Rotorua Daily Post

Gaps in cybersecurity leave NZ’s largest companies vulnerable

New Zealand’s top business leaders say there are wide and growing gaps in cybersecurity, with the day-to-day operations of the country’s largest companies constantly in the crosshairs.

A number of large businesses with more than 100 staff were victims of cybercrime in 2023, according to independent research released by technology services firm Kordia.

The operations of a third of large businesses were disrupted by a cyberattack in the past year and 70 per cent of the 200 business leaders surveyed said they were willing to pay a ransom to restore their systems.

“Cybercriminals are financially motivated. What’s interesting in this survey is it highlights the beginning of a trend where hackers are targeting operational downtime over stealing or encrypting data as a means of extorting their victims,” Kordia spokesman Alastair Miller said.

He said this was following an overseas trend.

“It’s much harder for organisations to ignore an attack when they can’t function for a period of time,” he said.

“The motivation to pay a ransom is greatly increased when you can’t generate an operational income.”

Cost of crime

The report cited IBM’s Cost of a Data Breach report, which estimated the global average cost of a data breach in 2023 at US$4.45 million — 15 per cent up on the previous three years.

Kordia’s report indicated more than a quarter (28 per cent) of businesses were attacked via a third-party supplier, which highlighted the vulnerability of businesses — even those with robust internal systems and emergency responses in place.

Cloud misconfigurations or software vulnerabilities were responsible for causing cyber incidents for more than a third (39 per cent) of businesses, with nearly half (46 per cent) of cyber incidents and attacks taking longer than one month to resolve.

“Any cyberattack disruptive enough to cause a business to completely go offline can cripple a business in days, but the reality is that a major incident can take months to resolve — with costs running into the hundreds of thousands,” Miller said.

“For large businesses and critical infrastructure providers, like the ones we surveyed, operational downtime impacts can have knock-on effects for whole supply chains and our economy.”

Kordia incident response lead Conan Bradley said any money paid to cybercriminals went towards increasing the sustainability of organised crime.

“The decision to pay or not to pay comes with a degree of risk, whichever route you choose. If you pay, what guarantees are there that you will receive the decryption key, or that the actors will not sell your data anyway? Or worse, communicate with other ransomware gangs regarding the entry point and your willingness to pay,” Bradley said.

Despite the risk, Miller said New Zealand businesses lagged behind other leading economies when it came to elevating cybersecurity to the highest levels of governance.

“Only two thirds of businesses said that cyber security was a very important issue for their board, and this must change to see real progress in the overall resilience of our national industrial and business landscape.”

He said changes to Australian regulations and elsewhere could see boards give more priority to cybersecurity.

“Australia has made notable changes to cyber security governance through a slew of legislative changes including harsher privacy law penalties of up to $50 million and mandatory reporting requirements for ransomware attacks,” he said.

“Business leaders are eager to see more action to penalise organisations that fail to adequately protect data.

“New Zealand’s current privacy laws only punish failure to report a breach and that caps penalties at $10,000, significantly more restricted and lower than legislation in other Five Eyes nations.” —RNZ