NZ Inc. grapples with cybersecurity as it suffers a hidden scourge

New Zealand CIOs, CSOs, security consultants, and government officials debate the merits of mandatory reporting, stepping up criminal investigations, and not paying ransom.

boxing man defense

Should it be mandatory to report cybersecurity breaches, even if it results in media attention? Or does keeping cyberattacks under wraps help minimise the risk? Those are questions being grappled with by CIOs and CSOs throughout New Zealand, following the well-publicised cyberattacks on the NZX.

Government Communications Security Bureau (GCSB) director-general Andrew Hampton told a trans-Tasman Business Circle audience this week that the perpetrators of the DDoS attacks on the stock exchange are “highly likely” to be a criminal group, which has also been active in Australia and globally. He says the group has been active for up to two years, and “in terms of their motivation, it’s all about money.”

Divided views on whether cyberattacks should be made public

Hampton’s advice to companies under attack is that, while it is important to make customers and stakeholders aware of what is occurring if it affects them, be careful what you say publicly.

What we do know is that this actor, or actors generally, they are monitoring what is in the media, they are responding to what’s in the media. If they see an organisation is being rattled in the media, they’ll hit them harder. So that’s my advice to organisations: to be very careful about what they say publicly. … By outing yourselves, by saying you’re subject to a DDoS attack, which is very serious, and what the volumes are, is likely to incentivise them to go harder.

To continue reading this article register now

Download CIO's Roadmap Report: 5G in the Enterprise