Internet connectivity is now integral to New Zealand society and its economic growth and international competitiveness.
We’re very highly connected, with 90% of households and 96% of businesses connected to the internet. And while historically our geographical isolation has largely kept us safe from traditional threats, it offers no protection against cyber threats: once you're online, you are connected to the world.
New Zealand is not immune to the growing cyber threats that the world faces and every year the Government detects more cyber threats than the year before.
Indeed, a recent report put the cost of cybercrime to New Zealand at $257 million in 2015.
As such, in 2015 the Government launched a refreshed Cyber Security Strategy including a national Computer Emergency Response Team, a partnership between government, business and NGOs to defend businesses and infrastructure against cyber-attacks.
But, it’s not enough to stand behind government strategy. For businesses, both big and small, cybercrime is a fact of life that poses an enormous and immediate risk to their bottom line.
As more companies move services online, keeping ahead of cyber criminals will be essential to protect both customer data and corporate reputation.
As the well-worn FBI quote goes, there are only two types of company: those that have been hacked, and those that will be hacked. This reality has been exacerbated by practices such as bring your own device (BYOD) and the internet of things (IoT), which have introduced weaker links into the chain.
The days of trying to build a fortress are over, explains Steve Rumble, BDO UK partner and Global Head of Technology Risk Assurance at BDO.
“It’s a bit like leaving the front door of your house open. You can’t assume that your front door is going to be secure now. You’re opening up your business model by using technology, and your employees with that, because you’re giving them more agile tools to use. So you can reduce your risk exposure but you will never eliminate it.
“If you look at the next five years and recognise that the world is going to continue to change with technology, data and digitalisation and robotics – all these things are going to be at the heart of it – that creates an increasing environment for cybercrime to operate in,” he continues.
“So organisations have got to shape their governance, education models and people agenda around it. That’s why people make these bold statements about cybercrime becoming the disease of the 21st century.”
In April 2016, the European Parliament voted for more stringent data protection laws, the General Data Protection Regulation (GDPR), due to come into force in 2018. The new rules make it compulsory to disclose a breach to the regulator, within 72 hours of becoming aware of it where feasible, and introduce fines of up to 4 per cent of global annual turnover for failing to protect personal data. “You’ve got the cost of recovery, the cost of consequence – whether that’s the consumer element, the reputational impact – and it can take a while for that to play out,” Rumble explains. “Now you’ve got the sanctions that can subsequently occur around the new regulations and what that might mean to organisations as well.”
High-profile data breaches have demonstrated the significant and often long-term reputational impact such intrusions can have. Affected firms have seen a drop in share price, brand damage, loss of clients and difficulty winning new business.
“If there is a security breach and you’ve lost certain amounts of customer data and you are a consumer brand then that is a significant breach of trust between you and your consumer base,” says Stephen Wares, practice leader for cyber risk at insurance broker Marsh. “As individuals we pass our personal details to consumer organisations and we do expect them to keep those details secure, particularly sensitive details like our financial information or our medical records,” he continues. “So for one of those organisations to succumb to a cyber breach, it could be seen as a breach of trust, particularly if it turns out they have not taken sufficient care to secure that data.”
48-hour window
Because a breach is now treated as a matter of when rather than if, an incident response plan is also deemed essential, with the first 48 hours after a hack is discovered being the most critical period. “If our experience has shown us anything it is that it’s important to have a plan,” says Jimaan Sane, cyber underwriter at Beazley.
“When things go wrong, you need to know what you need to do, who you need to speak to, what vendors you want to bring in and it’s important to test and rehearse that plan. Where large organisations are concerned, the way they manage that breach is probably just as important as the breach itself.”
Some of the biggest data thefts of recent times were also the most highly publicised and embarrassing. These include Ashley Madison, Anthem, Target, TalkTalk, Sony Pictures, JPMorgan Chase, eBay and Home Depot. In the US, which currently has some of the strictest data breach laws, major hacks have sparked expensive lawsuits, some of them targeting directors and officers.
While small firms may lack the IT security resources of larger firms, data protection regulations do not make special allowances for SMEs. In New Zealand, SMEs are central to our economic growth, so it’s vital they are equipped to protect the information that is critical to their commercial success.
While risk financing is available through the rapidly developing cyber insurance market, products vary. Some policies indemnify first-party costs such as business interruption, while others offer third-party coverage for notification expenses and legal costs. Fines and penalties are typically uninsurable.
Globally, there has been a sharp increase in hacking and malware, according to the latest research by Beazley. The cyber insurer found that nearly a third of all incidents in 2015 were caused by hacking or malware, compared to 18 per cent in 2014. Perhaps unsurprisingly, in a year that included the Anthem, Premera and Excellus hacks, the percentage of data breaches in the healthcare sector more than doubled.
Keeping up with the hackers
BDO recommends steps that organisations can take to help protect their data, recognising that attacks often succeed by exploiting misconfigured systems or human error, such as successfully luring employees to respond to phishing emails. So-called spear-phishing attacks use personal information (easily found via social media) to give a false impression of familiarity and entice a specific employee into revealing sensitive information.
Some cybersecurity firms run simulated phishing campaigns against the employees of an organisation. The aim is to see whether staff will fall for such an attack and unwittingly hand over their login and password details. Staff who have been caught out once by a simulation are far more likely to recognise a genuine phishing attack in future.
With 50 per cent of all cyber claims involving an element of human error, it is easy to see why it is important to raise awareness among employees. This is particularly critical as practices such as BYOD become more common in the workplace.
Larger corporates and financial institutions currently boast the most sophisticated cybersecurity measures, but are also often the most targeted organisations. Among the current defences are honeypots, decoy servers that hold nothing of value, so that any connection to them is suspicious by definition and lets defenders detect and contain the intruder, and data loss prevention (DLP) software.
The latter can detect where data is stored and replicated. “They are really powerful and can track those datasets and see how they move around,” explains Rumble. “So if you start having situations where people start putting attachments into emails it will pick up that this has happened. They’re giving you an intelligent view of what’s going on in your data world.”
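To make the DLP idea Rumble describes concrete, the following is an added example, not BDO's or any vendor's product and not part of the original article, of the kind of check such software applies to an outbound e-mail: it scans the body and attachment text for payment card numbers (validated with the Luhn checksum so that order numbers and phone numbers are not flagged) and for a classification marker, and blocks the message only when it would leave for an external domain. The corporate domain `example.co.nz`, the `CLASSIFICATION: CONFIDENTIAL` marker and the sample messages are all assumptions made for this illustration, and it assumes attachment text has already been extracted upstream.

```python
"""
Minimal data loss prevention (DLP) check for outbound e-mail. This is an
illustration added to the article, not any vendor's tooling. It assumes an
upstream step has already extracted plain text from attachments.
"""
import re
from dataclasses import dataclass, field

# Assumed corporate domain; anything else is treated as external.
INTERNAL_DOMAINS = {"example.co.nz"}

# 13-19 digits optionally separated by spaces or hyphens, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# Hypothetical document classification marker used by this example.
MARKER_RE = re.compile(r"CLASSIFICATION:\s*CONFIDENTIAL", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalised (separator-free) card numbers that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Attachment:
    name: str
    text: str                      # text already extracted from the file


@dataclass
class OutboundMail:
    sender: str
    recipients: list[str]
    body: str
    attachments: list[Attachment] = field(default_factory=list)


@dataclass
class Finding:
    location: str                  # "body" or "attachment:<name>"
    kind: str                      # "card_number" or "confidential_marker"
    detail: str                    # masked value or short description


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def scan_text(location: str, text: str) -> list[Finding]:
    findings = []
    for number in find_card_numbers(text):
        masked = number[:6] + "*" * (len(number) - 10) + number[-4:]   # keep BIN and last four only
        findings.append(Finding(location, "card_number", masked))
    if MARKER_RE.search(text):
        findings.append(Finding(location, "confidential_marker", "document carries CONFIDENTIAL classification"))
    return findings


def evaluate(mail: OutboundMail) -> tuple[str, list[Finding]]:
    """Return ("allow" | "block", findings). Only external recipients cause a block;
    findings are reported either way so that internal movement of data is still visible."""
    findings = scan_text("body", mail.body)
    for att in mail.attachments:
        findings += scan_text(f"attachment:{att.name}", att.text)
    external = [r for r in mail.recipients if is_external(r)]
    verdict = "block" if findings and external else "allow"
    return verdict, findings


# Constructed sample traffic for the illustration (not real messages).
SAMPLE_MAILS = [
    OutboundMail("alice@example.co.nz", ["bob@example.co.nz"], "Monthly figures attached.",
                 [Attachment("figures.txt", "CLASSIFICATION: CONFIDENTIAL\nQ1 revenue by region...")]),
    OutboundMail("alice@example.co.nz", ["partner@gmail.com"],
                 "Here are the card details you asked for: 4111 1111 1111 1111"),
    OutboundMail("alice@example.co.nz", ["partner@gmail.com"],
                 "Order ref 1234 5678 9012 3456, phone 021 123 4567."),
]


def run_samples() -> list[str]:
    """Verdict for each sample message, in order."""
    return [evaluate(m)[0] for m in SAMPLE_MAILS]


if __name__ == "__main__":
    for m in SAMPLE_MAILS:
        verdict, findings = evaluate(m)
        print(verdict, m.recipients, [(f.location, f.kind, f.detail) for f in findings])
```

The first message is allowed because the confidential attachment stays inside the organisation, but the finding is still recorded; the second is blocked because a Luhn-valid card number is addressed to an external domain; the third is allowed because its digit strings are an order reference that fails Luhn and a phone number that is too short. Real DLP products add content fingerprinting, OCR and policy exceptions on top of pattern checks like these, and the card number is masked in the finding so the alert itself does not leak the data.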
While the cost of using the latest security software is prohibitive for many firms, over time this will change, Rumble believes. “Once they’ve got an established marketplace they’ll be able to commoditise it a bit more. All the time you’re building tools around this and getting the right brains to think about it. It’s all about coming up with new ways of prevention. I’m sure that security experts are currently looking at ways of neutralising ransomware risk.”
BDO’s top tips for securing your data:
- Identify your assets, their location and the risks relating to them: ensure you know what data you hold, where it is stored (and in what format) and the sensitivity of that data (eg, personal data, IP, company data).
- Obtain threat intelligence information: stay up to date on the threat landscape relevant to your environment.
- Maintain your security posture by applying a robust patching regime and utilising technical security testing.
- Create a “culture of security” by championing good cyber hygiene across the organisation: implement a robust training regime that educates employees about the risks to data confidentiality and their own personal responsibilities in managing that risk.