Extortion and blackmail are more common forms of cyber attack on businesses than theft of data or intellectual property, with the volume of attacks globally rising sharply over the last 12 months.
According to Grant Thornton, the findings lay bare the diversity of the threat to businesses today and the breadth of the response needed to remain resilient.
Specifically, Grant Thornton’s International Business Report (IBR) survey found that in New Zealand, 28 per cent of businesses surveyed have faced a cyber attack over the past year, placing Kiwi businesses eighth in the league table of 37 countries surveyed.
Nearly one in four businesses worldwide (21 per cent) have faced a cyber attack over the last 12 months, compared to 15 per cent who said the same a year ago.
Of those who were attacked, the most common form of cyber attack cited globally was damage to their business infrastructure (22 per cent of firms).
But other forms of cyber attack experienced include using blackmail or extortion to obtain money (17 per cent), a more common occurrence than theft of customer financial details (12 per cent) or theft of intellectual property (11 per cent).
“Blackmail and extortion have been experienced more than theft because these types of attacks exploit the weakest link in an organisation, which is often people who are unaware of how their actions can open their organisation up to some serious vulnerabilities,” Grant Thornton New Zealand, Partner, IT Advisory and Security, Hamish Bowen, said.
“The success of these attacks is also helping to fund more cyber crime.”
In New Zealand, Bowen said there’s a “common misconception” that the country’s physical location “somehow shields us” from cyber attacks.
“Unfortunately the tyranny of distance doesn’t serve us well in this instance; our physical remoteness is irrelevant to attackers and is of no consequence to the exposure to cyber-attacks,” Bowen explained.
“Businesses will face larger financial loss from reputational damage, theft of customer details and intellectual property, and infrastructural damage.
“Regardless of the type of attack, it’s not a question of ‘if’, but ‘when’ your business will be attacked, so cyber security must become a priority for all organisations.”
According to Bowen, Grant Thornton research in New Zealand has revealed that cyber security is one of the key top-of mind risks for organisations.
“But for most,” he added, “risk management is increasingly being viewed as just a compliance or box-ticking exercise; recognising the risk is insufficient to protect your organisation.”
The IBR findings also revealed that globally, of those business leaders who have faced a cyber attack in the last 12 months, nearly one in eight (13 per cent) only realised the attack had occurred more than a week after the event.
For four per cent, it took longer than a month.
“We need to realise security for an organisation is a system of protection, prevention and response that requires people, process and technology,” Bowen added.
“We have too often focused on the technology component leaving ourselves exposed to common threats like ransomware, because we are not investing in security training of people and improving our general security processes.
“This requires urgency and an investment in minimising the damage when the inevitable happens.”