Research reveals the harmful impact of cyber-attacks on large Kiwi businesses

New Zealand Security Magazine - Update

Alastair Miller, Principal Consultant at Aura Information Security. Image: Kordia.

According to research commissioned by Kordia, operations were disrupted for a third of large businesses in New Zealand impacted by cyber-attacks.


Independent research released by Kordia on Tuesday shows just how detrimental cyber-attacks are to some of New Zealand’s largest businesses.

Of the surveyed businesses that were hit by a cyber-attack in 2023, more than one in three (36%) said their business operations were disrupted, and 29% said personal data was stolen or accessed.

Key research findings

  • One in three (36%) businesses impacted by cyber-attacks or incidents say their business operations were disrupted
  • 28% of businesses impacted by a cyber-attack or incident point to third-party suppliers as the cause
  • 70% of business leaders say they would consider paying a ransom to a cybercriminal
  • Cloud misconfigurations or software vulnerabilities were responsible for causing cyber incidents for almost two out of five (39%) businesses
  • Around 46% of cyber incidents and attacks took longer than one month to resolve
  • 29% of businesses suffering a cyber incident say personal data was stolen or accessed.

More than two-thirds (69%) of businesses claim they experienced an impact from a cyber incident, with nearly half (46%) finding it took more than a month to resolve the incident, including 9% saying it took five months or more.

“Cybercriminals are financially motivated. What’s interesting in this survey is it highlights the beginning of a trend where hackers are targeting operational downtime over stealing or encrypting data as a means of extorting their victims,” said Alastair Miller, Principal Consultant at Aura Information Security, Kordia’s cyber security advisory and testing consultancy. “This is in line with what we’re seeing overseas, such as the recent DP World cyber-attack in Australia.

“It’s much harder for organisations to ignore an attack when they can’t function for a period of time. The motivation to pay a ransom is greatly increased when you can’t generate an operational income.

“Any cyber-attack disruptive enough to cause a business to completely go offline can cripple a business in days, but the reality is that a major incident can take months to resolve – with costs running into the hundreds of thousands. For large businesses and critical infrastructure providers, like the ones we surveyed, operational downtime impacts can have knock-on effects for whole supply chains and our economy.

“Despite this, New Zealand businesses still lag far behind when it comes to elevating cyber security to the highest levels of governance. Only two thirds of businesses said that cyber security was a very important issue for their board, and this must change to see real progress in the overall resilience of our national industrial and business landscape,” continues Miller.  

The human cost of cybercrime

According to the Kordia report, in 2023 global cyber threats impacted New Zealand citizens on a new, escalated scale. The hack on Australian financial services company Latitude saw personal data belonging to one million Kiwis (20% of the population) compromised in the largest privacy breach New Zealand has ever seen.

Miller says harm to privacy is one factor, but increasingly cyber incidents are causing immense harm to the employees of victim organisations as well.

“Around a quarter of respondents said recruiting skilled people to manage cyber security is a top challenge within their business,” said Miller. “The cyber security labour market is incredibly tight, both globally and here in New Zealand, so being able to hire and retain skilled people is crucial.

“Many businesses are asking themselves how they will keep up with the moving threat landscape with so few resources working on mitigating it.”

Miller points to a recent academic study, which found that cyber-attacks can cause high levels of psychological harm — equal to conventional political violence and terrorism.

“With four in five NZ large businesses in our survey saying they faced a cyber incident in the past twelve months, these incidents will likely be taking a significant toll on the wellbeing of many of our cyber security leaders and their teams,” he said.

Changing threats

As cyber security evolves, so do the threats facing New Zealand businesses. Of the businesses surveyed that were subject to a cyber incident, 39% said the incident was due to cloud misconfiguration or software vulnerabilities. Distributed Denial-of-Service (DDoS) attacks were the second most common at 35%.

“In 2023, cloud played the most significant role in cyber-attacks across the board, climbing 11 percentage points year-on-year in our survey,” said Miller.

“In saying this, DDoS attacks continue to feature prominently globally; there has been an increase in activity stemming from geo-political events, including cyber warfare in Ukraine and Israel / Palestine. With a very low barrier to use, DDoS has also been observed as a tactic used in conjunction with other methods, leveraged by threat actors to mask other attacks occurring concurrently.

“Phishing continues to remain in focus, whilst supply chain attacks came to the fore for New Zealanders, with third-party attacks featuring in more than a quarter (28%) of all incidents,” he added.

New year, new government, new cyber security legislation?

With the new National Party-led government in place, New Zealand businesses are asking how it will tackle evolving cyber security threats.

Kordia’s survey results show that a third (33%) of Kiwi business leaders want the government to increase spending on national cyber security.

“Business leaders are eager to see more action to penalise organisations that fail to adequately protect data. New Zealand’s current privacy laws only punish failure to report a breach and that caps penalties at NZD$10,000, significantly more restricted and lower than legislation in other Five Eyes nations,” said Miller.

“Australia has made notable changes to cyber security governance, through a slew of legislative changes including harsher privacy law penalties of up to $50 million and mandatory reporting requirements for ransomware attacks. A notable number of respondents have indicated they would be supportive of similar initiatives in New Zealand.

“New Zealand often looks across the Tasman when it comes to policy, so it will be interesting to see whether similar legislation will eventuate here,” he added.

Kordia’s five focus areas for businesses in 2024

1. Plan for recovery as part of your response.

  • Operational downtime can hurt a business more than the initial cyber-attack.
  • Effectively recovering your business as rapidly as possible after a major cyber-attack depends on a properly deployed backup and restore regime.
  • Any solution should include encryption, along with the combination of full, incremental, and differential backups.

2. Security should go hand in hand with a cloud transformation strategy

  • There are lingering perceptions that the cloud is more secure than more traditional on-premises systems. While there are certainly benefits that can be leveraged from the cloud, without the right security layers, businesses are just as exposed.
  • The best way to guard against misconfigurations and security gaps in cloud environments is to get security requirements into cloud projects early, set out how security is factored into your cloud environment, and ensure it evolves as your platforms do.

3. Rationalise spending via risk-based planning

  • Assessing how to invest appropriately in security can be challenging – especially in the face of rising costs and tough economic conditions. As organisations expand their digital operations, a risk-based approach can help rationalise spend and set strategic objectives to ensure security needs are being addressed.
  • Understanding your risks will help determine areas of focus, providing a starting point to building out a holistic security programme. Ongoing measurement of the effectiveness of your strategic roadmap will determine whether your organisation is focusing on the right areas.

4. Factor people into your cyber strategy

  • Human error accounts for many cyber security incidents and data breaches; there’s a great need for better awareness and adoption of security behaviours across all facets of organisations.
  • Business leaders need to champion a culture change within the organisation that sees all employees adopting a mindset shift.

5. Elevate cyber security to the board

  • With increasing impacts and a significant number of businesses confirming that they are being compromised by cyber incidents, it is imperative that board members take cyber defences seriously.
  • Cyber is no longer an IT or operational issue – it requires good governance to ensure that it’s aligned with the overall business strategy, and that initiatives have the right level of focus and resources from the top.

The full cyber security report is available to download at Kordia.co.nz.
