By the time you've been hacked, it's too late. That's the cruel lesson of cybersecurity.
Keeping networks safe requires vigilance, common sense, and very likely some advice from experts.
Peter Bailey, the general manager of Wellington-based Aura InfoSec, says there are an estimated million vacancies in information security around the world, so it's a career where there are opportunities for those with the right skill sets and aptitude.
Technical ability is an obvious prerequisite, but people skills are important as well.
As hacker turned security consultant Kevin Mitnick pointed out on his recent visit to New Zealand, the exploits that landed him in prison were based on getting people to give passwords and other information, rather than mere coding.
Even now when his business does pen (for penetration) testing, he claims 100 per cent success when some sort of social engineering is involved, but a lower success rate for a purely technical hack against a well-protected corporate fortress.
Bailey says a lot of companies focus on the technical side because it's easier to control and they think they can just upgrade or change the system.
"We do social engineering jobs as well where we look at a company holistically - is there any way in, can we use social media information, can we trick call centre staff into giving details, can we tailgate someone into the building, USB drops, phishing emails.
"All those things that are people-based are still the weakest link, particularly in New Zealand - we are a trusting bunch, we like to be helpful and friendly," Bailey says.
Aura InfoSec started a decade ago with three staff and now has 22.
Last year it was bought by business telecommunications provider Kordia, which wanted to boost the security services it could offer customers.
Services include pen testing of websites and networks, advising companies of the policies and procedures they need to keep safe, teaching developers how to write secure code, auditing systems, and generally keeping up to date with the fast-moving threats.
One of the big threats in recent times is ransomware, which is hitting not just large organisations but also lots of individual users who find their files encrypted.
Bailey says it's a great argument for backing up.
While the weaknesses of some ransomware strains have been published and security specialists can circumvent the hackers' encryption, most people just have to pay up and hope the decryption key works.
A tip from Bailey: if you really want to look into that suspicious attachment, send it to a Gmail account and open it in preview; any problems will be dealt with on the Gmail server, not on your hard disk.
"Cybercrime is now bigger than old-style organised crime," he says.
"Hackers will scan the internet for people running software with known problems. That takes surprisingly little time, and they will then go in and attack those sites."
Bailey says people entering the field will preferably have done some level of development work so they understand how sites are put together and how they function.
"They also need to be inquisitive enough to say if I can put something together, how do I take it apart, or are there ways to make it do different things? How far can I push this if I really want to exploit it?
"We find the guys are real problem solvers, they sit by themselves thinking it through, or sometimes they put together teams to discuss ways around a problem.
"That inquisitive, security side is hard to find, and you have to mix that with the consulting side as well. You need to not only be really technical but you need to be able to sit down with the CIO or a CEO and explain some quite technical stuff in terms they will understand for their business impact.
"It's all very well going in and saying 'you have a SQL injection on this,' you need to be able to explain what that means for the business.
"It could be with a site collecting credit card information, they enter a line of SQL code that will reach right back and mine the database."
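As an added illustration of the injection Bailey describes (example code written for this page, not Aura InfoSec's or the article's own; the `cards` table, its rows and the card numbers are constructed placeholders), the vulnerable lookup beside its parameterised fix:

```python
import sqlite3

# Constructed sample data (not from the article): a checkout database
# holding card details, the kind of target the quote describes.
SAMPLE_ROWS = [
    ("alice@example.com", "4111111111111111"),  # placeholder test PAN
    ("bob@example.com", "5555555555554444"),    # placeholder test PAN
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (email TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by string concatenation: the input becomes part of
    the SQL text, so a crafted value can rewrite the WHERE clause."""
    sql = "SELECT email, pan FROM cards WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Binds the input as a parameter: the driver treats it purely as a
    value, so the same crafted string simply matches no row."""
    sql = "SELECT email, pan FROM cards WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Return row counts for an honest and a crafted input against both
    lookups; the vulnerable one hands back the whole table."""
    conn = make_db()
    honest = "alice@example.com"
    crafted = "x' OR '1'='1"  # the quote closes the string literal early
    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, honest)),
        "crafted_vulnerable": len(lookup_vulnerable(conn, crafted)),
        "honest_param": len(lookup_parameterised(conn, honest)),
        "crafted_param": len(lookup_parameterised(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the single change from string building to a bound parameter; a code review or a pen test that greps for concatenated SQL finds the first form quickly.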
Salaries start at about $75,000, reflecting international demand.
Bailey says because of Aura's government contracts, it likes to hire New Zealanders and to bring in younger people to train up, as well as going to the international market for more high level specialist skills.
Peter Bailey's tips for keeping out hackers:
- Make sure staff understand about phishing emails, the importance of not putting unknown USB sticks into networked computers, the dangers of email attachments, and the need for secure passwords.
- Make sure all system patches are up to date.
- Get your systems checked regularly. "Whether you run some software yourself or get a company like us in to pen test you. The only other way you will learn you have a problem is when someone hacks you, and then it's too late."