The top cyber risks for NZ in an interconnected world
The top cyber risks for NZ in an interconnected world
New Zealand organisations lead in awareness of cybersecurity risks, and bringing these to the attention of the board, according to the 2015 Global Information Security Survey. But they need to scale up on key areas to keep constantly evolving cybersecurity threats at bay.
New Zealand organisations are above average in developing a cybersecurity strategy, but are trailing behind their global counterparts in key areas of managing their security and privacy risks, according to
The Global State of Information Security Survey 2015.
On the bright side, the global report points out that attention on cybersecurity has catapulted all the way to the top echelons of the organisation.
“It is no longer an issue that concerns only information technology and security professionals; the impact has extended to the c-suite and boardroom,” reads the report. “It is incumbent upon the executive team to take ownership of cyber risk and ensure the board understands how the organisation will defend against and respond to cyber risks”.
The report, now on its 12th year, is conducted by PwC (PricewaterhouseCoopers), CIO and CSO. More than 9,700 security, IT, and business executives across the globe – including 85 from New Zealand – participated.
So where do New Zealand organisations lead when it comes to managing information security and what are the areas they can improve on?
Adrian van Hest, PwC partner and cyber practice leader, says when it comes to privacy, New Zealand is at odds with global practices such as requiring employees to complete training on privacy policy, formally acknowledging compliance and imposing disciplinary measures for violations. It is also lagging behind in using data analytics to measure the risk and impact related to information security, he states.
“These risks are exposing organisations to financial, regulatory, brand and productivity impacts and we’re encouraging them to address these,” says van Hest.
“Cyber risks will never be completely eliminated, so organisations must understand that the perpetual and ever changing nature of threat, demands a fairly dynamic and proactive approach.”
Drilling in on local findings and comparing these to global figures, the survey shows the number of detected incidents leapt 48 per cent or to 42.8 million, the equivalent of 117,339 attacks per day in 2013. This increase comes at great cost with total financial losses attributed to security compromises increasing 34 per cent over 2013.
Detected security incidents have increased 66 per cent year-over-year since 2009, the survey data indicates.
“It comes as no surprise that the rising incidents and associated financial impacts continue to increase,” says van Hest. “The scale of the breaches is much larger and their impact extends to c-suite and the boardroom, with insider incidents and high-profile crimes on the rise.”
Worldwide, big losses have been more common this year as organisations reported financial losses in excess of US$20 million, which nearly doubled from last year.
It is incumbent upon the executive team to take ownership of cyber risk and ensure the board understands how the organisation will defend against and respond to cyber risks.
Despite greater levels of concern, the survey found that global information security budgets actually decreased 4 per cent compared with 2013. Security spending as a percentage of IT budget has remained stalled at 4 per cent or less for the past five years.
“New Zealand organisations are bucking this trend, however, and 67 per cent plan to spend more on their security budgets in the next 12 months,” says van Hest. “Hopefully this means the increased level of activity in ownership of the issues and a strategic approach is now translating into investment and action.”
Meanwhile, high profile attacks by nation-states, organised crime and competitors are among the least frequent incidents, yet the fastest-growing cyber threats.
This year, respondents who reported a cyberattack by nation-states increased 86 per cent – and those incidents are also most likely underreported. The survey also finds a "striking" 64 per cent increase in security incidents attributed to competitors, some of whom may be backed by nation-states, reports PwC.
“It is vitally important for companies to focus on rapid detection of security intrusions and to have an effective, timely response,” says van Hest. “Given our interconnected business ecosystem, it is equally as important to establish policies and processes regarding third parties.”
Van Hest says larger organisations need to be particularly careful as they’re more likely to be targets since they offer more valuable information and their size and complexity make attacks less likely to be detected.
This year, respondents who reported a cyberattack by nation-states increased 86 per cent – and those incidents are also most likely underreported.
“Organisations must change from focusing on prevention and controls for security, to an information-centric and risk-based approach that uses controls to enable the business,” he states. “Information is a powerful business asset and the right approach to security and privacy will empower organisations to maximise its potential.”
Here, van Hest shares some steps organisations can take in the light of these findings.
Engage with the board
“One of the learnings from the report in general in New Zealand is we seem to have a higher level of engagement with the boards so they are willing to listen,” says van Hest.
“Like any group of decision makers, they have to deal with both the strategic and the now, and security at this moment is both a strategic and the now.”
Therefore, he says, security is top of the agenda. “Management needs to take advantage of that.”
“You have got a willing audience, you need to get your message clear,” he says.
“The best thing people can do is communicate that to the board, ‘this is the extent of the risks we face’, and get it into terms they understand. Then talk about the plan and why they are going to spend this amount of money.”
Providing business technology governance to boards is tipped to be one of the most sought after skills in the digital economy.
The scale of the breaches is much larger and their impact extends to c-suite and the boardroom, with insider incidents and high-profile crimes on the rise.
Across the globe, 51 per cent of respondents have an employee awareness security program but only about 37.5 per cent in New Zealand. So how can organisations fix this gap?
Van Hest says organisations that did well approached this program as a “concerted effort”.
“It means more than simply putting up some guidance or even pointers on an intranet site which some organisations do to effectively tick the box,” he says. “This does not create or improve awareness.
“Where organisations have been effective is where they have engaged their staff members and the messages have been relevant,” says van Hest.
“They put the security objective in context of the objective in context for the user community. They talked about impact on the home user, the family. And, given the nature of their job or industry, what are things they need to look out for or be aware of?
“When something resonates with the user, they will remember it. It will be something they will do rather than something they know they should do.”
End mobile security complacency
An area where New Zealand trails is implementing a mobile security strategy. Just over a quarter (28 per cent) of New Zealand respondents say they have implemented one, compared to 54 per cent globally.
“It is very hard to retrospectively implement security,” says van Hest. “Like anything, it is far easier or more cost effective to design something from the beginning.
“Once you have gone mobile, you have implemented working practices, the infrastructure and the cost of rolling something out, it is very hard and very costly to put a security wrap over the top of it.
“But if you do that from the get go, if you actively invest on getting clear on your security requirements upfront, it does make it a much more cost effective solution.”
Again, if you have not invested in making sure the security you implement is usable and appropriate for your risks, and do it retrospectively, you are likely to inhibit the usability and the value of the mobile solution in the first place, van Hest claims.
“It really is down to fundamental design. Security should be a requirement and it should be a conscious decision about what is the nature of the data on the device, what is the importance of the system that is being rolled out that is being mobilised.”
In doing so, determine what are the usability requirements and experience you are after, he states. “If it is a very unusable system, trying to fix that once it is deployed is very hard and very costly.”
When does information security become involved in major projects?
Wanted: Legal requirements to disclose security breaches
New Zealand also differs from countries like the United States and in Europe where there are laws requiring information breaches to be reported.
“We are an anomaly, absolutely, in this regard,” says van Hest. “The rules for disclosure for both public and private companies have been in place in these countries for years.”
He says it is more beneficial to get into a culture of disclosure because organisations will be in a better position to manage incidents.
“With mobility, with partnerships, going to the cloud, this info is getting out there – your systems are interconnected in an ecosystem. The challenge of you being able to control stuff diminishes,” he says.
“As such, you need to invest in detection systems. How do you actively detect something rather than prevent and equally how and what is your capability to react?”
“These are things you have to address you have to do that holistically, from detection to effective communication to recovery. Do you have this capability in your organisation? Because you are going to need it.”
Dr Ryan Ko, senior lecturer at the University of Waikato and head of the Waikato Cyber Security Lab, says from his research, companies in the US and other countries also have an opt-in system, where they would share information with trusted groups or organisations such as MITRE or CERT.
In terms of audit and fraud prevention, there are USA regulations such as the Sarbanes-Oxley Act (SOX) or the HIPAA which mandate how controls are implemented, and data are stored and processed within companies.
“For NZ, my view is that legislation holding company leaders to account for failure to control cyber security risks faced by their assets would take some time as this is not a straightforward matter,” he says.
“Over time, clients of security-negligent companies will choose the more cyber-ready providers or business partners, resulting in natural selection.
“The pressure to maintain a gold standard in cyber security and management would increase as time goes by, and there will be a point when industry expectations stabilise and the legislation proposed is ready to meet these expectations.”
The pressure to maintain a gold standard in cyber security and management would increase as time goes by, and there will be a point when industry expectations stabilise and the legislation proposed is ready to meet these expectations.
Dr Ryan Ko, University of Waikato
With the types of security incidents that have occurred over the past year, New Zealand shares the same distribution patterns with the rest of the world, he says.
Ko points out one difference in the local figures, which is New Zealand faced lesser data exploitation incidents – 12 per cent compared to 30 per cent globally – perhaps due to the smaller amount of data hosted in NZ.”
With regards to the likely source of incidents, New Zealand shares a common thread to the rest of the globe – the top culprits are insiders, led by current employees(20 per cent in New Zealand, 34.5 per cent globally) and former (27.7 per cent in New Zealand, 30 per cent globally) employees. These are followed by current and former service providers, consultants and contractors, and suppliers and business partners.
Ko says these indicate “all countries and regions are vulnerable to the same sources of incidents – their past and present employees,” says Ko. “Having a robust security strategy could have prevented this, as the company would have removed employee accounts and/or access rights from the moment they leave the company.”
Data compromises and theft
When asked how the organisation was impacted by security incidents, across the globe, nearly 30 per cent said employee records were compromised. In New Zealand, however, the figure is 41.5 per cent.
“It is a concern when one sees how easy employee records are compromised in NZ,” notes Ko. “On the other hand, New Zealand does well in preventing the loss or damage of internal records. There is a possibility that good storage and preservation of internal records led to higher chance of employee records being compromised.”
Worldwide, the top three impacts to the business were theft of hard intellectual property (business plans, sensitive financial documents: 26.8 per cent in NZ, 14.8 per cent globally); theft of soft IP (processes, institutional knowledge: 20.7 per cent in NZ, 24 per cent globally) and financial losses (15.9 per cent in NZ, 19.7 per cent globally).
When asked about the greatest obstacles to improving the overall effectiveness of the organisation’s information security function, New Zealand organisations listed leadership (CEO, board, CIO or CISO) as the top reason.
Ko says the government, with the ConnectSmart Initiative, has recognised such risks and have prepared checklists and information (e.g. SME Toolkit) for small and medium enterprises.
“Perhaps the leadership’s accountability of the cyber safety of their company should be made official, much like the usual leadership’s accountability of finances of a company,” he states.
