CIO upfront: Get the fundamentals right, build trust with security baselines

The latest Microsoft security study ranks New Zealand as one of the most low-risk countries in the world for cyberattacks. However, Kiwis have also seen a 205 per cent increase in cybersecurity incidents in the past year. As we’ve learned the hard way, low risk does not mean no risk, writes Russell Craig of Microsoft NZ


The meteoric explosion of connected devices, backed by online cloud-based services, is creating tremendous economic and social opportunities for consumers, governments and businesses.

At the same time, the deluge of confidential data being transmitted and stored creates an increasingly lucrative target for cybercriminals.

The latest Microsoft security study ranks New Zealand as one of the most low-risk countries in the world for cyberattacks, which is excellent. However, Kiwis have also seen a 205 per cent increase in cybersecurity incidents in the past year. As we’ve learned the hard way, low risk does not mean no risk. New threats are always evolving, and as our organisations go even more digital, we need a strong cybersecurity framework more than ever.

Today, many organisations and governments are struggling to deal with the growing sophistication and prevalence of cyberattacks as well as the opportunistic, evolving nature of cybercrimes.

According to our latest Security Intelligence Report (SIR) Volume 24, as organisations become better at dealing with ransomware, attackers are increasingly returning to the stealthier modes of operation they have employed in the past. They are seeking to stay under the radar while they carry out new forms of attack.

For example, we are seeing the emergence of cryptocurrency mining malware, which uses the infected devices’ compute power to “mine” cryptocurrency such as Bitcoin. This trend is especially prevalent in Asia Pacific, where the cryptocurrency mining malware encounter rate is 17 per cent higher than the global average. Despite New Zealand’s high ranking as a secure digital nation, last year we ranked 29th in the world for cryptocurrency mining malware encounters. This increase reflects the rise in cryptocurrency values: as the value of cryptocurrency rises, so does the encounter rate.


The result of such an attack is a severe degradation in the device’s performance, while the cybercriminals retain backdoor access to the system. This approach also allows them to harness the processing power of hundreds of thousands of computers. Even when an infection is discovered, the anonymous nature of cryptocurrency complicates efforts to track down the responsible parties.

Another form of malware with increasingly insidious delivery methods is the drive-by download, which infects unsuspecting users when they visit a compromised website. Users can be infected simply by visiting the site, without attempting to download anything.

Based on our SIR, Asia Pacific suffers 22 per cent more drive-by download attacks than the rest of the world, although New Zealand is so far unaffected, with an encounter rate 100 per cent lower than the global average.

In the modern digital world, it’s unlikely that will be the case forever. What makes drive-by downloads that much harder to guard against is that they can be hosted on legitimate websites: attackers gain access to legitimate sites through intrusion, or by posting malicious code to a poorly secured web form.

More advanced drive-by download campaigns can also install ransomware or even cryptocurrency mining malware.

According to the SIR, Japan, Australia and New Zealand have the lowest malware encounter rates in Asia Pacific.

Our relative safety relies on our mature cybersecurity infrastructures and well-established programmes for protecting critical infrastructure and communicating with all New Zealanders about basic cybersecurity best practices. Organisations such as CERT NZ, Netsafe and the National Cyber Security Centre are good examples.

One of the ways to raise security readiness across industries and cyber resiliency within an organisation is through security baselines, which are a foundational set of policies, outcomes, practices and controls intended to help organisations manage cybersecurity risk and build trust in their digital initiatives.


Security baselines are particularly useful in improving cybersecurity because they can cover a range of risks that are applicable across a variety of environments. While cyberthreats constantly evolve, most risks faced by governments and enterprises are similar, so security baselines can address a significant majority of cyber risks across organisations.

Encouraging, enabling and requiring organisations, especially critical infrastructure providers, to better manage cyber risks is a sensible government priority given the tremendous damage that cyberattacks can wreak.

CERT reported a 205 per cent increase in cybersecurity incidents in 2018, with 18 per cent of targets experiencing financial loss. Total losses amounted to $14 million, and this doesn’t take into account less tangible impacts such as reputational damage, lost productivity, data loss and even emotional harm.

Likewise, the approaches that organisations take in developing, evolving, and implementing security baselines will have far-reaching impacts.

Effective approaches will not only strengthen their security posture but also support innovation, productivity and economic opportunity.

A balanced, comprehensive approach that assesses and manages cybersecurity risk in the context of overall enterprise risk management is critical. Organisations that are developing or evolving security baselines can promote and foster a holistic approach by considering the following best practices:

  • Use a ‘common language’ to discuss risk: a shared way of understanding and using terms and concepts. This enables stakeholders to communicate meaningfully about risk, resulting in better-informed decisions on how to prioritise resources and creating continuity in security strategy, planning and investments.
  • Establish a set of baseline practices grounded in your organisation’s risk and threat landscape. This allows you to focus on security strategies and practices that are likely to have the greatest positive impact. The ‘Guidance’ section of the SIR discusses cybersecurity measures that can help you bolster your prevention, detection and response capabilities.
  • Make your security baselines outcome-focused, articulating what your organisation should aim to achieve, rather than how you should implement security. This provides you with the flexibility to regularly update your security baseline to reflect the changing technology and threat environments.
  • Leverage existing industry best practices and guidelines. Rather than building out a set of risk management practices from scratch, utilising tried and tested methods such as the NIST Cybersecurity Framework will provide you with a valuable starting point.

The consequences of cybercrime are not just economic costs; it also erodes individual privacy and diminishes trust in online services.

A robust and holistic security baseline that organisations can reference and assimilate will allow both public institutions and private companies to accelerate the adoption of cloud-based innovation and maximise the benefits of promising new technologies such as artificial intelligence.

Equally important, it will endow individuals with the trust and confidence they need to make the most of technology and participate meaningfully in the digital economy.

Russell Craig is national technology officer, Microsoft New Zealand