5 Mar 2024

Growing gaps in NZ's cybersecurity - research

5:59 am on 5 March 2024

NZ businesses lag behind when it comes to elevating cybersecurity to the highest levels of governance, according to new research. Photo: 123RF

New Zealand's top business leaders say there are wide and growing gaps in cybersecurity, with the day-to-day operations of the country's largest companies constantly in the crosshairs.

A number of large businesses with more than 100 staff were victims of cybercrime in 2023, according to independent research released by technology services firm Kordia.

The operations of a third of large businesses were disrupted by a cyberattack in the past year and most (70 percent) of the 200 business leaders surveyed said they were willing to pay a ransom to restore their systems.

"Cybercriminals are financially motivated. What's interesting in this survey is it highlights the beginning of a trend where hackers are targeting operational downtime over stealing or encrypting data as a means of extorting their victims," Kordia spokesperson Alastair Miller said.

He said this was following an overseas trend.

"It's much harder for organisations to ignore an attack when they can't function for a period of time," he said.

"The motivation to pay a ransom is greatly increased when you can't generate an operational income."

Cost of crime

The report cited IBM's Cost of a Data Breach report, which estimated the global average cost of a data breach in 2023 at US$4.45 million - 15 percent up on the previous three years.

Kordia's report indicated more than a quarter (28 percent) of businesses were attacked via a third-party supplier, which highlighted the vulnerability of businesses - even those with robust internal systems and emergency responses in place.

Cloud misconfigurations or software vulnerabilities were responsible for causing cyber incidents for more than a third (39 percent) of businesses, with nearly half (46 percent) of cyber incidents and attacks taking longer than one month to resolve.

"Any cyberattack disruptive enough to cause a business to completely go offline can cripple a business in days, but the reality is that a major incident can take months to resolve - with costs running into the hundreds of thousands," Miller said.

"For large businesses and critical infrastructure providers, like the ones we surveyed, operational downtime impacts can have knock-on effects for whole supply chains and our economy."

Kordia incident response lead Conan Bradley said any money paid to cybercriminals went towards increasing the sustainability of organised crime.

"The decision to pay or not to pay comes with a degree of risk, whichever route you choose. If you pay, what guarantees are there that you will receive the decryption key, or that the actors will not sell your data anyway? Or worse, communicate with other ransomware gangs regarding the entry point and your willingness to pay," Bradley said.

Governance and leadership

Despite the risk, Miller said New Zealand businesses lagged behind other leading economies when it came to elevating cybersecurity to the highest levels of governance.

"Only two thirds of businesses said that cyber security was a very important issue for their board, and this must change to see real progress in the overall resilience of our national industrial and business landscape."

He said changes to Australian regulations and elsewhere could see boards give more priority to cybersecurity.

"Australia has made notable changes to cyber security governance, through a slew of legislative changes including harsher privacy law penalties of up to $50 million and mandatory reporting requirements for ransomware attacks," he said, with some survey respondents supportive of similar initiatives in New Zealand.

"Business leaders are eager to see more action to penalise organisations that fail to adequately protect data.

"New Zealand's current privacy laws only punish failure to report a breach and that caps penalties at $10,000, significantly more restricted and lower than legislation in other Five Eyes nations."

Response and recovery

The report also focused on steps businesses should take before they became victims of a cyberattack.

Among the recommendations was a need to track assets and map out the location of critical data, which was often held in more than one location, and to work to remove anything that was no longer needed or stale-dated, which could expose a company to unnecessary risk.

It was also critical to have a response and recovery plan in place, which was rehearsed on a regular basis - not just with top-tier responders, but with other staff members who may be called to step up in an emergency.

Bradley said the culture of an organisation was perhaps the most important element in the fight against cybercrime.

"In cyberattacks we've responded to here in New Zealand, generally speaking the detection and containment occurs fairly rapidly.

"What takes the most time is the restoration of operations and systems, especially if the business has not adequately backed up their data and systems. It's a time-consuming process."

The report recommended business leaders champion a culture change within their organisation.

"Start by making cyber security a priority at the top of the organisation, to embed responsibility for cybersecurity across all levels of the business."
