●Adrian van Hest of PwC on the impact of digitisation on the organisation’s information security risk profile, and how New Zealand businesses are responding.
●Prof Hossein Sarrafzadeh of Unitec on immediate steps to take to firm up cybersecurity defences.
●IT lawyer Michael Wigley on what to do if your organisation is hit by ransomware.
●Group IT manager Neil Gong of Airedale Property Trust on cybersecurity pointers for SMBs.
●New Zealand snapshots: Who are the individuals or organisations behind the cybersecurity incidents, plus current and future investments by peer organisations and across industries.
New Zealand organisations are currently transforming their functions and interactions with clients, using an empowered digital platform, says Adrian van Hest, partner and cyber practice leader at PwC New Zealand.
He says the appointment of chief digital officers (CDOs) has been a “very real step change” over the past 12 months, as organisations continue to forge ahead with digitalisation.
However, he believes cybersecurity is a “kind of secondary conversation” for many organisations.
“The challenge with security in the past has always been the generic approach to it, ‘I will do what others would do’ or 'I will do the least I need to do, because it is a cost of doing business'.
“Cybersecurity is still primarily seen as a cost, so we need to mitigate this.
“What is unique in New Zealand is the fact that there is no requirement for organisations to disclose when they lose data.”
The challenge is for organisations to take consumer privacy seriously, van Hest states.
“You are talking about people’s digital lives and keeping their information private. It requires legislation to help drive cultural change. That is what happened internationally.
“Organisations know that if they are the custodians of people’s data, they have to take it seriously. They have to protect it, they have to look after it.”
This demands a cultural change across the organisation, similar to campaigns around health and safety in New Zealand.
“We are very far away from that culture,” says van Hest, who spoke to CIO New Zealand on the results of the local findings for the 2017 Global State of Information Security Survey.
PwC, CIO and CSO interviewed more than 10,000 respondents across the globe, including 89 business and technology executives from New Zealand, for the 2017 report. The survey was conducted online from April 4, 2016 to June 3, 2016.
So what is van Hest's message to Kiwi organisations?
“It is probably a very worn message but even more prescient, which is that ‘context is key’.
“As organisations have moved to adopt more digital strategies and become more digitally dependent, they really need to have a look at what their risk profile looks like.
“And in order to invest effectively, organisations have to take a personalised approach to their cybersecurity. One that is specific to their business needs, their existing digital ecosystem and their relationships with business partners.”
He further notes New Zealand still has a “high trust environment” and therefore people naturally trust people with their data.
But overseas, he says, digital trust is seen as a real enabler or differentiator in the business.
Digitisation of the business continues
Across the globe, 59 per cent of respondents say digitisation of the business ecosystem has led to an increase in security spending. This is only slightly less in New Zealand at 56 per cent.
As to what types of security safeguards they will invest in over the next 12 months, New Zealand organisations cite consistency of authentication across channels and new security needs related to evolving business models (both 68 per cent compared to 41 and 45 per cent respectively across the globe), as the top choices.
These are followed by improved collaboration among business, digital and IT; alignment of business objectives with information security strategy; and digital enterprise architecture.
Across the globe, nearly half of respondents (45 per cent) cited security for Internet of Things, but locally this was cited by just over a quarter (28 per cent) of respondents.
Respondents were asked to whom their CISO, CSO or equivalent senior information security executive reports directly.
Over a third (34 per cent) of respondents in New Zealand say this role reports to the CEO, close to the global figure of 36.3 per cent. This is followed by the CIO, and then the chief operating officer and the Board of Directors.
The reporting line is important because it recognises that cybersecurity is a risk across the organisation, rather than simply a technology risk, says van Hest.
The assets for the functions we are talking about are not IT functions, they are business functions, he states.
“The difference between an organisation that is managing its risk effectively or not, is the executive ownership of cybersecurity,” notes van Hest.
“Put it this way, if the CIO is the owner of risk within an executive team, they need to own it holistically and they need to have the CEO’s backing to enforce or deliver the real cultural change that is needed.”
It is important that cybersecurity is not seen as an IT problem or risk, he says. “It is seen as a collective problem.”
“That is the real challenge for people to get their heads around digital,” he adds, “that digital is not a division of the organisation. It is a platform for the organisation. You cannot isolate digital technology.”
Digital risk exists in the other departments, because of the risks around the data they have, he adds.
“If you make it the responsibility of an individual person who is not often at the top table, but is layers below, then you are not addressing the risks and you do not understand the risks.”
Rise of cloud platforms
This year’s survey finds 63 per cent of organisations worldwide run IT services in the cloud. New Zealand and Australian organisations have higher figures, at 69 and 71 per cent respectively.
Of these, nearly half (45 per cent) of New Zealand respondents say up to 24 per cent of their IT systems are delivered by cloud service providers, while 23 per cent say from 25 to 49 per cent of their IT systems are delivered by cloud service providers.
In five years, they expect these figures to rise: 36 per cent of New Zealand respondents say they expect 50 to 74 per cent of their IT services to be delivered by cloud service providers, with another 18 per cent saying 75 to 99 per cent of their IT services will be delivered this way.
While IT services run the most functions in the cloud in New Zealand and across the globe, other business functions are also moving into this environment. In New Zealand, for instance, more than half (51 per cent) of respondents say they run HR functions in the cloud, followed by operations (43 per cent), and marketing and sales and finance, both at 39 per cent.
Van Hest has a message for these organisations: Ensure your cloud providers comply with security or privacy policies.
“You are giving away your data and putting it on the cloud. And unlike your internal employees, which you have some recourse with, you are now giving it to a third party. You have no recourse if they do not look after the privacy of your data and your clients’ information, and whatever your digital assets are.”
Security incidents: Figures, sources and steps ahead
In New Zealand, the most common attacks come from phishing, exploitation of mobile payment systems, and social media or social engineering.
The survey notes the rise in attacks coming from persons or groups known to the company. Current employees, at 47 per cent (compared to 42 per cent in the previous year), were reported as a likely source of the attacks. Meanwhile, 14 per cent of attacks on local organisations are believed to have come from former employees. The rest of the insider attacks come from current and former service providers, consultants or contractors, suppliers/business partners and customers.
For threats that come from outsiders, nearly half (46.5 per cent) were attributed to unknown hackers. These are followed by organised crime, foreign entities and organisations, foreign nation-states and activists and hacktivists.
As to the impact of these incidents on the organisation, in terms of data, the top ones are loss or damage of internal records, cited by nearly a third (31 per cent) of respondents, and customer records compromised (cited by 14 per cent).
In business terms, the biggest loss was compromise of business mail (35 per cent), followed by ransomware implanted on systems (28.6 per cent), financial losses (20 per cent) and theft of ‘soft’ intellectual property such as information on processes and institutional knowledge (15 per cent).
In light of these findings, how should organisations prepare themselves?
Dr Hossein Sarrafzadeh, head of the department of computing at Unitec, shares some key steps.
First off, training, professional development and graduate hiring programmes are among the main areas organisations should consider investing in, he says.
“Most companies are looking for experienced cybersecurity professionals. Though the number of professionals with experience is limited and their salary expectations are high, retention is challenging if there is neither progression in the organisation nor an ongoing professional development programme,” he explains.
“Companies should seriously consider investing in appropriate training and professional development and hiring more graduates.”
The significant rise in concern over cybersecurity issues has resulted in concern about the number of cybersecurity professionals available and the number of students coming through the pipeline to protect cyberspace, he adds.
According to Forbes, there will be one million cybersecurity job openings in 2016, he states.
This is expected to increase to six million globally by 2019. More than 209,000 cybersecurity jobs in the United States are unfilled.
“This concern is increasing with the rise in the use of digital devices to control the physical environment such as IoT and as cyber threats cross over to the physical world. There is a recognised international shortage of cyber security professionals.”
“For students and IT professionals, the message in this evident shortage is, if you want long-term job security, study cybersecurity,” says Hossein.
Second, he advises organisations to consider taking out cybersecurity insurance. In New Zealand, 29 per cent of respondents say they have cyberinsurance, a figure much lower than their global counterparts at 52 per cent, Asia at 57 per cent and Australia at 68 per cent.
Although the New Zealand cybersecurity insurance industry is not very big, there are companies offering insurance products, says Hossein.
“Still, companies need to check their insurance policies and understand what is and isn’t covered by the policy, and to what liability levels. Cybersecurity health checks are becoming more common and insurance companies may require them before a policy is issued, and then on an annual basis.”
On top of that, depending on their level of security maturity, SMEs should invest in ensuring their basic security and have a good patching practice in place, and ensure systems hygiene, says Hossein.
“They should also invest in their incident response capability. For most organisations, the occurrence of an incident is no longer a question of if but when. Being able to plan and determine a response without the added pressure of having to deal with an incident is an opportunity too precious to waste.”
A balancing act
For small and medium sized organisations, tackling cyber and information security is doubly daunting, notes Neil Gong, group IT manager at Airedale Property Trust.
Managing security well requires specialised skills and expensive resources, which SMB organisations don’t normally have.
"Recently, I saw an IT security audit and assessment offer designed for SMBs and the price starts from $15,000+GST," says Gong. "I would imagine not many small organisations can afford such price. Especially as it is just the discovery and it may cost a lot more for the fix and remedy.”
Another problem with SMBs is that due to lack of internal IT resources, information security becomes a vendor-driven exercise with all focus put on technology components such as antivirus and firewall, he says.
However, it is hard to tell whether your organisation is adequately protected, even with all these investments in IT security solutions, he says.
“To help small and medium size organisations address their security challenges, I believe a simplified and balanced approach can be taken by paying attention to the two key elements: prevention and response.”
Adrian van Hest of PwC, meanwhile, notes that despite the fact most of the cybersecurity issues were related to insiders, New Zealand organisations are spending “too much on network and firewall”.
“They are spending on generic tools that address the risks that are not relevant to them,” says van Hest.
“People are not investing the time to understand what is important to them and they are not focusing on what they spend on. They are not taking a holistic view or adopting a holistic strategy.”
One of the most controversial points is that New Zealand spends “an awful lot of money” on penetration testing, compared to the rest of the world.
He points out New Zealand companies have to diversify into more advanced tools like risk-based authentication/authorisation, while simultaneously addressing risks coming from staff and suppliers.
Penetration testing on its own is highly ineffective, he says.
For penetration testing to be worthwhile, you have to assess your risks first, he says. Then you have the context around what you are testing and why, and you understand the business impact rather than just the technical decisions.
Most importantly, if you look at how an attack or a compromise happens in New Zealand, it is related to social engineering, he says.
“They do not just do the technical things,” he says, “they will try social engineering, they will send you a phishing email.”
“What history teaches us is often the most devastating cyberattacks start with a phishing email,” van Hest says.
He says initial awareness of things such as maliciously planted USB drives that may be infected with malware, or phishing emails, is useful, but this should be supplemented with “a programme of cultural change that comes from the top”.
That is the key, for somebody at the top to understand that this is a business risk and they need to ask their teams the right questions, he states.
“They need to understand because they have become a digital organisation, a security issue or a cyber issue is not an IT problem, it is a business problem.
“As a business, they need to fix it because it is putting their business at risk, not their IT function.”
People have historically asked, “Are we secure?”
“The more important question is, do we understand our risk? What are we doing to manage it?”
“If you understand your risk and you understand your purpose and what your digital assets are, you are in a much better position to use them with confidence.”
Benchmark your investments
What safeguards does your organisation not have in place, but is a top priority over the next 12 months?
“What organisations need to recognise is that this is very much the start of the journey,” says van Hest.
“As New Zealand really dives into digital as we have been doing the past year, the risks and impact will become a lot more real.
“This is the year organisations really need to take it seriously and to invest appropriately and intelligently,” says van Hest. (With additional reporting from CIO US, PwC New Zealand, Neil Gong of Airedale Property Trust and IT lawyer Michael Wigley).
Follow Divina Paredes on Twitter: @divinap