SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Apathetic Kiwis a mouthwatering prospect for cybercriminals
Wed, 7th Sep 2022

The most significant and most exploited cybersecurity vulnerability of any New Zealand organisation is its people, usually due to human error, apathy, ignorance or garden-variety laziness, according to Auckland IT security expert Daniel Watson.

Watson, an SMB cybersecurity expert and author of the book She'll Be Right (Not!), a cybersecurity guide for Kiwi business owners, says fixing the human side of cybersecurity will require a bit more effort than buying a new software package.

"However, the return on investment generated by training staff to be more observant, for example, can be much higher than even the best software," he says. 

"The most important lesson is that cybersecurity must be a team effort – for companies, industries and sectors.

"Industry bodies and professional associations in New Zealand need to keep pressuring their members – particularly in the retail sector – to bolster their cybersecurity efforts and to help keep those companies accountable."

He says firms operating a business-to-business (B2B) model tend to be more aware of the consequences of a cyber breach. After all, a serious violation may result in losing a significant client and, therefore, a chunk of their revenue.

On the other hand, Watson says business-to-customer (B2C) companies, such as online retailers, seem to be more laid back about the risks of poor cybersecurity.

"If a B2C company is doing well, it will collect hundreds and thousands of customer names, email addresses and physical addresses or similar," says Watson.

"This is all private information, and any data breach must be reported to the Privacy Commissioner.

"However, we need a more concerted push on online retailers to improve their cybersecurity. A major breach could bring the whole sector into disrepute."

He says it is not so much that B2C companies are worried about the costs of improving their cybersecurity processes. Instead, managers and staff often have so much on their minds that they don't think about the problem.

"Cybersecurity also still isn't treated as a critical part of a business plan," says Watson.

"Companies usually spend all their energy selling more and doing more for their clients. It's only as the company grows that they start worrying about IT security."

In this situation, if a company has outsourced its IT and cybersecurity, that third-party provider may not have the resources or the knowledge to protect the company as it grows.

Watson says this puts the company – and its customers – in the dangerous position of outgrowing its cybersecurity defences.

"IT and cybersecurity must be a hat somebody in the company wears. This reinforces that the common fault line in most cybersecurity today is still the human factor."

Watson offered three tips for improving a company's cybersecurity competency:

1. Get the Boardroom On Board

Even for smaller companies, the issue of cybersecurity should be in the boardroom.

"If a growing company has not made cybersecurity a boardroom discussion topic and nothing is being monitored, then that needs to be addressed immediately," says Watson.

"This single, low-cost change can make a huge difference to a firm's cybersecurity."

2. Audit the Assets

Buying the most relevant cybersecurity software for a company is essential, but even the shiniest software package will be useless if no one in the company knows what to protect.

"Do you have a list of your company's critical information assets? Do you know where that data is kept, where it goes and how it is protected?

"If no one knows these details, they won't know how to secure it either. So, it won't matter what software systems are in place because you'll always miss something crucial."

3. Staff Training

The hustle and bustle of daily responsibilities and normal forgetfulness are perennial problems for staff, no matter where they are in a business.

For this reason, Watson says introducing and maintaining regular cybersecurity training for staff should be part of any robust business plan.

"Consider that a hacker only needs to get lucky once, but a company must always be unexpected," says Watson.

"It's best not to rely on luck at all. That's where good training comes in. Cybersecurity is a team effort, and everyone needs to be in the game for it to work."