Of those surveyed, 80% faced cyber-attacks last year.
New Zealand businesses must be better prepared for increasingly severe, sophisticated, and frequent cyber-attacks, a leading digital forensics expert says.
Conan Bradley, Incident Response and Digital Forensics Practice Lead at cyber-security services company Kordia, says a survey the company ran late last year of over 200 large Kiwi businesses revealed a worrying statistic: 80% of them said they were hit by a cyber-attack or breach in the previous 12 months.
The Government’s Computer Emergency Response Team (CERT) revealed nearly 8000 cyber-security incidents were reported in 2023.
“This is proof that cyber threats are reaching our shores on a new scale,” Bradley says. “In a world increasingly dependent on digital and cloud-first solutions, our geographical isolation offers no shelter against large-scale cyber-attacks and breaches.
“They are arguably one of the biggest risks facing Kiwi businesses today and the reality is every organisation online is a target.”
He says it is imperative businesses understand why it is critical to be prepared. “If I had one message it would be to practice and continue to practise response and recovery plans at least every six months, so that when a breach does occur teams are battle-tested and can resume operations as quickly as possible.
“It is no longer just an IT issue but a whole-of-business issue and while most companies would have recovery plans, I notice that a lot are not practising or testing them. For many, cyber security seems overwhelming, a hill too far to climb but properly deployed processes and technology can better manage attacks and reduce the likelihood of them occurring in the future.”
He says Kordia helps businesses prepare and deal with attacks and breaches through its incident response service which operates 24/7, 365 days of the year. “We love the fight; there is nothing better than stopping a ransomware attack.”
Cyber-crime is costing businesses more. Bradley says a Ministry for Business, Innovation and Employment (MBIE) report, which found almost NZ$200 million was lost by New Zealand organisations to scams in the year to September 2023, makes it clear that “unscrupulous threat actors have discovered there is money to be made by targeting Kiwi organisations.
“Cyber criminals are largely motivated by money and will go to extreme ends to extort victims. They find a target and keep going until they succeed.”
He says just how far they will go was shown globally earlier this year when US-based cloud security firm Zscaler revealed that a staggering US$75 million ransom was paid to a ransomware gang known as Dark Angels, making it the highest known ransom payment yet.
Data is a target too. Bradley says the 2021 hack on Australian financial services company Latitude saw personal data belonging to one million New Zealanders (or 20% of the population) compromised in the largest privacy breach the country has ever seen.
He says attacks not only impact finances but also harm an organisation’s reputation and operations.
“For many, operational downtime can hurt more than the initial attack. In fact, some businesses would simply cease to exist if a cyber-attack took down their IT infrastructure. The cost of rebuilding systems from scratch is enormous – and that’s without factoring in the cost of lost production and sales, legal repercussions and any reputational damage.”
Bradley says Kordia’s 2024 New Zealand Cyber Report showed the risks and damage businesses are facing. Conducted by marketing intelligence agency Perceptive, 219 business leaders were questioned in an online survey in October and November 2023.
Of the 80% who said they had been hit by an attack or breach in the previous 12 months, a third said their day-to-day operations were affected while 29% said personal data was stolen or accessed.
The survey revealed that while 26% of attacks were resolved within a week, 28% took between one and four weeks and 46% took a month or more (including 9% that took five months or longer to resolve).
“In New Zealand, generally speaking, the detection and containment occurs fairly rapidly,” Bradley says. “What takes the most time is the restoration of operations and systems, especially if the business has not adequately backed up their data and systems.”
The report also revealed that 70% of those surveyed said they would consider paying a ransom to a cyber-criminal. But Bradley says this carries a degree of risk – and helps the criminals win.
“I completely understand this if there is no other option, but any money paid to cyber-criminals goes towards increasing the sustainability of organised crime and if you pay, what guarantees are there that you will receive the decryption key, or that the hackers will not sell your data anyway? Or worse, communicate with other ransomware gangs regarding the entry point and your willingness to pay?”
Bradley says cloud adoption in New Zealand has been steadily growing for several years (an International Data Corporation (IDC) study predicts that by 2026, the cloud is expected to add NZ$21 billion to the economy and generate 134,000 new jobs) but presents issues around security.
“Businesses tend to build in the cloud quickly with security often an afterthought. The result means that the cloud works, but it isn’t secure, so businesses need to factor adequate security from the outset.”
Many businesses are also hamstrung by a shortage of people with cyber-skills. The Kordia survey revealed that a quarter of those questioned said they found recruiting skilled people a top challenge.
To learn more about how Kordia’s cyber incident response and forensic services could help you, visit their website.