Kordia uncovers truth of cyber crime in New Zealand
Independent research released by Kordia has found more than half (55%) of businesses surveyed with 100 or more employees suffered a cyber-attack or incident in the last year.
Peter Bailey, Regional Cyber Security Business Manager at Kordia, says the research shows there is money to be made for cyber criminals targeting New Zealand.
He says, "New Zealand is not immune to the ravages of cyber crime. Our geographic isolation isn't relevant when there is money to be made - we're just as at risk as anywhere else in the world.
"What that means is New Zealand organisations need to be well prepared to not only defend against incoming cyber-attacks, but also develop a response plan to ensure that if their organisation is successfully breached, they have the right things in place to recover quickly - ideally with their reputation and systems intact."
Top research insights:
- 55% of businesses surveyed were subject to a cyber-attack
- 44% of business leaders say they would consider paying a ransom to a cyber criminal
- The top attack method is phishing which is responsible for more than 1/3 (37%) of attacks in the past 12 months
- This is closely followed by third party cyber attacks, and cloud misconfigurations and vulnerabilities - both at 28%
- Almost 1/4 of businesses attacked saw commercially sensitive data or intellectual property accessed or stolen
- 1 in 5 said cyber attacks caused a loss of future business or sales due to reputation damage
- One in five businesses have no plan to deal with a cyber-attack
Despite the success cyber criminals have had in New Zealand, five out of six (85%) businesses are confident in their cyber security safeguards, the research finds.
Supply chains need more focus
Large businesses are feeling significant impacts from third-party cyber attacks, with respondents reporting incidents coming through supply chain partners accounted for 28% of all attacks - second only to phishing.
Bailey says, "With business increasingly taking place online, there's a complex array of third parties that enable digital operations to take place - from cloud and software vendors to online payment platforms and managed service providers.
"Many businesses entrust these third parties with access to their data and systems, but if they haven't put the right cyber security measures in place, they could be putting your business at risk of a serious breach.
"Businesses simply can't afford to operate with a blind spot around their supply chain partners - they need absolute clarity around what third parties have access to, and the layers of security that exist around that access."
Ransoms, fines, and legal action
The research shows New Zealand businesses leaders are willing to put their trust in cyber criminals. Nearly half (47%) of respondents believe it's likely that cybercriminals will restore their data once a ransom is paid. In New Zealand there is no penalty for paying a ransom, yet more than two thirds (68%) of large businesses leaders believe it should be illegal.
Bailey says, "The Government strongly recommends not paying, this is because there is no guarantee a hacker is going to comply even after they've been paid their ransom. They are criminals after all."
Bailey adds that nearly three quarters (73%) think we should introduce harsher financial penalties for businesses that fail to protect personal data.
He says, "For most businesses, the significant consequences of a cyber-attack are the disruption and productivity losses that come with being breached and operations being shut down. There is also the reputational damage that comes with being hacked and losing precious customer data or commercially sensitive intellectual property.
"Further to this, many business leaders and board members across the country will be interested to see 7% of cyberattack victims are facing legal action by customers or other stakeholders.
"There is a long, unpleasant list of consequences. It's important all New Zealand businesses understand this and make cyber security an integral part of their business strategy."
Confidence in the face of threats
Despite the number of businesses being successfully attacked, five out of six (85%) businesses are confident in their cyber security safeguards. Bailey says this is an interesting statistic.
Bailey says, "Our research suggests there is a sense of confidence in the face of growing threats - with the vast majority of business leaders indicating that they feel confident that they have the right safeguards in place to protect their data. Confidence is particularly high among those who have experienced a threat or attack in the past, which could indicate that resilience is being taken seriously."
He continues, "However, adversaries are continually adapting their attack methods, so it's important that Kiwi organisations don't rest on their laurels. Cyber security is a continuous exercise and needs to evolve to meet any operational changes. Yet there's some evidence to suggest we're slipping in this area - almost half of respondents have relaxed their cyber security to boost productivity in the past 12 months.
"Another major concern is nearly one in five large businesses don't have a cyber security awareness or training programme for employees. Given the continuously high volumes of phishing attacks, it's no surprise that this remains a high risk for organisations with employees at risk of clicking on malicious links that grant access to threat actors."
Kordia has outlined five focus areas for businesses in 2023:
- Cyber security needs to be an integral part of your business strategy: Cyber risks can come from a number of sources and can threaten your entire organisation. Security shouldn't be confined to the IT department; it needs to be a core part of your business strategy with regular reports going to the Board.
- Understand your key assets and the risks to them: A risk assessment and IT asset register is vital when breaking down how to protect your key assets. Be sure to analyse the financial, operational, and reputational consequences of failing to secure your business.
- Undertake an audit of third parties: Look into your own organisation and determine which vendors have access to your data or systems. From there, develop assessments and audits to ensure that your suppliers are implementing adequate controls to protect your business assets.
- Focus on what you can control: This includes regular patching and vulnerability management, ongoing cyber awareness training, frequent penetration testing of key assets and reviews of cloud / web facing infrastructure and apps. Measuring and reporting on key metrics around your security posture will help your organisation stay secure from the majority of threats.
- Be prepared: Develop a response plan, if you haven't already, and make sure you practice it in a mock tabletop exercise. Exploring scenarios and likely impacts is the most effective way to ensure your business recovers as smoothly as possible in the event of a successful attack. Also, don't forget to regularly back up your data and systems.