by Divina Paredes

Kiwi firms urged to take a deeper look at impact of cyberattacks

Nov 29, 2017

Business leaders are not taking cybersecurity seriously enough, and this poses a significant risk to their companies’ reputations, warns Dr Ryan Ko of the University of Waikato.

“Communications is a much neglected aspect of responding to cybersecurity incidents,” says Ko, speaking at a business forum in Hamilton, organised by HMC Communications.

“The spread of information is so fast, and reputations are very hard to get back when lost,” says Ko, who established New Zealand’s first cybersecurity graduate programme and lab in 2012 and is director of the NZ Institute for Security and Crime Science.

Ko says that the size of cybercrime internationally was larger than drug trafficking, according to a Norton Cybercrime Report.

“It was reported that, globally, cybercrime cost $388 billion which was larger than the cost of drug trafficking at $288 billion,” says Ko, in a statement. “Every half-second a unique malware or virus is created somewhere in the world. Cybersecurity is a serious concern for companies, and New Zealand business leaders need to do more to protect their company and their customers.”


Ko says that there was a global trend with businesses and boards of directors being held liable for cybersecurity incidents. “The public perception is that businesses and boards should take responsibility for personal information, and that means cyber-attacks have legal implications for directors,” says Ko. “It’s not a matter of ‘if’ it will happen, but when, and directors may be facing liability.”

Ko cited the example of Target, a well-known US discount retailer, which was affected by a cybersecurity attack in 2013. Hackers stole credit and debit card information from up to 40 million customers, which revealed the company’s weak cybersecurity measures and ended up costing the retailer millions of dollars.

Another case was the Wyndham Worldwide Corporation, a US hotel chain that was sued in 2012 for breaching customers’ confidential information when credit card details were hacked and posted to a Russian website.

Ko says that New Zealand companies are at risk of cyberattack, and more than half – 56 per cent – of New Zealand companies reported experiencing a cyberattack at least once a year (in 2014).

The five top threats to New Zealand companies, identified by Ko and his research team, included ransomware, distributed denial of service (DDoS), social engineering, hijacking unpatched platforms and obsolete communications, cyber forces and weaponry.

“Many think it will not affect them, especially small to medium businesses, but they are not immune,” says Ko.

The one area where management needs training has to be cybersecurity, says Bradley de Souza, an internationally recognised CIO/CTO/COO who has specialised in change, transformation and recovery across industries around the world.

“We are seeing an unprecedented level of security breaches across companies of all sizes and technology maturity.”

He says companies are finding out about breaches too late and they are unable to gauge the size of the issue.

“This has to be the biggest concern for executives today. It has the potential to destroy consumer confidence in an organisation and also materially affect the financials of an organisation.”

As an example, the Paradise Papers leak represents a treasure map of offshore banking and investment activity which can easily be targeted by criminals, he says.

“Breaches in this area are likely to go unreported due to their dubious legal status and lack of transparency. They present criminals with the perfect opportunity as the police authorities will most likely never be involved.”


Sidebar: Is your organisation prepared for a cyberattack?

Top things for business leaders to consider.

  • What is your board of directors doing to address the risk of a cyberattack to your business or organisation?

  • Have cybersecurity policies been reviewed (and do they even exist)?

  • Are there policies around external contractors?

  • Does the business or organisation have cyber insurance?

  • Is there a chief information security officer in the company?

  • What would you do in the event of a cyberattack, operationally and with your communications (internally and externally, including stakeholders and media)?
