SecurityBrief New Zealand logo
New Zealand's leading source of cybersecurity and cyber-attack news
Partner content
Story image

Why is NZ lagging behind the world in cybersecurity?

By Jessie Chiang
Tue 21 Jun 2022

A recent report by the Technology Users Association of New Zealand (TUANZ) has revealed that we are ranked 56th in the world when it comes to cybersecurity. Why are we so far behind other countries, and what must be done for us to be better?

TUANZ is a 35-year-old independent organisation that represents the people who use technology. Its CEO, Craig Young, says they want Aotearoa to be in the top 10 digitally ready nations by 2030, which includes getting up to speed on cybersecurity.

The ranking is based on the international network readiness index by the Portulans Institute - and it's not looking good for New Zealand.

"This year's report is based on 2021 research and we've dropped down to 20th from 16th," he says.

Compare that to Australia, which only dropped to 13th from 12th, while Scandinavian countries and places like Singapore rank highly. Young says the index looks at a wide range of issues, including how a country uses and develops technology, how its people use it, and whether they are being trained.

As part of its Digital Priorities Report 2022, TUANZ also interviewed 23 senior business and government leaders in New Zealand, including Kiwirail, Spark, NZ Rugby and Auckland Council.

So, just how bad is the situation?

State of cybersecurity in NZ

In 2021, 8831 incidents were reported to CERT NZ, a 13% increase on 2020. The statistics show that 15% of the incidents reported to CERT NZ included direct financial loss, with a combined total value of $16.8 million.

A survey released by Kordia's Aura Information Security last December found that more than half (55%) of Kiwi businesses have been successfully targeted by a ransomware attack in 12 months. Young says New Zealand doesn't do well regarding things like secure internet service or the more technical issues.

"It's quite sobering to think that New Zealand ranks 56th in cybersecurity and I think there's a couple of reasons for that," he says.

"I think that New Zealand companies and organisations, felt safe and secure by being down the bottom of the world. For example, for COVID-19 we were able to close our borders, because we're an island down the bottom of the Pacific Ocean. We stopped planes coming and going, and people coming and going because of our physical location."

But Young points out that this kind of thinking doesn't cut it in the cyber world.

"We're only a few milliseconds from anywhere and we are heavily connected with the rest of the world. It only takes a couple of milliseconds for a message to come or leave New Zealand," he says.

Young says a reputation of not being overly strong in cybersecurity can also make Aotearoa an attractive choice for hackers to route their messaging or software. For example, if the hacker's originating country may come up as a red flag, routing it through New Zealand is less likely to cause concern. He says while New Zealand organisations might think they're big, they're quite small.

"Overseas players can just hammer them because they have the capacity to do so, they're built to take on the big guys and our organisations aren't that big," he says.

"We've sort of sat here in a feeling of security because we're a long way away, we're small, and we don't think we've got anything of value. Well, actually, we do. It's very quick to get here and that complacency has led us to be in a place of not being overly secure."

But high-profile cyber attacks in New Zealand like the NZX and the Waikato DHB have affected how companies view cybersecurity.

Kordia's survey found just under half of IT decision-makers say their businesses take cyber security more seriously as a result of these local attacks. In addition, it found 41% had more discussion around cyber security within their organisation, while 37% expanded their cyber security team or agency. The survey also revealed that 85% of IT decision-makers considered New Zealand equally or more at risk as the rest of the world when it came to cyber-attacks, up from just 67% in 2018. But Kordia's report also found that 42% of businesses admit not running crisis simulation exercises to assess their ability to respond to a cyber-attack.

And the game is changing. 

The growth of hybrid work, spurred on by the pandemic, is another security risk.

"If I work for a large corporate and I'm working from home, suddenly I've got a device here that's connected to the general internet, not just that it's connected to my internal network," says Young.

"I think a lot of the CIOs are struggling with trying to figure out how to raise the cyber skill sets or the cyber ability within their organisations for that space."

Upskilling staff and having a talent pipeline

Young says one of the most important areas New Zealand companies need to focus on is building cybersecurity skills in its staff. He says most successful attacks on organisations often come through phishing or one person. 

"With cyber security, you can have all the firewalls or the up-to-date software that you should have, but if somebody lets somebody in, you know, it's like letting someone in the front door, they're gonna get in and go for it," he says.

The TUANZ CEO says Aotearoa also needs cybersecurity experts and a talent pipeline.

The draft of the government's Digital Technologies Industry Transformation Plan was open for consultation earlier this year, and Young hopes the final plan will have a real drive towards getting not only younger people into cybersecurity but also retraining people. He says the skills required for those working in the cyber area differ from standard IT.

"The people that you want in that area aren't necessarily the same people that you've generally hired before. They aren't necessarily people who are good at running a network. What they're good at is breaking into a network or they're good at protecting a network because they know how to break it," he says.

"They're good at ferreting things out, or they're creative. I'm not saying you have to go out and hire a hacker. I'm just saying that people have slightly different skill sets than just the standard network provider."

In TUANZ's report, the organisation said its research shows there is not enough local talent in the tech industry to meet demand and the leaders it interviewed confirmed this perspective. Globally, there were 3.5 million cybersecurity jobs unfilled in 2021, and New Zealand was part of an international scramble attract talent.

In terms of cybersecurity as a government focus though, Young says it does have to raised up the pecking order. The Australian government recently announced the appointment of a dedicated Cybersecurity Minister, Clare O'Neil.

"We don't have a minister for cybersecurity. It's not really talked about," he says.

"There are some very good people in government doing some very good things like CERT NZ, but they aren't big, they are small, and they are targeted to specific things. The government itself has to do quite a lot of work on its own security because I mean, they hold huge swathes of data for New Zealanders."

There have been several different government initiatives. For example, at the end of 2020, it launched the Digital Boost programme, which targets small business owners and aims to help them get digitally ready. The training platform offers 500 video tutorials and Q&A sessions, daily live workshops with experts and live helpdesk support. In Budget 2022, the government also set aside funding for cybersecurity, including $30m for CERT NZ and $320m for updating data and digital infrastructure for health systems. It's also developing the Digital Strategy for Aotearoa, which will be released later this year.

Young says that will show the direction the government is taking when it comes to things like cybersecurity.

Automation plays a critical role

The TUANZ CEO says things like AI and machine learning are already a huge part of beefing up cybersecurity measures.

"The people who are doing the attacking, they're using those tools. They're using those tools to change things daily, you know, to or within the hour," he says.

"If they can't get in one way or another they'll change the messaging around. So you got to fight fire with fire in this situation."

Young says companies won't be able to keep up unless they have some form of automation. He points to the NZX example, where the stock exchange was bombarded with Denial-of-Service (DoS) attacks in 2020.

"Numbers were incomprehensible compared to what they would normally see. That's where your automation comes in because it continuously bats away these things," he says.

Young says in next year's report, he's hoping Aotearoa will be out of the 50s for cybersecurity and trending through the 40s. However, he acknowledges that some things take time.

"Certainly, it's one of those things that we're definitely going to be keeping an eye on and making some noise on during the year," he says.

Public Interest Journalism Fund logo
Public Interest Journalism funded through NZ On Air.
Related stories
Top stories
Story image
Tech job moves
Tech job moves - Bitdefender, Cohesity, Fortinet & MODIFI
We round up all job appointments from June 27-30, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Artificial Intelligence
Juniper study reveals top AI trends in APAC region
Juniper's research shows an increase in enterprise artificial intelligence adoption over the last 12 months is yielding tangible benefits to organisations.
Story image
Research
New study reveals 51% of employees using unauthorised apps
The research shows that 92% of employees and managers in large enterprises want full control over applications, but they don't have it.
Story image
Microsoft
Digital innovation could shape the future of NZ - Microsoft
With cloud technologies available to more people around the world than ever before, it is not only businesses who will benefit from using them.
Story image
Cybersecurity
FIDO Alliance releases guidelines for optimising UX with FIDO Security Keys
The new guidelines aim to accelerate multi-factor authentication deployment and adoption with FIDO security keys.
Story image
Cybersecurity
Zscaler launches co-located data centres in Canberra and Auckland
The investment will offer public and private sector enterprises greater resilience in support of their zero trust cybersecurity posture.
Story image
Cybersecurity
Email threats spike 101%, remains a top attack vector
"Each year we see innovation in the threat landscape, but each year email remains a major threat to organisations."
Story image
Amazon Web Services / AWS
Zscaler, AWS accelerate onramp to the cloud with zero trust
Zscaler has announced an extension to its relationship with Amazon Web Services, as well as innovations built on Zscaler's Zero Trust architecture.
Story image
Cybersecurity
The link between cybersecurity, extremist threat and misinformation online in Aotearoa
Long story short, it's often the case that misinformation, threat and extremism link closely to cybersecurity issues and cyber harm.
Story image
Cybersecurity
Vulnerable APIs costing businesses billions every year
Large companies are particularly vulnerable to the security risks associated with exposed or unprotected APIs as they accelerate digital transformation.  
Story image
Cybersecurity
Ingram Micro launches vendor-backed security program
Ingram Micro has unveiled a new program intended to give resellers the effective offerings their customers need to stay safe in the evolving threat landscape.
Story image
Gartner
Gartner's top recommendations for security leaders
"Leaders now recognise that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, philosophy, program and architecture.”
Story image
Cloud Security
Palo Alto Networks bolsters cloud native security offerings
Latest Prisma Cloud platform updates help organisations continuously monitor and secure web applications with maximum flexibility.
Story image
Compliance
Stock security features inadequate in face of rising risk
"Organisations must proactively find ways of identifying unseen vulnerabilities and should take a diligent, holistic approach to cybersecurity."
Story image
Ransomware
Secureworks reveals new information on BRONZE STARLIGHT threat group
New research from Secureworks has uncovered new information on the Chinese threat group BRONZE STARLIGHT and how they are using targeted ransomware to initiate complicated attacks.
Story image
Revenue
Datacom announces revenue of $1.45 billion, fall in profit
Growing market pressures and border closures saw Datacom place increased focus on talent development initiatives for both existing and future employees.
Story image
Cybersecurity
Significant security concerns resulting from open source software ubiquity
"The risk is real, and the industry must work closely together in order to move away from poor open source or software supply chain security practices."
Story image
Cybersecurity
Zero trust security adoption rises 27% in just two years
A survey of WAN managers has revealed that multi-factor authentication and single sign-on are the top zero trust features implemented.
Story image
Cybersecurity
Video: 10 Minute IT Jams - An update from CrowdStrike
Scott Jarkoff joins us today to discuss current trends in the cyber threat landscape, and the reporting work CrowdStrike is doing to prevent further cyber harm.
Story image
Cyber Criminal
Identity and access: the fight is on
Blue team defenders are used to protecting our data, applications, and users with access controls and other security mechanisms, which is why attacks like this are especially challenging when they target identity and access control systems.
Story image
Web Development
Whitecliffe fosters careers for the future of tech
Do you want a career in Information Technology, Networking, Web Development, Software Development, or are you looking to upskill?
Story image
Cloudera
Overcoming hybrid and multi-cloud challenges to drive innovation
Driven by improvements in technology, financial services companies have advanced both internal and external systems and processes, with the likes of digitisation, personalisation and risk management redefining the industry.
Story image
Dark web
Cybercrime in Aotearoa: How does New Zealand law define it?
‘Cybercrime’ is a term we hear all the time, but what exactly is it, and how does New Zealand define it in legal terms?
Story image
Phishing
Online identity theft is rising in NZ - here’s what to do about it
It may start with a few stolen details online, but it could end with thousands of dollars missing or worse, a reputation down the drain.
Story image
Cybersecurity
Blasé attitudes to cybersecurity by business a national risk
The largely unregulated state of cybersecurity in NZ, and consequential ambivalence of most businesses, risk hurting the country's trading prospects.
Story image
API
Industry-first comprehensive risk-based API security enhances protection
Application Programming Interfaces (APIs) have become a crucial part of operating web and mobile application businesses and are causing significant economic growth in the digital sector.
Story image
HP Inc
Firmware attacks significant threat in age of hybrid work
Changing workforce dynamics are creating new challenges for IT teams around firmware security, according to new research.
Story image
Internet of Things
ManageEngine wins big in IDC MarketScape assessment
ManageEngine's Endpoint Central service has been recognised as a leader by IDC MarketScape in several categories including Internet of Things device deployments and UEM software for SMEs.
Story image
Cybersecurity
Threat actors ramp up their social engineering attacks
As people get better at identifying potential threats in their inbox, threat actors must evolve their methods. Their new M.O? Social engineering.
Story image
Secure access service edge / SASE
Cloudflare adds new capabilities to zero trust SASE platform
New features for Cloudflare One include email security protection, data loss prevention tools, cloud access security broker, and private network discovery.
Story image
Artificial Intelligence
Abnormal Security finds financial supply chain under threat
New research by Abnormal Security has found a rising trend in financial supply chain compromise as threat actors increasingly impersonate vendors.
Story image
Cybersecurity
Unknown connections: How safe is public WiFi in Aotearoa?
If it's not your own household WiFi, then who has control of your data and is your connection actually safe?
Story image
Trend Micro
5G network projects driven by improving security and privacy
Trend Micro's new study reveals the prospect of improved security and privacy capabilities are the main motivations behind private 5G wireless network projects.
Story image
Digital Transformation
What CISOs think about cyber security, visibility and cloud
Seeking to uncover the minds of CISOs and CIOs across Asia Pacific, my company recently asked Frost & Sullivan to take a snapshot of cloud adoption behaviour in the region.
Story image
Tech job moves
Tech job moves - ActiveCampaign, Arcserve, LogRhythm & Qlik
We round up all job appointments from June 17-22, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Cybersecurity
Why is NZ lagging behind the world in cybersecurity?
A recent report by TUANZ has revealed that we are ranked 56th in the world when it comes to cybersecurity - a look into why we're so behind and what needs to be done.
Story image
Identity and Access Management
Ping Identity launches corporate venture capital fund
Ping Identity has launched a corporate venture capital fund to foster innovative offerings for the identity security market.
Story image
Manufacturing
Sternum joins NXP, collaborates on IoT security and observability
Sternum has announced it has joined the software partner community of NXP Semiconductors, a manufacturer of and large marketplace for embedded controllers.
Story image
Cybersecurity
Aqua Security, CIS create software supply chain security guide
Aqua Securityand the Center for Internet Security have together released the industry’s first formal guidelines for software supply chain security.
Story image
Collaboration
IT and security team collaboration crucial to data security
Many IT and security decision makers are not collaborating as effectively as possible to address growing cyber threats.
Story image
Internet of Things
Domino's Pizza: A blueprint for secure enterprise IoT deployment
Increasingly, organisations are embracing smart technologies to underpin innovations that can enhance safety and productivity in every part of our lives, from industrial systems, utilities, and building management to various forms of business enablement.
Story image
Microsoft
SMX partnership with Microsoft leads to NTT recognition
SMX has captured the attention of NTT after receiving positive reviews from businesses across Australasia and beyond for its email security.
Story image
Digital Transformation
Cybersecurity priorities for digital leaders navigating digital transformation
In recent years, Asia-Pacific has especially been a hotspot for cyberattacks, and as we continue into 2022, it’s evident that the problem is becoming more significant.
Story image
Oracle Cloud
Commvault, Oracle to deliver Metallic Data Management as a Service
"We are excited to partner with Commvault and enable our customers to restore and recover their most mission-critical cloud data."