Attacks at the Olympics underline the urgency facing NZ businesses

The Olympic Games isn’t just a global showcase for sporting excellence; it’s also a prime opportunity for cybercriminals to disrupt events and extort organisers, and this extends beyond the Olympics itself.

The growth in cyberattacks during the Games highlights just how Olympic-sized the problem of cybercrime has become. There were 212 million documented attacks during the London 2012 Summer Olympics, rising to a staggering 4.4 billion at the Tokyo 2020 Summer Olympics, according to Fortinet research. These attacks pose some extremely pertinent questions for New Zealand businesses. 

“You’ve got hacktivist-type attackers who go after operational technology (OT) and often want to make a statement,” says Josh Alcock, principal security strategist, Fortinet. “Then you’ve got nation-state attackers that want to disrupt or harm the event. We’ve seen a spike in activity by pro-Russian groups, partly because Russia has been excluded from these Games.”

However, an organisation or event doesn’t need to have a global presence to be affected by cyberattacks. Nearly one-third of businesses surveyed experienced at least six intrusions during the previous 12 months, with the loss of business-critical data and productivity rising from 34 per cent to 43 per cent, according to Fortinet’s 2024 State of Operational Technology and Cybersecurity Report.

OT systems are attractive targets for attackers, whether it’s the fires in the French rail network or the malware attack that nearly brought the PyeongChang 2018 Winter Olympics to a halt on opening day.

“Car manufacturers, airports, ports and energy infrastructure have seen a big increase in these sorts of environments being compromised,” Alcock says. “It causes massive disruptions, costs a lot of money, and has serious safety implications.”

Cyberattacks evolving at speed

Cyberattacks are booming because they are hugely profitable for threat actors who can operate outside the traditional economy, evolving quickly to target more organisations more effectively. 

An event, even a relatively small one, involves managing attendee data, payment systems and servers. These present attractive targets for threat actors of all sizes, from anywhere in the world. It could be a teenager in their bedroom or an organised criminal group; they take a shotgun approach to attacks, probing for vulnerabilities wherever they occur. 

“There’s a misconception that we’re sheltered here in New Zealand,” Alcock says. “But just because we’re not physically close to other markets doesn’t mean we’re safe. There are many factors beyond our control. That’s why it’s so vital to get the basics right.”

Ransomware is becoming more sophisticated and targeted, according to the Fortinet report. In a quarter of manufacturing company breaches, the demanded ransom was US$1 million or more. Businesses are increasingly willing to pay a ransom because the cost of downtime is so high. That high price is only the start of the problems that a cyber incursion can cause for events and businesses.

“People underestimate both the costs and the reputational damage that an OT attack can cause,” says Alcock. “Organisations are now starting to look at the cost of the risk versus the cost of the control to prevent it. They’re finding the prevention cost much lower than having their reputation damaged severely. 

“Bad guys don’t have to deal with paying taxes and following rules, which means they can move rapidly,” Alcock points out. “It’s a bit like the story of the bear attack, where you just have to outrun the other guy; your business just needs to be better protected than the next business. Getting the basics right is the best thing you can do in this situation.” 

What are these basics? Alcock says: 

  • Train your team so they understand why security measures are important. “Make it easy for people to understand what they need to do. Training and awareness help reduce human errors, which are a major cause of vulnerabilities. If people just stop clicking on suspicious links, that would solve half the problems.” 
  • Turn on multifactor authentication (MFA) wherever possible. For example, when you log into a banking app on a desktop, you might confirm your login on your phone. Without this, someone with your password details could access your account. 
  • Implement effective patch management. When a provider discovers a vulnerability, they send out a patch and provide frequent updates to ensure you always have the latest fixes. “This is important because, last year, more than 30,000 vulnerabilities were publicly disclosed, so staying on top of those should be a priority. A lot of what’s being exploited has fixes available.” 
  • Limit access to information so people can only see what’s appropriate for their role. Companies have been stepping up their efforts to implement role-based access this year, according to the Fortinet report. “You wouldn’t let anyone wander through a hotel with the master key to every room; it’s the same with your network.”

Alcock recognises it’s challenging to find skilled IT professionals to oversee your network and cybersecurity, so be prepared to invest in contractors or remote talent. 

“If you don’t have the in-house expertise to manage your cybersecurity, there are organisations that will provide these services for you,” he says. “There are resourcing challenges, but don’t let these prevent your business from implementing cybersecurity measures. Make it as easy as possible for you and your team to keep your systems safe.”

To view the full report: global.fortinet.com/apac-lp-nz-ot-report-2024