In this opinion piece, Russell Craig, National Technology Officer for Microsoft New Zealand, examines how NZ companies are missing out on protection against cyber criminals – and on a big opportunity for growth.
Cybersecurity stands or falls on the "zero trust" concept - and it can help business growth.
In business, as in life, trusted relationships are vital – we rely on them for advice, to make the right purchase, to open doors and spark new ideas.
But what if there was a real chance you were dealing with an imposter? Or if your trusted partner was found – intentionally or not – leaking secrets about your organisation? Suddenly, that trust disappears.
It's a strange truth that for any business to build and maintain trust, they themselves can trust nothing.
The Zero Trust approach to cybersecurity requires organisations to assume a hacker or malicious software is already inside their systems – what's known as an "assume breach" security posture.
It requires everyone who uses workplace systems to verify their identity every time and restricts permissions to open files only to the people who need access. It's the digital equivalent of a security guard checking your ID every time you pass (but without the queue or the need to wear a lanyard around your neck).
Zero Trust used to be a concept batted around by dedicated cybersecurity specialists but it's been getting increasing global recognition – Kainga Ora is a leading local example – and it's easy to see why.
In research conducted after the lockdowns of 2020, IDC found that, in the race to digitise processes, operations and customer service, security was an afterthought for most New Zealand organisations.
While 98 per cent recognised security was important for business continuity throughout the pandemic, there was a disconnect between that recognition and having truly effective security capabilities or strategies.
More than two-thirds of businesses surveyed didn't have any particular objective in mind when it came to their security posture – just protecting against general threats or just meeting compliance obligations. At the end of last year, only 56 per cent of Kiwi businesses were looking to invest in more cybersecurity services and solutions over the next 12-24 months.
Since then, a series of major cyber incidents have hit the headlines, including attacks on ANZ, Vocus, Kiwibank and public sector organisations. In July, 30 nations, including New Zealand, joined in unprecedented condemnation of state-sponsored cyberattacks originating in China.
Size doesn't matter – around a quarter of New Zealand small and medium businesses have also reported attacks. CERT NZ reported a 25 per cent year-on-year increase in cyberattacks in the first quarter of this year.
With more of us working from home on various devices, shopping online, using digital tools to stay in touch with friends and family unable to travel, we can no longer take the same approach to cybersecurity as in the past. Covid-19 may be the single most impactful cybersecurity event ever seen.
People are increasingly placing their trust in their employers, their service providers and businesses to protect their personal and financial information, or even protect their jobs from disruption.
That trust relies on nothing going wrong. Unfortunately, one weak link can easily result in another headline and loss of money, IP, business continuity or, worst of all, reputation – often the hardest thing to rebuild.
Cyber criminals have realised that the more people work remotely, the more access points to systems there are for them. They're becoming increasingly clever and active in ratcheting up what feels like an arms race.
Microsoft takes this incredibly seriously and, in August, CEO Satya Nadella announced it was quadrupling its cybersecurity investments to $20 billion over the next five years, with specific funding earmarked to support government agencies.
However, no amount of funding can ever fully eradicate human error. The perception of cybersecurity as a mere added cost means organisations aren't meeting their promise to customers, partners or employees. This may be holding New Zealand back from fulfilling its true potential as a digital nation.
Why Zero Trust matters
To best protect data and operations, it's essential to adopt the Zero Trust mantra: "never trust, always verify". Always authenticate, limit user access to just those who need it (and only when they need it) and always assume a breach has taken place, limiting access to data by "segmenting" it and carrying out constant monitoring for abnormalities.
There's no one "Zero Trust" product or package – it's more of a set of guidelines, backed up by technologies such as digital identity management. However, the general rule of thumb is that security programmes can't just be one-size-fits-all, with no clear objective but "stopping threats".
If you had a valuable art collection at your museum, you wouldn't simply buy an alarm that went off if someone broke through your front door. You'd want to know if your artworks had been removed, or tampered with – if that workman should be there, if the temperature and humidity and lighting are at the right settings.
Data is equally precious and so is trust in your organisation. Security programmes need to be specifically designed to keep customer data safe and targeted to protect core functions, in a way that delivers the best outcomes for customers and supports the wider business.
When looked at this way, a Zero Trust security model isn't a cost to your organisation – it's an enabler. Having the safest possible frameworks in place will empower your teams to work securely from anywhere, enable cloud migration and enable greater innovation.
If you know that the risks have been minimised, there's a lot more scope to play with new technologies like AI, mixed reality and IoT, and open up your platforms to many organisations to share that innovation.
The Consumer Data Right framework, announced recently to enable greater collaboration between finance innovators and banks on new products and services, is one example of how that could benefit all of us.
Microsoft has also recently upgraded the New Zealand Information Security Manual (NZISM) Azure Blueprint to help government organisations safely operate in the cloud.
There are huge opportunities for New Zealand organisations and the public sector to do more with technology, provided their security postures are up to the task. Put another way: Zero Trust, max possibilities.