A third of New Zealand’s most prominent businesses were impacted by cyber-attacks last year.

Independent research by Kordia, released this week, shows the detrimental impact cyber-attacks have on some of New Zealand’s biggest organisations.

New Zealand state-owned enterprise Kordia delivers various services, including connectivity, cloud and cyber security services, managed IT, field services, broadcast and safety of life communications.

All of the surveyed businesses have 100 or more employees. Of those hit by a cyber-attack in 2023, more than one in three (36 percent) said their business operations were disrupted, and 29 percent said personal data was stolen or accessed.

More than two-thirds (69 percent) of businesses claimed they experienced an impact from a cyber incident.

Nearly half (46 percent) found it took more than a month to resolve the incident, with nine percent saying it took five months or more.

28 percent of businesses impacted by a cyber-attack or incident point to third-party suppliers as the cause.

Seventy percent of business leaders said they would consider paying a ransom to a cybercriminal.

Cloud misconfigurations or software vulnerabilities caused cyber incidents for almost two out of five (39 percent) businesses.

As cyber security evolves, so do the threats facing New Zealand businesses.

Of the businesses surveyed that were subject to a cyber incident, 39 percent said the incident was due to cloud misconfiguration or software vulnerabilities.

Distributed Denial-of-Service (DDoS) attacks were the second most common at 35 percent.

Cybersecurity Progress

Alastair Miller is the principal consultant at Aura Information Security, Kordia’s cyber security advisory and testing consultancy.

He says that this survey highlights the beginning of a trend where hackers are targeting operational downtime rather than stealing or encrypting data to extort their victims, in line with what’s happening overseas.

“Cybercriminals are financially motivated,” he says.

“It’s much harder for organisations to ignore an attack when they can’t function for a period of time.

“The motivation to pay a ransom is greatly increased when you can’t generate an operational income.

“Any cyber-attack disruptive enough to cause a business to completely go offline can cripple a business in days, but the reality is that a major incident can take months to resolve – with costs running into the hundreds of thousands.

“For large businesses and critical infrastructure providers, like the ones we surveyed, operational downtime impacts can have knock-on effects for whole supply chains and our economy.

“Despite this, New Zealand businesses still lag far behind when it comes to elevating cyber security to the highest levels of governance.

“Only two-thirds of businesses said that cyber security was a very important issue for their board, and this must change to see real progress in the overall resilience of our national industrial and business landscape,” Miller says.

He says that cloud played the most significant role in cyber-attacks across the board last year, climbing 11 percentage points year-on-year in the survey.

“In saying this, DDoS attacks continue to feature prominently globally; there has been an increase in activity stemming from geo-political events, including cyber warfare in Ukraine and Israel / Palestine.

“With a very low barrier to use, DDoS has also been observed as a tactic used in conjunction with other methods, leveraged by threat actors to mask other attacks occurring concurrently.

“Phishing continues to remain in focus, whilst supply chain attacks came to the fore for New Zealanders, with third-party attacks featuring in more than a quarter (28 percent) of all incidents,” Miller says.

The Human Cost

Global cyber threats impacted New Zealand citizens on a new, escalated scale last year.

The hack on Australian financial services company Latitude saw personal data belonging to one million Kiwis (20 percent of the population) compromised in the most significant privacy breach New Zealand has ever seen.

Miller says harm to privacy is one factor, but cyber incidents are increasingly causing massive harm to the employees of victim organisations.

“Around a quarter of respondents said recruiting skilled people to manage cyber security is a top challenge within their business.”

Miller says the cyber security labour market is incredibly tight, both globally and here in New Zealand, so hiring and retaining skilled people is crucial.

“Many businesses are asking themselves how they will keep up with the moving threat landscape with so few resources working on mitigating it.”

Miller cites a recent academic study that found that cyber-attacks can cause high levels of psychological harm — equal to conventional political violence and terrorism.

“With four in five New Zealand large businesses in our survey saying they faced a cyber incident in the past twelve months, these incidents will likely be taking a significant toll on the wellbeing of many of our cyber security leaders and their teams,” Miller says.

Eyes on the New Government

New Zealand businesses are asking how the new coalition Government will tackle the evolving cybersecurity threats.

Kordia’s survey results show that a third of Kiwi business leaders want the government to increase spending on national cyber security.

“Business leaders are eager to see more action to penalise organisations that fail to adequately protect data.

“New Zealand’s current privacy laws only punish failure to report a breach, and that caps penalties at NZD $10,000, significantly more restricted and lower than legislation in other Five Eyes nations,” Miller says.

“Australia has made notable changes to cyber security governance through a slew of legislative changes, including harsher privacy law penalties of up to $50 million and mandatory reporting requirements for ransomware attacks.

“A notable number of respondents have indicated they would be supportive of similar initiatives in New Zealand.”

Miller says that when it comes to policy, New Zealand often looks across the Tasman, so it will be interesting to see whether similar legislation will eventually be implemented here.

Cybersecurity Risk

Future Proofing Your Business Against Cyber Risks

Investing in future-proofing your business against cyber risks may seem like an extra expense, but it’s a wise investment in the long run. 

It can save you money, protect your reputation, and ensure the continued success of your business.

Kordia offered five ways you can prepare against cyber risks.

Plan for Recovery in Your Response

Operational downtime can hurt a business more than the initial cyber-attack.

Recovering your business as rapidly as possible after a significant cyber-attack depends on an adequately deployed backup and restore regime.

Any solution should include encryption, along with the combination of full, incremental, and differential backups.

Security and Cloud Transformation Together

There are lingering perceptions that the cloud is more secure than traditional on-premises systems.

While there indeed are benefits that can be leveraged from the cloud, without the proper security layers, businesses are just as exposed.

The best way to guard against misconfigurations and security gaps in cloud environments is to implement and integrate security requirements into cloud projects early.

This will set out how security is factored into your cloud environment and ensure it evolves as your platforms do.

Rationalise Spending Via Risk-Based Planning

Assessing how to invest appropriately in security can be challenging, especially given rising costs and tough economic conditions.

As organisations expand their digital operations, a risk-based approach can help rationalise spending and set strategic objectives to ensure security needs are being addressed.

Understanding your risks will help determine focus areas, providing a starting point for building a holistic security programme.

Ongoing measurement of the effectiveness of your strategic roadmap will determine whether your organisation is focusing on the right areas.

Factor People into Your Strategy

Human error accounts for many cyber security incidents and data breaches; there’s a great need for better awareness and adoption of security behaviours across all facets of organisations.

Business leaders must champion a culture change that sees all employees adopting a mindset shift.

Elevate Cybersecurity to The Board

With increasing impacts and a significant number of businesses confirming that cyber incidents are compromising them, it is imperative that board members take cyber defences seriously.

Cyber is no longer an IT or operational issue – it requires good governance to ensure that it’s aligned with the overall business strategy and that initiatives have the right level of focus and resources from the top.

The full cyber security report is available to download at www.kordia.co.nz.
