Accessible News

Top storiesNew ZealandPoliticsBusinessEntertainmentSportsWorld

National Cyber Security Centre reports jump in incidents but fall in financial losses to scams

Most incident categories had increased, including an 80% jump in unauthorised access, which the National Cyber Security Centre's Michael Jagusch called
Most incident categories had increased, including an 80% jump in unauthorised access, which the National Cyber Security Centre's Michael Jagusch called "a worrying trend". Graphic / Herald.

A new report from cyber security officials found a jump in incidents but a fall in financial losses for the third quarter.

“We’ve seen an increase in most incident categories, including an 80% jump in unauthorised access, which is a worrying trend,” the National Cyber Security Centre’s (NCSC) Michael Jagusch said.

“Unauthorised access means the attackers are inside your systems or accounts and are potentially stealing information, moving your money around or even preparing for a larger and more devastating attack,” Jagusch said.

Phishing was the biggest incident category, accounting for almost half of all reports in the third quarter.

“It is also the most common way for cyber criminals to gain access to your systems,” the cyber security officials added in the Cyber Security Insights third-quarter report.

In key findings from the report:

The total financial losses reported to Cert NZ were below those found by a Ministry of Business, Innovation and Employment (MBIE) survey on digital scams related to banks.

That survey drew on data supplied directly by ASB, ANZ, BNZ, Kiwibank, Westpac and others and found $198m in losses in 2023.

A Netsafe-Global Anti-Scam Alliance (GASA) survey of 1857 New Zealanders that extrapolated estimated total losses from digital scams at $2.3 billion for the year to August 2024.

Former Cert NZ director Rob Pope (now WorkSafe inspectorate head) conceded his organisation’s figures were just the “tip of the iceberg” due to sheepishness about reporting being scammed and relatively low public awareness of the option to report a scam to his agency.

The Netsafe-GASA survey found many members of the public confused about where to report cyber-incidents – and they could be forgiven for not being able to keep up with recent changes.

Cert NZ – the Computer Emergency Response Team – was created by Sir John Key’s Government in 2016 as a “triage” unit to point small businesses and individuals to the right technical and law enforcement support after suffering a cyber attack.

In the final months of the last Government, GCSB Minister Andrew Little announced that Cert NZ would be folded into the spy agency’s National Cyber Security Centre.

The integration was recently completed, with Pope’s position as Cert NZ director not replaced. The operation is now under NCSC director of mission enablement Michael Jagusch.

The Cert NZ brand will be phased out, the NCSC told the Herald (for the time being, reports have NCSC-Cert NZ co-branding).

The Cert NZ reporting website will remain under its current livery, for the time being, but the Cert NZ “Own Your Online” tips website has (keep up) already been rebranded NCSC.

Scambusters: What can we do better to stop people getting scammed?

Meanwhile, more changes could be on the way, given Commerce and Consumer Affairs Minister Andrew Bayly is currently reviewing how multiple agencies co-operate in their response to scams.

Does Cert NZ’s new management think incidents are being under-reported?

“It is certainly the case that not all incidents are reported, not just here in Aotearoa but globally. Our surveys showed almost half of our respondents experienced a recent cyber security incident, but this volume is not reflected in our reporting numbers,” Jagusch told the Herald.

“Reporting is important to us to understand the threats that are out there, so we can warn others about them, and take actions to disrupt them.”

How is the NCSC encouraging more people to report incidents?

“Through our publications and campaigns, we constantly encourage New Zealanders to report any cyber security incident, big or small to us. Since the beginning of October, we have been reminding people how and where to report, through a small advertising campaign.

“We saw a significant increase in reporting in Q3 and we urge the New Zealand public to keep those reports coming. Increased reporting helps us in understanding the cyber threat landscape better and in shaping our response these threats,” Jagusch.

Some Cert NZ positions ‘disestablished’

In mid-2023, Little positioned Cert NZ’s integration with the NCSC as a move to streamline its response rather than to cut bodies. The integration wrapped up in July.

The NCSC told the Herald last month: “Establishing an integrated structure for New Zealand’s lead operational cyber security agency has enabled the functions of the NCSC and Cert NZ to be brought together to provide cyber security services to all New Zealanders – from individuals through to nationally significant organisations.

“This integration process has meant that some positions were disestablished, and new positions were created. All staff working for the NCSC (including Cert NZ staff) at the time of implementing the new structure from July 2024, were offered roles.”

Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.