The Post

Small fry face big cyber risks

- MIKE O’DONNELL

OPINION: The world has seen two fairly grunty cyber attacks over the past two months, attacks that cost several companies more than $100 million each.

May’s WannaCry attack was a cryptoworm that targeted computers running the Microsoft Windows operating system. It encrypted data on people’s machines and demanded a ransom payable in Bitcoin.

Then in June the NotPetya incident initially looked like a general ransomware attack as well, but was traced back to a very targeted attack on two of the taxation software partners of the Ukrainian State Bank.

Software users were invited to upgrade their software, but rather than an upgrade, what they received was malware dressed up to look like ransomware.

NotPetya spread quickly, infecting a host of well-known companies including German logistics company DHL, a Cadbury processing plant in Australia and FedEx in the United States.

Here in New Zealand, Ports of Auckland was affected, as were many global ports that interfaced with shipping company Maersk, which was hard hit.

While I’m glad that the impact on New Zealand was limited, I’m also kind of not. It would have been good to have given businesses a bit of a wake-up call about their own state of readiness for a cyber-security attack.

I’m not talking about the big businesses, but more the small to medium-sized companies of 10 to 100 people. Companies that might have an IT manager who does a decent job with often slim resources, but struggles to keep up with a growing business and its demands.

Though small, the systems these companies use can be diverse, including fickle hardware, legacy software, various SaaS services and a range of BYO devices. Together they make it tough to run a defensible perimeter.

There are about 47,000 SMEs in New Zealand – companies with between six and 50 staff. And unlike the big companies they typically don’t have the blessings of dedicated IT security staff, external governance or discretionary time to bone up on the latest digital risks.

The irony is that they will have the same sort of critical information that the big companies have, but with even greater dependence on it because their income stream is typically concentrated in just one or two lines of business.

It’s not clear to me that the cybersecurity industry has done a good job of taking care of these sorts of businesses.

The industry gold standard for bucketing cyber security is the US National Institute of Standards and Technology (NIST), which organises activity into five functions – identify, protect, detect, respond, recover.

It then breaks these five into 22 categories and 98 sub-categories, which is all very well if you are General Electric, or Spark or Xero, and are happy to gold plate.

But it’s pretty much hopeless if you are a 50-person company in Sydenham, Petone or Hamilton.

What SMEs in New Zealand need now is meaningful and relevant advice about what to do and how to do it. Across the ditch the Australians have made a useful start on this with the Australian Signals Directorate’s ‘‘Essential 8’’.

The Essential 8 is a package of eight baseline strategies which will make it much harder for baddies to defile systems. Four of these relate to foiling malware and four are designed to limit the extent of incidents and allow speedy recovery.

It strikes me that New Zealand needs its own version of this to make it easy for SMEs to help themselves, and a responsible agency to own it and actively educate the sector.

An obvious candidate for this is the Government’s recently created $22m Computer Emergency Response Team (CERT NZ).

The Government did a pretty decent job in getting CERT NZ up and running in short order (probably due to a lack of civil servants on the establishment board). But now that it has established the incident reporting service, and embedded itself in the inter-government security ecosystem, the question is: What’s the organisation’s day job?

Seems to me that putting together a framework for the ‘‘big middle’’ of SMEs would be a way to deliver value, as would actively supporting this group to boost net economic growth.

Even better if they are nimble in doing so – a big ask for any small agency embedded in a bulky government organisation.

For those SMEs that are further down the track of understanding the threat, but lack the resources to hire a full-time cyber-risk specialist, there’s another option.

A shrewd little Kiwi company – Cyber Toa – saw this niche and has set up a virtual chief information security officer (CISO) service.

A virtual CISO works inside a company for a few days a month helping them improve their cybersecurity processes and can also step in to lead a response in case of attack. Smart.

Mind you, as a geek mate likes to remind me, even with the best security in place there’s always a weak link, and it’s a wet one.

The weakest link has always been the badly patched, rapidly degenerating, inefficient, inconsistent, memory lapsed, floppy input devices we call humans. And that’s not about to change.


Mike ‘‘MOD’’ O’Donnell is an e-commerce manager and professional director. Way back when he was young he took a case to court that resulted in the first successful custodial prosecution under Section 249 of the Crimes Act (accessing a computer for dishonest purposes).

Photo caption: Small businesses often use diverse IT systems including fickle hardware, legacy software, SaaS services and a range of BYO devices, making it hard to secure them all.
