This is a high-level, targeted, incredibly sophisticated 'services for hire' industry...These are massive commercial players who have the ability to access and shut down almost every system.
Communications Minister Amy Adams began her talk on cyber risk recounting her meeting last month with a group of cybersecurity providers.
“They are the ‘bad guys for hire’,” she told those attending the forum organised by the Institute of Directors. “They test your system and try to hack it.”
She says the company, which she did not identify, has been doing this work for 10 years. Its clients included banks, insurance companies, hospitals and medical providers, “you name it.”
The company executives told her they have not found a system they can not get full access to in a week.
She says the core message from cyber professionals is that security has to be designed in every aspect of the business process.
“Cyber is not just a technology issue, it is not something you bolt onto your system,” she says. “You don’t build an IT system and add on a cyber product at the end of it.”
Data is the number one asset in most businesses, she says. “Your data has to be protected.”
She says the single biggest risk in most firms is people. One common method cyber criminals use get data is to simply buy access codes from internal staff.
“You can have the flashiest systems in the world but if your staff member is offered $20,000 for their login code, the number of people who will take it is surprisingly high.”
She also shares another strategy by cybercriminals. A person will gain entry into an office and replace a mouse. The new mouse looks like the one it replaced and works entirely as a mouse, but creates a vector that secures the access code.
As well, it is a question of whether you know you have been hacked. As shown by the fake-mouse technique, you would not know someone had full access to your system, she says.
There is a significant shortage of skilled cybersecurity professionals
Data held hostage
One security threat on the rise is ransomware, she says.
This is when organisations have to pay the hackers in order to get their data back.
She says a global security expert has reported that from January to March 2016, the level of ransomware attacks in New Zealand went from 33 per cent of all malware to 90 per cent.
That level of escalation shows incredible growth in that space, she says. “Again, that sort of thinking is what you have got to be aware of.
“One of the messages I really work hard to get out to people is the digital economy and this great thing called cyber economy, is not just happening in the IT sector,” she told the Institute of Directors' forum.
“The transformation we are seeing is happening in every single sector in New Zealand.''
Whether it is farming, law, medicine, retail, tourism or manufacturing “if you business hasn’t already been transformed by cyber, it will be.”
Thus cyber economy can be seen both as an opportunity or threat or challenge with new competitors.
While it is a threat, there is also tremendous opportunity for the smallest niche business in a remote part of New Zealand to reach a global audience and customer base.
“This is not a technology challenge for your technology department. It is one of the most fundamental risks you will be dealing with,” she says.
CERT is the place where business and government can share what is happening on the ground and get real-time information about what is coming, what to look out for and how to deal with it
Bigger than the drugs trade
She reminds the crowd: The cybercrime industry is now bigger than the global drugs trade.
“There is more money being made every year from ‘cybercrime to order’ than there is in drugs,” she says.
Moreover, the criminal network behind this is “incredibly sophisticated”, not a bunch of sweaty 16-year-olds thinking of shutting down your website.
Their activities can range from identity theft, to getting information about your business from your contractor.
“These are massive commercial players who have the ability to access and shut down almost every system.”
Adams says the government is putting cybersecurity “up front and centre” because if it encourages New Zealand to take advantage of the digital economy, it needs to be upfront about the challenges.
The world is increasingly global and New Zealand has to take note on what its global partners are seeing within the threat patterns.
The cybersecurity information shared by its partners is incredibly valuable.
This, she says, is part of the genesis for the formation of the national CERT (Computer Emergency Response Team).
She says CERT is one of the core deliverables when the government refreshed its cybersecurity strategy last year.
The CERT, which will be operational early 2017, is a one-stop shop, a single entry point for cyber issues.
CERT is the place where business and government can share what is happening on the ground and get real-time information about what is coming, what to look out for and how to deal with it, she states.
CERT won’t solve everybody’s issues, but it will track what is going on and disseminate the information, she says.
Adams raises a final point about cybersecurity.
There is a significant shortage of skilled cybersecurity professionals, she says. This is not only true in New Zealand, it is a global issue.
There are some very good cybersecurity professionals in New Zealand, but sometimes it is hard to know who is offering a quality service and what that looks like, she says.
“We are simply not training enough people in this space.''
Follow Divina Paredes on Twitter: @divinap
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.