Kiwi business urged to act on cyber-crime prevention

6 June 2024

Cyber-attacks present an ever-growing threat to the Kiwi construction industry with independent research revealing just how detrimental cyber-crime is to New Zealand businesses, and how few company boards prioritise the threat.

In Kordia’s national survey of Kiwi businesses with over 100 employees that were hit by a cyber-attack in 2023, more than a third (36%) said their business operations were disrupted, yet only two thirds of businesses said that cyber security was a very important issue for their board.

“Any cyber-attack disruptive enough to cause a business to completely go offline can cripple a business in days, but the reality is that a major incident can take months to resolve – with costs running into the hundreds of thousands. For large businesses and critical infrastructure providers, like the ones we surveyed, operational downtime impacts can have knock-on effects for whole supply chains and our economy,” says Alastair Miller, Principal Consultant at Aura Information Security, Kordia’s cyber security advisory and testing consultancy. 

“Despite this, New Zealand businesses still lag far behind when it comes to elevating cyber security to the highest levels of governance. Only two thirds of businesses said that cyber security was a very important issue for their board, and this must change to see real progress in the overall resilience of our national industrial and business landscape.” 

Of the Kiwi businesses surveyed, 29% said personal data was accessed or stolen in a cyber-attack, and a massive 70% of business leaders said they would consider paying a ransom to a cyber-criminal. Cloud misconfigurations or software vulnerabilities were responsible for causing cyber incidents for almost two out of five (39%) businesses, while third-party suppliers were found to be the cause of the cyber-attack for 28% of Kiwi businesses. The survey also showed around 46% of cyber incidents and attacks on New Zealand businesses took longer than one month to resolve. 

“Cybercriminals are financially motivated,” says Miller. “What’s interesting in this survey is it highlights the beginning of a trend where hackers are targeting operational downtime over stealing or encrypting data as a means of extorting their victims.”

“It’s much harder for organisations to ignore an attack when they can’t function for a period of time. The motivation to pay a ransom is greatly increased when you can’t generate an operational income,” he says. 

The human cost of cybercrime 
In 2023, global cyber threats impacted New Zealand citizens on a new, escalated scale. The hack on Australian financial services company Latitude saw personal data belonging to one million Kiwis (20% of the population) compromised in the largest privacy breach New Zealand has ever seen.

Miller says harm to privacy is one factor, but increasingly cyber incidents are causing immense harm to the employees of victim organisations as well.  

“Around a quarter of respondents said recruiting skilled people to manage cyber security is a top challenge within their business. The cyber security labour market is incredibly tight, both globally and here in New Zealand, so being able to hire and retain skilled people is crucial. 

“Many businesses are asking themselves how they will keep up with the moving threat landscape with so few resources working on mitigating it.”

Miller points to a recent academic study, which found that cyber-attacks can cause high levels of psychological harm.  

“With four in five NZ large businesses in our survey saying they faced a cyber incident in the past twelve months, these incidents will likely be taking a significant toll on the wellbeing of many of our cyber security leaders and their teams,” continues Miller.

Changing threats 
As cyber security evolves, so do the threats facing NZ businesses, reports Kordia. Of the businesses surveyed that were subject to a cyber incident, 39% said the incident was due to cloud misconfiguration or software vulnerabilities. Distributed Denial-of-Service (DDoS) attacks were the second most common at 35%.  

“Phishing continues to remain in focus, whilst supply chain attacks came to the fore for New Zealanders, with third-party attacks featuring in more than a quarter (28%) of all incidents,” Miller says. 

Kordia’s survey results show that a third (33%) of Kiwi business leaders want the government to increase spending on national cyber security, after Australia made notable changes to cyber security governance, through a slew of legislative changes. These include harsher privacy law penalties of up to $50 million and mandatory reporting requirements for ransomware attacks. A notable number of respondents in the Kiwi survey have indicated they would be supportive of similar initiatives here. 

“New Zealand often looks across the Tasman when it comes to policy, so it will be interesting to see whether similar legislation will eventuate here,” adds Miller.  

Kordia has outlined five focus areas for businesses in 2024: 

  1. Plan for recovery as part of your response
    • Operational downtime can hurt a business more than the initial cyber-attack.
    • Effectively recovering your business as rapidly as possible after a major cyber-attack depends on a properly deployed backup and restore regime.
    • Any solution should include encryption, along with the combination of full, incremental, and differential backups.
  2. Security should go hand in hand with a cloud transformation strategy
    • There are lingering perceptions that the cloud is more secure than more traditional on-premises systems. While there are certainly benefits that can be leveraged from the cloud, without the right security layers, businesses are just as exposed.
    • The best way to ward against misconfigurations and security gaps in cloud environments is to implement and get security requirements into cloud projects early, setting out how security is factored into your cloud environment, and to ensure it evolves as your platforms do.
  3. Rationalise spending via risk-based planning
    • Assessing how to invest appropriately in security can be challenging – especially in the face of rising costs and tough economic conditions. As organisations expand their digital operations, a risk-based approach can help rationalise spend and set strategic objectives to ensure security needs are being addressed.
    • Understanding your risks will help determine areas of focus, providing a starting point to building out a holistic security programme. Ongoing measurement of the effectiveness of your strategic roadmap will determine whether your organisation is focusing on the right areas.
  4. Factor people into your cyber strategy
    • Human error accounts for many cyber security incidents and data breaches, so there’s a great need for better awareness and adoption of security behaviours across all facets of organisations.
    • Business leaders need to champion a culture change within the organisation that sees all employees adopting a mindset shift.
  5. Elevate cyber security to the board
    • With increasing impacts and a significant number of businesses confirming that they are being compromised by cyber incidents, it is imperative that board members take cyber defences seriously.

