If you’re in business, you’re at risk – a target to all sorts of continuity exposures. Risk management is a vast subject that narrows down to one indisputable fact: the best defence strategy is to be prepared.

The definition of risk management, according to the International Risk Management Institute website, is: “The practice of identifying and analysing loss exposure and taking steps to minimise the financial impact of the risks they impose.” Perhaps a layman’s definition could simply be – staying on top of the challenges that keep business owners awake at night!

There is so much that can be lumped under the heading of risk management – from those increasingly frequent natural disasters to technology risks such as cyber-threats, risks associated around worker safety, late payments, volatile markets, new regulations, the economy – we could go on.

Instead, we’ve selected some key risk exposures and gone to the experts for some strategies and advice. It’s far from comprehensive, and the risks are in no particular order – but tuck yourself in, and let’s see if we can get you sleeping more soundly!


Let’s kick off with the risk that arguably causes the most grief – cybersecurity.

In a global survey conducted by Marsh and Microsoft, 60 percent of New Zealand respondents listed cyber incidents in their top five risks, and only 22 percent said they were highly confident in managing, responding and recovering from one. What’s more, 43 percent of respondents did not assess the cyber risks of their vendors or suppliers.

The 2017 Norton SMB Cyber Security Survey found that almost one quarter of Kiwi SMBs (24 percent) had experienced a cyber-attack or hacking attempt compared to 18 percent in 2016. And cybercrime cost New Zealand SMBs an average of $15,592 in the past 12 months.

Large scale global ransomware attacks and the rise of cryptocurrencies have dominated headlines – the latter contributing to an increase in cryptocurrency scams, with its associated cryptomining (programs that steal computer and mobile phone resources, slowing down and even damaging devices).

Phishing campaigns that steal data on people are becoming increasingly sophisticated; spear phishing is a targeted version where the attacker emails specific people asking for information. CERT NZ, the government-backed agency charged with improving the country’s cyber-security, has seen a report involving a chief executive posting comments on social media while away at a conference. A seemingly legitimate email is then received by his company’s accounts payable ‘from the CE’, requesting to urgently pay an invoice. By the time the CE returned, the money had gone.

Another disturbing example was the Office 365 phishing and ‘credential harvesting’ campaign that circulated in 2017.

Rob Pope, director of CERT NZ, says no business is too small to be targeted. “With the increase in opportunistic cyber-attacks, anyone can be affected. It’s not about living life in fear, or not doing new things because there could be risks, instead it’s about having a solid foundation of cyber-security actions that are easy to implement.”

Pope says small businesses should also think about how mobile devices are used as part of business work, to prevent attackers gaining access to data.

“Your mobile devices need the same level of management and control as any other device.”

(For information about what different cybersecurity issues are and how they can affect you, visit: businesses-and-individuals/guides/)

Norton is a rich source of security tips as well – a standout involves default passwords.

Make it a habit to change default passwords on all network-connected devices, like smart thermostats or Wi-Fi routers, during set-up. And if you decide not to use Internet features on various devices, disable remote access as an extra precaution.

Multifactor authentication is another simple measure for protecting yourself, and your business, from the cyber-attacks mentioned here.

But we’ll leave the final word on cyber-security to Ashley Wearne, GM Australia and New Zealand for Sophos (the company behind Intercept X, an endpoint protection product).

“Cyber-attacks are real and happening every day, to businesses of all sizes – and it’s not just an IT issue. It’s vital that all levels of the business understand the exposures, risks and business implications posed by the technologies keeping us connected.”


Worker health and safety (H&S) is another important consideration under the umbrella of risk management. Nowadays technology plays a major role in ensuring that businesses meet their obligations under New Zealand’s H&S regulations.

An example of this is safety monitoring technology being marketed by Get Home Safe (GHS) – a Kiwi-developed service combo of cloud-based software and GPS-enabled mobile app.

If you have staff who travel or work alone, there is an element of risk that if something goes wrong they may not be able to call for help. GHS doesn’t just share your location, it proactively checks you are OK and is backed by a robust overdue alerting process.

“It’s this risk of not being able to call for help yourself that greatly compounds all other risks associated with any employees traveling or working alone,” explains GHS director and founder Boyd Peacock.

“GHS fits into travel or working alone policy and procedure as being the fail-safe way for all staff to record their work intentions and check in to confirm they are OK, either during or at the safe completion of what they are doing.”

It’s the safety net that sits below every other measure you have in place to cover all obscure, highly unlikely and unforeseen situations, he adds. “To ensure no employee’s left in a situation where they need assistance, [and there’s nobody around].”

Peacock anticipates more companies phasing out manual ways of doing things and automating across every aspect of their admin and safety systems.

“It is fine and well to make it policy you must phone into the office at the start and end of every high-risk task, but the practicalities of actually doing that and keeping a record soon becomes onerous,” he explains. “Which is where GHS makes things quick and easy.”

Peacock is amazed at the variety of applications for his technology. These range from ferry operators logging trips and passenger numbers, lab workers ‘pressing a button’ hourly, aged-care workers checking in after a home visit, and truckers checking in after 14 hours on the road.

“One of the more unique situations we know about is a regional council using Get Home Safe while flying staff between mountainsides planting for erosion control. Staff on the ground, in the air and on the road had full situational awareness on the same screen.”

Peacock says companies are looking for a technology that does much more, and is less error-prone, than simply texting or phoning.

“GHS has a 12-month retention rate of more than 90 percent, so we must be doing something right.”


With online shopping growing exponentially, Card Not Present (CNP) and tap-and-go style payments have become hugely popular. While these changes are welcomed in the market, they’ve led to a dramatic increase in fraud for merchants.

“Failing to update to technologies that deal with new payment types only means greater cost implications for businesses, whether in the form of increased fraud, chargebacks or customer dissatisfaction,” explains Andrew Reszka, Verifi’s regional lead-Australia and New Zealand.

“For merchants and banks alike, this can have enormous cost implications – in the hundreds of millions of dollars.”

For every non-fraud dispute that results in a chargeback the bank charges a fee, he says.

“Often, this fee falls to the merchant who may experience recurring disputes, whereby they struggle to distinguish between legitimate and fraudulent claims – putting themselves at risk of being out of pocket for goods or services provided.”

Reszka believes it’s up to merchants and banks to tackle the issue in a more collaborative manner. To address the issue, Verifi’s primary offering is a chargeback prevention tool. The Cardholder Dispute Resolution Network (CDRN) is a “closed loop” platform that connects global card issuing banks with merchants, to resolve cardholder disputes, often within 24 hours, rather than the current industry average of 30 days.

Also, Verifi’s Order Insight (OI) solution manages dispute deflection before it even reaches the point of becoming a chargeback.


Contingency planning is a key element of risk management, particularly in New Zealand given the number of natural disasters the country experiences. It’s for this very reason that more Kiwi businesses are embracing offshore data centres, Australia in particular, explains Joshua Bartlett, southern region manager-enterprise for information management specialist OpenText.

He says businesses are running a disaster recovery strategy where data is replicated in two data centres located hundreds of kilometres apart, to help reduce potential downtime and disruption. “As technologies advance, however, contingency planning also needs to incorporate potential impacts of security incidents, both internal and external, not just the effects of climate change and natural disasters.”

In terms of developing a contingency plan, Bartlett says it’s essential to understand the information that is critical to keeping a business running at optimal level, and how this could be impacted in the event of an emergency.

“Start with the key information – what can’t go offline, what information needs to always be available and who has access to it – and then form an overall strategy.

“This is not a linear process by any means, and requires engagement across the entire business to ensure all key information is incorporated in the contingency plan and overall risk management process.

“Following this structure will ensure that when an emergency occurs, information either never goes offline or is available as soon as possible,” he says. “This entire process should engage IT partners and risk management firms where relevant, to help and develop comprehensive business contingency plans.”
