SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Zero trust crucial as high-profile ransomware attacks rise
Wed, 27th Apr 2022

High-profile ransomware attacks and increased reliance on digital infrastructure mean New Zealand businesses increasingly need to embrace zero trust cybersecurity settings, according to Palo Alto Networks.

Physical infrastructure such as roads, powerlines and pipes has long been seen as a crucial economic asset by governments, but the pandemic cemented the fact that digital infrastructure was just as crucial.

"As governments around the world, including New Zealand, face a growing wave of ransomware attacks against critical public services, we are witnessing a renewed interest in setting up systems to protect infrastructure to ensure important information that flows through it is well-protected," says Misti Landtroop, New Zealand country manager for Palo Alto Networks.

The Biden administration's zero trust framework

In mid-May last year, the Biden administration announced an executive order aimed at improving the United States' cybersecurity, in part by implementing a zero trust framework. This established the Cyber Safety Review Board (CSRB), a team made up of cybersecurity professionals including Wendi Whitmore, senior vice president of Palo Alto Networks' global threat intelligence team Unit 42.

Landtroop says the CSRB has since focused its efforts on establishing a zero trust framework, which was developed around ten years ago by former Palo Alto Networks employee John Kindervag. Since then, it has been growing in popularity as government departments and businesses realise they face a new wave of cybersecurity threats as a result of remote working and the proliferation of devices.

"Over the last two years, as much of the world was stuck at home, millions of workers came to rely on their internet connections. Zero trust allows organisations to identify and verify each person, device and application before they are given access, meaning no entity is implicitly trusted by default, and all must verify using multi-factor authentication, every time," Landtroop explains.

Kindervag worked at Forrester Research when he developed the zero trust framework and, not surprisingly, his old employer was bullish about the Biden administration's executive order and expected its decision to flow into the private sector: "The United States federal government has validated, confirmed, and required zero trust. For the US government and its suppliers, this executive order represents massive change. But nongovernment organisations should expect to feel repercussions of this, as well."

"According to Kindervag, zero trust systems that once took three years to set up can now be set up in three months. And it's well worth the effort," says Landtroop.

"While accurate figures are obviously hard to come by, some estimates suggest that businesses are losing up to $20bn a year through ransomware attacks."

According to the 2022 Ransomware Threat Report produced by Palo Alto's global threat intelligence team Unit 42, the average ransom demand in cases worked by the Palo Alto Networks Unit 42 security consultants rose 144% in 2021 to $2.2 million, while the average payment climbed 78% to $541,010.

"That's just the ransom payment, which is often reduced by negotiators and doesn't include the cost of disruption to the business, or in some cases, the disruption to the public," Landtroop says.

"In the US, the recent Colonial Pipeline hack stopped the flow of petrol and saw Americans hoarding supplies as stations in a number of states ran dry. There were emergency declarations, petrol prices spiked and the company paid a ransom of $5 million in Bitcoin to regain access to its systems (some of the cryptocurrency was later recovered by authorities). The CEO admitted to the Senate that the hackers were able to bring the country's biggest pipeline down by stealing a single password and that there was no multi-factor authentication, which is now seen as basic cybersecurity hygiene. Major beef producer JBS was also targeted."

How prepared are New Zealand businesses?

Closer to home, companies like Lion, Toll Group and Fisher & Paykel Appliances have been targeted and the May 2021 Waikato DHB ransomware attack caused significant disruption to the region's health system. Surgeries were delayed, confidential patient information was sent to the media by the hackers and questions were asked about whether the other DHBs had taken the necessary steps to avoid a similar fate.

"With plans to centralise the country's 20 DHBs into a single health service, we need to be confident that the IT systems undergirding such crucial public services are robust and that sensitive data remains safe - and a zero trust network is the best way to do that," Landtroop says.

"Cyber security professionals know zero trust is the way to go, but many New Zealand businesses do not."

A recent Palo Alto Networks survey found that only one-third of New Zealand businesses have implemented a zero trust policy, and more than 40% of respondents do not know what a zero trust policy means. The most common reasons for not adopting zero trust are a lack of knowledge and expertise to know how to make it happen (40%), a lack of resources to invest in cyber security (24%), and that Government is not providing enough information or resources to support businesses in adopting a zero trust strategy.

"To use a military analogy (and trying to fight against cybercriminals is an ongoing battle), the perimeters of our organisations have expanded dramatically as employees were scattered to the four winds," says Landtroop. "And, as a result, these perimeters are easier to breach."

Many of those employees have started to return to the office, but the systems we need to continue operating what many experts believe will be the new norm - hybrid working from home and the office - are also the systems attackers are targeting. In NTT's 2020 Global Threat Intelligence Report, across the ditch in Australia, application-specific (40%) and web-application (20%) attacks dominated, accounting for nearly 60% of all attacks combined.

And, like the Colonial Pipeline hack, it is compromised credentials that continue to be the favoured method of attack.

Of all reported cyber incidents, 79% involved compromised credentials with phishing, brute-force attack, or unknown methods. In aggregate, this means that over half of ALL breaches, whether caused by a cyber incident, human error or system fault, can be traced back to a credential-based issue.

"Cybersecurity is not just about avoiding ransoms and embarrassment, however (New Zealand law now requires all companies to report data and privacy breaches). It's also an investment," says Landtroop.

"Recent research by Forrester on the economic impact of Palo Alto Networks security products showed businesses had a 247% return on investment and $40.1 million in benefits over three years. That came via efficiency gains for IT, security, and end users; cost savings from sunsetting legacy technology; and the reduced risk of a data breach.

"There is no such thing as complete cybersecurity, simply because humans are involved and humans are fallible. It is a team sport, where everyone (individuals, businesses, and the authorities) needs to work together to safeguard the organisation's data and integrity of assets. That's why smart businesses (and smart government administrations) are increasingly looking to employ a zero trust framework to limit the risk," Landtroop adds.

"In the real world, trust is crucial if you want to create healthy relationships in your personal and professional life. In the remote working world, we need to trust employees to do their jobs. But in the online world, trust is a vulnerability."