s important to identify what is being exposed to the internet. Your IT Alliance member can help you do this. You can also use scanning tools like Nmap and Nessus to help assess your situation.
  • Only expose what you really need to: Reducing the number of services you use lowers the number of targets that attackers have access to. This is known as reducing your attack surface.
  • Segment your network to stop internet-exposed services from reaching your internal network. If your more vulnerable services get compromised, a segmented network will make it harder for attackers to reach other devices.
  • Patch services and devices exposed on the internet. Having the latest version will fix many of the vulnerabilities known to the vendor, and that means attackers have fewer known vulnerabilities they can use to gain access.
  • Turn on multi-factor authentication (MFA) to add an extra layer of security and help prevent unauthorized access.
  • Use logging and alerting to help monitor devices and services, especially any that may be exposed on the internet. These are potential weak points that attackers may target. This can help notify you of an incident and provide details of what has happened.

Don’t risk data breach damage

Data breaches cause business downtime and can cost your reputation and bottom line. Once you’ve had a data breach and it has been made public, your customers may lose faith in your ability to protect their private information.

A managed services provider can install protection and take precautions against data breaches. Contact our team here to discuss this further.

Why do you need to create a Cyber Security policy for your business?

If you own a business, it is important to have a cyber security policy.  This is not only a guide and reference to be used internally with your employees, but also as a reference point to deal with any external data from customers. 

Your Cyber Security policy should be thought of as a moving, changing entity that will need to be updated regularly to keep up with technological advancements, and any changes within your business. 

What does your Cyber Security policy need to cover?

Firstly no two cyber security policies will be the same. Your Cyber Security policy will be unique to your business, depending on your particular type of business, and what kind of data you deal with. 

The first thing you need to do is to identify the particular risks for your business. If you are an accountant for example, your focus is on how you deal with customers’ personal information, bank details, IRD number etc. 

Once you have worked to clarify your specific risks, you can then prepare for what to do if something goes wrong. Your IT Alliance member has knowledge of a wide variety of industries, and will be able to assist you to clarify what you need to be mindful of. 

Having a clear plan in place, means that everyone in your organisation knows what to do, who is responsible for what, and what processes you have in place to mitigate the risks.  

You will also need to create two cyber security policies. One, an internal one for employees, and the second one is a public one for customers. 

What needs to be included in the Policy?

The information below has been taken from the CERT NZ website.

CERT NZ suggests that you break your internal policy down into different areas.

Data

This should cover how you handle data safely and securely — both your business’s data and your customers’. Think about:

  • how much to collect
  • where you’ll store it (locally or in the cloud)
  • how to protect it, for example keeping data at-rest (when stored) and in-transit (when communicating) encrypted
  • how often you’ll back it up, and who’s responsible for doing backups.

Systems

It’s important to identify what systems you have, and which ones are critical to your work. Consider:

  • setting some rules around updating, or patching, your systems — how to make sure they’re done regularly and who’s responsible for making sure it happens
  • what systems your staff can use, including any cloud applications or software running inside your business’s network
  • how much access your staff need to your systems. You should make sure your staff only have the minimum level of access in each system they need to do their job. This is what’s called the ‘principle of least privilege’.

Security and protection

Security and protection covers how your staff and customers access your systems and data. It means thinking about:

  • how they can access your systems. For example, your staff may want to work remotely. They should do this by using secure tools, like VPN with 2FA.
  • how they authenticate themselves on your system. This includes your password policy and use of two-factor authentication
  • what devices your staff can use at work. This covers whether staff can use personal devices for work, or if you’ll provide devices to them.

People and users

You need to think about what you consider to be acceptable use of your business’s systems. How do you expect your staff and your customers to interact with them? Make sure you set expectations so they know:

  • what their responsibilities are
  • what kind of things they should report to you
  • how you expect them to take ownership of their accounts and their devices.

Physical devices and systems

When you think about protecting your business’s devices and systems, make sure you cover both:

  • protection against loss — if something is stolen, and
  • protection against the environment — for example, if your business is flooded during a storm and your devices are water damaged.

You can set rules around how your staff can protect their devices against theft by defining guidelines for their use. As an example, you could have all staff protect their devices by:

  • having strong passwords on them
  • using device encryption
  • setting rules for them about use outside the office.

Problems and incidents

You’ll need to define what you and your team will do when things go wrong. This means creating an incident response plan to map out what you’ll do during, and after, a security incident. It can be a stressful time for both you and your staff, so it’s good to be prepared in advance.

What next?

We can help you in creating a Cyber Security policy for your business. Reach out to our team here to discuss this further.

What should I be doing to secure my business? 

One of the first things about Security is realizing that security is much more than stopping people “hacking in”. 

It is fundamental to any business to have a business continuity plan (BCP). If you plan for a power outage what happens? Your IT systems will be down.  

Can I use the same plan if an outage occurs to my IT systems and it’s not a power problem?  

Security is the foundation of resilience. 

The hardest part about security is getting started. Often, it’s on the “to do list” until it’s too late.  

Hopefully you have already talked to your IT Alliance partner and had the security business continuity conversation.

If not, “What should I do first?” is a common question. Rather than recommend one single thing, the answer should be – “Have a plan”  

So, what does your plan need to cover? 

  • Firstly, look at any existing business continuity plan. Is it up to date? Has it been tested? 
  • Look at not just the worst case but also the best case and know that when an incident occurs it will lie somewhere in
  • Most importantly have a plan, know what to do and who to call. 
  • Understand your risks and apportion the appropriate resources to minimize those risks.
  • Make the plan proactive. Be a fence at the top of the cliff and don’t rely on an ambulance at the bottom. 
  • Prevent rather than recover.
  • Inventory is a crucial starting point of any plan. What equipment do you have? What software do you have? What data do you have?
  • Then look at where the biggest risks are. Is there a single point of failure?

Look at your plan as being a holistic business continuity plan, that is a living document. Continually revisit, update, fire drill, and improve.  

Many of the incidents we see disrupt business are due to poor Cyber hygiene not some advanced nation state hack.  

Do the following to enhance your security: 

  1. Keep the software for your devices and applications up to date.
  2. Access? How do I verify my user is in fact who I think they are? Is MFA (Multi factor authentication) on!!!
  3. What information do I have? Where is it stored? Who has access?
  4. What are my essential services?
  5. What are the financial implications of these risks?
  6. What are my obligations to customers, employees, and shareholders?
  7. If I was breached, how would I know and when?
  8. Am I running Microsoft 365 Business Premium?

Can my staff trust that the Cyber workplace is as safe and secure as possible? If it is, you will see productivity and creativity flourish, staff retention rises as well as the ability to recruit new staff. 

“She’ll be right” –  Is not a plan! “No surprises” is a plan. 

For further advice, contact your local IT Alliance member to discuss creating a plan for your business.  

By Paul Caldwell – Microsoft Security BDM 

Cyber Security is a very real issue for businesses in New Zealand these days. Here we look at Cyber Insurance, what it is, what the laws are, and why you need it.

Why do you need Cyber Insurance?

Cyber attacks on businesses in New Zealand are increasing in both sophistication and frequency. High profile companies like Air New Zealand partner Travelex, Fisher & Paykel Appliances, Garmin, Canon, Honda, BlueScope Steel, Lion, transport giant Toll Group, Twitter, MetService and most recently even the NZX, are just some of the organisations to have been targeted by cyber criminals. However, it is not just the big companies; many small businesses are also being targeted. It really is a matter of ‘when not if’.

What is Cyber insurance?

Cyber insurance is designed to fill the gap that traditional insurance policies don’t cover, minimising the impact of cyber incidents by providing cover for your own loss and third party costs. It provides your business with a structured crisis response plan and assists with returning to ‘business as usual’.

  1. Won’t my general liability policy cover cyber liability?

General liability insurance covers bodily injuries and property damage resulting from your products, services or operations. Cyber insurance is often excluded from a general liability policy.

It pays to check your current policies and ask questions. You may find that your other business cover won’t respond to a cyber or data breach claim.

  2. The law has changed

The new Privacy Act 2020 which came into effect on 1 December 2020 means that all businesses now have legal requirements surrounding

The new Act requires mandatory data breach reporting if it’s reasonable to believe that the breach would cause serious harm to an individual. For example: If you’re engaging with a service provider to hold your clients’ personal data, for example a cloud-based CRM system, you remain responsible for the security and use of that personal information. If a Cyber breach were to occur, you would be held liable.

What does Cyber Insurance cover?

Ensuring business continuity and safeguarding your business from Business Interruption will enable you to return to the same financial position you were in before a Cyber event.

The benefits of Cyber Insurance will depend on the type of policy you take out but can include:

  • Access to a dedicated and experienced team of experts if an attack occurs
  • Protection from loss where you are legally liable to others
  • Cover for your financial loss if your business is interrupted due to a Cyber event.

Things to look out for in your Cyber Insurance policy:

  • Business Interruption: Look for a policy that covers the costs of any business interruption as you can lose time and money trying to get your business back up and running after a cyber attack.
  • Hacker Theft Cover: A plan that covers compensation for loss incurred, including theft or destruction of stored data, hardware, or cyber extortion from employees.
  • Restoration costs: Compensation for expenses incurred to research, replace, restore, or recollect digital assets during the period of restoration.
  • Public Relations: Reimbursement for any costs involved with public relations.
  • Network Extortion: Indemnity for the amount paid to avoid, defend, preclude or resolve a network extortion attempt
  • Data Forensic Expenses: Costs incurred to investigate, examine and analyse a computer network
  • Third-Party Liability: Indemnity for the sums claimed and incurred defending claims in relation to alleged privacy breaches, network security wrongful acts or media and social media wrongful acts.

What is the likely cost of Cyber Insurance?

Like most insurance, premiums vary by insurer, the type of cover selected and your risk profile. As an estimate a policy with $100,000 cover could cost as little as $600 per annum.

All businesses need a security plan to protect their business and they should consider a Cyber Insurance policy as an essential part of this plan.

Top tips to avoid cyber security threats:

CERT NZ has a number of useful and practical resources for businesses on keeping systems and data safe from cyber security attacks, including cyber security risk assessments for business, cyber security awareness for staff, phishing scams and your business and protecting your business online.

CERT NZ offers the following tips for simple, practical steps for businesses.

  1. Install software updates
  2. Implement two-factor authentication (2FA)
  3. Back up your data
  4. Set up logs
  5. Create a plan for when things go wrong
  6. Update your default credentials
  7. Choose the right cloud services for your business
  8. Only collect the data you really need
  9. Secure your devices
  10. Secure your network
  11. Manually check financial details


Cyber Security is a very real issue facing business owners these days. If you would like to discuss your individual needs, we provide advice to business owners and security assessments to ensure that your business has the best protection.

Please feel free to reach out to us here.