CIO

The top cyber risks for NZ in an interconnected world

New Zealand organisations lead in awareness of cybersecurity risks, and bringing these to the attention of the board, according to the 2015 Global Information Security Survey. But they need to scale up on key areas to keep constantly evolving cybersecurity threats at bay.

New Zealand organisations are above average in developing a cybersecurity strategy, but are trailing behind their global counterparts in key areas of managing their security and privacy risks, according to The Global State of Information Security Survey 2015.

On the bright side, the global report points out that attention on cybersecurity has catapulted all the way to the top echelons of the organisation.

“It is no longer an issue that concerns only information technology and security professionals; the impact has extended to the C-suite and boardroom,” reads the report. “It is incumbent upon the executive team to take ownership of cyber risk and ensure the board understands how the organisation will defend against and respond to cyber risks.”

The report, now in its 12th year, is conducted by PwC (PricewaterhouseCoopers), CIO and CSO. More than 9,700 security, IT, and business executives across the globe – including 85 from New Zealand – participated.

So where do New Zealand organisations lead when it comes to managing information security and what are the areas they can improve on?

Adrian van Hest, PwC partner and cyber practice leader, says when it comes to privacy, New Zealand is at odds with global practices such as requiring employees to complete training on privacy policy, formally acknowledging compliance and imposing disciplinary measures for violations. It is also lagging behind in using data analytics to measure the risk and impact related to information security, he states.

“These risks are exposing organisations to financial, regulatory, brand and productivity impacts and we’re encouraging them to address these,” says van Hest.

“Cyber risks will never be completely eliminated, so organisations must understand that the perpetual and ever-changing nature of threats demands a fairly dynamic and proactive approach.”

Drilling into local findings and comparing these to global figures, the survey shows the number of detected incidents leapt 48 per cent, to 42.8 million, the equivalent of 117,339 attacks per day in 2013. This increase comes at great cost, with total financial losses attributed to security compromises up 34 per cent over 2013.

Detected security incidents have increased 66 per cent year-over-year since 2009, the survey data indicates.

“It comes as no surprise that the rising incidents and associated financial impacts continue to increase,” says van Hest. “The scale of the breaches is much larger and their impact extends to the C-suite and the boardroom, with insider incidents and high-profile crimes on the rise.”

Worldwide, big losses were more common this year: the number of organisations reporting financial losses in excess of US$20 million nearly doubled from last year.

Despite greater levels of concern, the survey found that global information security budgets actually decreased 4 per cent compared with 2013. Security spending as a percentage of IT budget has remained stalled at 4 per cent or less for the past five years.

“New Zealand organisations are bucking this trend, however, and 67 per cent plan to spend more on their security budgets in the next 12 months,” says van Hest. “Hopefully this means the increased level of activity in ownership of the issues and a strategic approach is now translating into investment and action.”

Meanwhile, high-profile attacks by nation-states, organised crime and competitors are among the least frequent incidents, yet the fastest-growing cyber threats.

This year, respondents who reported a cyberattack by nation-states increased 86 per cent – and those incidents are also most likely underreported. The survey also finds a "striking" 64 per cent increase in security incidents attributed to competitors, some of whom may be backed by nation-states, reports PwC.

“It is vitally important for companies to focus on rapid detection of security intrusions and to have an effective, timely response,” says van Hest. “Given our interconnected business ecosystem, it is equally as important to establish policies and processes regarding third parties.”

Van Hest says larger organisations need to be particularly careful as they’re more likely to be targets since they offer more valuable information and their size and complexity make attacks less likely to be detected.

“Organisations must change from focusing on prevention and controls for security, to an information-centric and risk-based approach that uses controls to enable the business,” he states. “Information is a powerful business asset and the right approach to security and privacy will empower organisations to maximise its potential.”

Here, van Hest shares some steps organisations can take in the light of these findings.

Engage with the board

“One of the learnings from the report in general in New Zealand is we seem to have a higher level of engagement with the boards so they are willing to listen,” says van Hest.

“Like any group of decision makers, they have to deal with both the strategic and the now, and security at this moment is both a strategic and the now.”

Therefore, he says, security is top of the agenda. “Management needs to take advantage of that.”

“You have got a willing audience, you need to get your message clear,” he says.

“The best thing people can do is communicate that to the board, ‘this is the extent of the risks we face’, and get it into terms they understand. Then talk about the plan and why they are going to spend this amount of money.”

Fix the security awareness gap

Across the globe, 51 per cent of respondents have an employee security awareness program, compared with only about 37.5 per cent in New Zealand. So how can organisations fix this gap?

Van Hest says organisations that did well approached this program as a “concerted effort”.

“It means more than simply putting up some guidance or even pointers on an intranet site which some organisations do to effectively tick the box,” he says. “This does not create or improve awareness.

“Where organisations have been effective is where they have engaged their staff members and the messages have been relevant,” says van Hest.

“They put the security objective in context for the user community. They talked about impact on the home user, the family. And, given the nature of their job or industry, what are the things they need to look out for or be aware of?

“When something resonates with the user, they will remember it. It will be something they will do rather than something they know they should do.”

End mobile security complacency

An area where New Zealand trails is implementing a mobile security strategy. Just over a quarter (28 per cent) of New Zealand respondents say they have implemented one, compared to 54 per cent globally.

“It is very hard to retrospectively implement security,” says van Hest. “Like anything, it is far easier or more cost effective to design something from the beginning.

“Once you have gone mobile, you have implemented working practices, the infrastructure and the cost of rolling something out, it is very hard and very costly to put a security wrap over the top of it.

“But if you do that from the get-go, if you actively invest in getting clear on your security requirements upfront, it does make it a much more cost-effective solution.”

Again, if you have not invested in making sure the security you implement is usable and appropriate for your risks, and instead bolt it on retrospectively, you are likely to inhibit the usability and the value of the mobile solution in the first place, van Hest says.

“It really is down to fundamental design. Security should be a requirement and it should be a conscious decision about what is the nature of the data on the device, what is the importance of the system that is being rolled out that is being mobilised.”

In doing so, determine the usability requirements and the experience you are after, he states. “If it is a very unusable system, trying to fix that once it is deployed is very hard and very costly.”

Wanted: Legal requirements to disclose security breaches

New Zealand also differs from countries like the United States and those in Europe, where there are laws requiring information breaches to be reported.

“We are an anomaly, absolutely, in this regard,” says van Hest. “The rules for disclosure for both public and private companies have been in place in these countries for years.”

He says it is more beneficial to get into a culture of disclosure because organisations will be in a better position to manage incidents.

“With mobility, with partnerships, going to the cloud, this info is getting out there – your systems are interconnected in an ecosystem. The challenge of you being able to control stuff diminishes,” he says.

“As such, you need to invest in detection systems. How do you actively detect something rather than prevent and equally how and what is your capability to react?”

“These are things you have to address, and you have to do that holistically, from detection to effective communication to recovery. Do you have this capability in your organisation? Because you are going to need it.”

Dr Ryan Ko, senior lecturer at the University of Waikato and head of the Waikato Cyber Security Lab, says that, from his research, companies in the US and other countries also have an opt-in system, where they share information with trusted groups or organisations such as MITRE or CERT.

In terms of audit and fraud prevention, there are US regulations such as the Sarbanes-Oxley Act (SOX) and HIPAA that mandate how controls are implemented and how data is stored and processed within companies.

“For NZ, my view is that legislation holding company leaders to account for failure to control cyber security risks faced by their assets would take some time as this is not a straightforward matter,” he says.

“Over time, clients of security-negligent companies will choose the more cyber-ready providers or business partners, resulting in natural selection.

“The pressure to maintain a gold standard in cyber security and management would increase as time goes by, and there will be a point when industry expectations stabilise and the legislation proposed is ready to meet these expectations.”

In the types of security incidents that have occurred over the past year, New Zealand shares the same distribution pattern as the rest of the world, he says.

“This shows that no region or country is better protected in one area or another,” notes Ko. “Everyone faces the same threats, and pretty much the same risks.”

Ko points out one difference in the local figures: New Zealand faced fewer data exploitation incidents (12 per cent, compared to 30 per cent globally), perhaps due to the smaller amount of data hosted in NZ.

With regard to the likely source of incidents, New Zealand shares a common thread with the rest of the globe: the top culprits are insiders, led by current employees (20 per cent in New Zealand, 34.5 per cent globally) and former employees (27.7 per cent in New Zealand, 30 per cent globally). These are followed by current and former service providers, consultants and contractors, and suppliers and business partners.

Ko says these figures indicate that “all countries and regions are vulnerable to the same sources of incidents – their past and present employees”. “Having a robust security strategy could have prevented this, as the company would have removed employee accounts and/or access rights from the moment they leave the company.”

Data compromises and theft

When asked how the organisation was impacted by security incidents, across the globe, nearly 30 per cent said employee records were compromised. In New Zealand, however, the figure is 41.5 per cent.

“It is a concern when one sees how easily employee records are compromised in NZ,” notes Ko. “On the other hand, New Zealand does well in preventing the loss or damage of internal records. There is a possibility that good storage and preservation of internal records led to a higher chance of employee records being compromised.”

Worldwide, the top three impacts on the business were theft of hard intellectual property (business plans, sensitive financial documents: 26.8 per cent in NZ, 14.8 per cent globally); theft of soft IP (processes, institutional knowledge: 20.7 per cent in NZ, 24 per cent globally); and financial losses (15.9 per cent in NZ, 19.7 per cent globally).

When asked about the greatest obstacles to improving the overall effectiveness of the organisation’s information security function, New Zealand organisations listed leadership (CEO, board, CIO or CISO) as the top reason.

Ko says the government, through the ConnectSmart initiative, has recognised such risks and has prepared checklists and information (e.g. the SME Toolkit) for small and medium enterprises.

“Perhaps the leadership’s accountability of the cyber safety of their company should be made official, much like the usual leadership’s accountability of finances of a company,” he states.

A CIO’s perspective: Security first

Kevin Angland, CIO of IAG New Zealand, is emphatic about the critical role of education and awareness when it comes to cyber security, and about why security should be considered from the outset of any process in the organisation.

“We see events occur in the marketplace and they immediately become a trigger for us to say, ‘Well okay, have we got enough certainty that we could stop that happening here?’”

Some of that will be the education component of reminding people, and some of it will be, from an IT perspective, putting more risk mitigation processes in place to stop cyber attacks from happening, he says.

He says IAG has a strong learning and development process.

“It’s not something that's just IT specific, we’ll bundle that up with other online learning programs.”

IAG has a head of information security who reports to him, and has created a new role, the chief risk officer.

“What we’re doing now is bundling risk aspects under an executive who is responsible for risk,” he says.

“If you think about our organisation, our biggest asset is the information and the data that we hold around our customers,” says Angland.

“We would say information security is everybody’s business because a security breach could be as simple as putting the wrong customer’s information in an email and sending it somewhere that it shouldn’t have gone.”

“So the big role of the information security team is, to a large extent, the boundary protection and making sure we’ve got mechanisms in place to prevent breaches.”

IAG has a holistic approach to information security. Depending on the scenario, Angland says the organisation has a crisis management process. That could be anything from a fire at a major site or an earthquake, to a potential information security breach with significant media reputational risk attached to it, he says.

“We would invoke our crisis management plan, which has a mixture of leadership across the organisation. It's not IT specific; it's an organisational wide process.

“We are an insurance company. And so our job is to identify, manage, and mitigate risk.”

Insurance is also one of those industries that is moving more and more online, he says. “We’ve got to be absolutely certain that in building new solutions, which is what our customers want, we’re not exposing that asset or the organisation to risk.

“That’s a key: We don’t deploy any new public facing technology without conducting a significant amount of security penetration testing on that solution before we would make it live.

“Security is designed in at the outset rather than ‘now [that] I've got all this, how do we secure it?’”

Send news tips and comments to divina_paredes@idg.co.nz

Follow Divina Paredes on Twitter: @divinap