'Boards are to blame for increasing cyber attacks' is the headline finding of a new EY report on cyber security.
Directors are signing off on cyber defence budgets that a majority of NZ chief information security officers say are less than they require - and our IT department leaders feel more hard done by than their counterparts in other countries.
EY New Zealand cybersecurity, privacy and trusted-technology partner Nicola Hermansson told the Herald the blame could not all be pinned on directors.
IT departments, and particularly chief information security officers, needed to get better at articulating "as a business problem, not a technology problem and use the language of business.
She noted that the latest quarterly report from our government's Computer Emergency Response Team (Cert NZ), revealed the number one cause of cyber security incidents was still phishing attacks - or staff inadvertently spilling logon details after clicking on dodgy links or email attachments.
And she said a "complex and fractured" regulatory environment didn't help.
But the EY Global Information Security Survey 2021's harshest findings fall at the feet of directors.
The survey of CISOs and other senior IT leaders at 1010 organisations was carried out between March and May this year. It's key for New Zealand respondents:
• Only 32 per cent of respondents believed their boards and executive management teams fully understand the value and needs of the cybersecurity function
• 53 per cent of respondents were working with budgets that fall short of what is required to manage the cyber-related challenges they've seen in the past 12 months - compared to the survey's global average of 43 per cent
• 50 per cent of respondents said they had never felt as concerned as they do now about their ability to manage the cyber threat
• 37 per cent of respondents believed it is only a matter of time until they suffer a major breach that could have been avoided had they been able to invest more in their defences
"CISOs in New Zealand are frustrated," says Nicola Hermansson, EY New Zealand Cybersecurity, Privacy and Trusted Technology Partner.
"While budget pressures are a global concern in this year's survey, resources in Australia and New Zealand appear to be in particularly short supply, and old weaknesses threaten to become serious vulnerabilities."
Such frustration was hinted at in a (initially confidential) May 2020 Reserve Bank report called Digital Services: Consultation for Change, with a foreword by the bank's then-chief information officer Scott Fisher.
The report included the lacerating line that there was "High operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms".
Seven months later, an outdated technology platform used by the RBNZ was hit by a data breach. Fisher quit the Reserve Bank in June this year, in what he called a "personal decision".
Directors' group responds
"Clearly, there's still work to be done," Institute of Directors New Zealand CEO Kirsten Patterson said.
"In our most recent director sentiment survey [published in December 2020] only 54 per cent of directors who responded said their boards regularly discussed cyber-risk and felt they had the capacity to respond to a cyberattack or incident.
"Forty per cent thought their board had a clear picture of their organisation's overall cybersecurity strategy and how it relates to industry best-practice."
EY's Hermansson said some of the onus was on CISOs. Her organisation's report had found "a disconnect between board members and chief security officers at Kiwi businesses."
Part of the solution was directors doing more to school-up on cybersecurity threats. But IT leaders also needed to up their game in terms of framing threats in business terms - the better to engage boards' attention.
Patterson agreed. "In our experience, boards are taking these issues very seriously, with directors upskilling and upskilling fast. But it's crucial too that management teams look at how they are communicating these risks to their boards and whether more needs to be done in communicating risks and issues clearly and succinctly," she said.
"Issues regarding cybersecurity and other cyber challenges are some of the most challenging for Boards and organisations as they change at high speed, are complex and require constant attention," Patterson added.
"Cyber resilience must be a priority for all boards. It's not just a 'nice to have' on the agenda. The likes of the Reserve Bank and the FMA have been clear from a regulatory perspective that boards need to take responsibility for overseeing cybersecurity.
"The IoD has prioritised cyber resilience for some time as an essential area for directors to be across – and also in terms of having the right skills on the board. We're all responsible. In the same way that everyone's responsible for finance, we're all responsible for health and safety, and we're all responsible for cybersecurity."
Earlier, Kordia CISO Hilary Walton told the Herald that directors and senior managers needed to bear in mind that they could be legally culpable in the event of a cyber attack.
The death of a female patient in Germany last September, which was blamed on a ransomware attack, illustrated how cyber-security and health and safety issues can intersect, Walton said.
She noted that NZ's Health And Safety At Work Act (2015) makes directors and other company officers directly liable if they fail to exercise due diligence to ensure they know about risks, and put processes in place to minimise them.
The Financial Markets Authority recently raked NZX over the coals for under-resourced cyber defences, in a report that followed last year's series of DDoS attacks on the exchange.
And earlier this month, the Office of the Privacy Commissioner issued a Compliance Notice to the Reserve Bank, relating to its December 2020 data breach.
The OPC said the RBNZ had breached Principle 5 of the new Privacy Act, which states that organisations "must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information".
A spokesperson for the OPC said the Reserve Bank risked a $10,000 fine if it did not follow the measures outlined in the Compliance Notice.
However, Privacy Commissioner John Edwards indicated that was unlikely, given the RBNZ already had upgrades to its security technology and processes under way. Edwards said he was "pleased to see the positive way they've dealt with the aftermath of the attack".
Hermansson said there was one promising stat in EY's report. Some 42 per cent of organisations said they will be investing significantly in data and technology over the next 12 months.
"But only time will tell if this is enough," the EY partner added.