Below are the key takeaways from last week’s discussion with New Zealand’s IT leaders, Josh Bahlman and Geoff Burt of Spark, Nick Baty of CCL, with special guest Rob Cochrane, former CIO for NZ Police.
New Zealand is more than ever a target for cybercriminals around the globe. A topical example is the distributed denial-of-service (DDoS) attack on the NZX, which "brought the NZX to its knees for almost a week". A DDoS attack disrupts the normal traffic of a specific server, service or network, and is one example of cybercriminals' malicious attempts to threaten organisations or hold them hostage.
This is by no means the only case: other financial, legal and health institutions have similarly been at the forefront of local and global hacking campaigns.
Resolving cyberattacks can also be more complicated behind the scenes than it looks.
Early DDoS attacks, for example, were volumetric: they sent such a high volume of traffic down the data pipeline that no legitimate traffic could get through.
Last year, multi-targeted, multi-layered attacks on financial institutions took people offline. When hackers attacked the NZX, it was less widely reported that, less than 10 minutes before each attack, Spark was also under attack, in an attempt to prevent Spark from stepping in to help. Hackers also often modify their attacks each time to keep you busy somewhere else. Resolving security attacks that use these newer methods can be a matter of finding a needle in a haystack.
Opportunistic cybercriminals have also preyed on fear and vulnerabilities stemming from COVID-19, highlighting the uneasy reality that cybercriminals are willing to put lives at risk.
What has changed with the New Zealand privacy law? Changes to the Privacy Act mean it's mandatory to report breaches, which has accelerated the transition of responsibility from the IT department to the top level of leadership – including CEOs and government ministers. The potential legal and reputational fallouts now mean that not reporting breaches is a risk beyond what most organisations are willing to bear.
The state of play for cybersecurity
Organisations and people understand the need for it now more than ever. The challenge comes down to three key questions: what and where are their most important information assets, what do they need to invest in, and what is their risk appetite?
Organisations have changed their ways of working almost overnight (an estimated 5 years of change adoption occurring in 2 months), and this has placed increased stress on ill-prepared security personnel and corporate equipment.
As staff need to work from home and access information, the network systems and business protocols haven't necessarily kept up with these evolving requirements. Neither has the mindset shift required to work securely from home.
Couple this with a shortage of skilled IT professionals, and you have the global ingredients for a perfect digital storm.
From a people perspective, corporate leadership and IT are often on different pages, lacking awareness of what the other is dealing with.
Where is the industry going?
Today, the starting point is often understanding security holistically: look at the supply chain and your suppliers, the compliance regimes you have to adhere to, and your technology services, meaning your providers but also the hardware, your servers, your racks, the laptops, the desktops and the phones. All of these require consideration.
On the flip side, remember that it's easy to try to boil the ocean and get overwhelmed by all these issues, particularly for smaller organisations.
Assessing and securing the environment should be based on understanding dependencies and taking an end-to-end perspective when addressing them.
Where to start? Points on a robust security system
Lastly, it's important to acknowledge that security requires time, patience and investment. Once you have established the baseline controls and tested them effectively, you should then consider where you may add additional security value.
Otherwise, you will be the one who wears the impact and the risk, not the cybercriminals.
Ready to talk cybersecurity for your business?