From new extortion schemes, outside threats and rising cyber attacks, the art of securing organisations across New Zealand has seldom been so complex or challenging.
With distance no longer a viable defence, customers are fighting to stay ahead of the security curve, with 28 per cent of local businesses impacted by a cyber attack within the past 12 months - a figure set to rise in 2017.
Such end-user awareness escalated amid WannaCry, a ransomware attack that ravaged the world, hitting over 10,000 organisations, 200,000 individuals in over 150 countries.
WannaCry was an attack which made front page headlines across the world, with the UK National Health Service (NHS) crippled, the Russian government infected and the Spanish telecommunications sector at a standstill.
While New Zealand missed the bulk of the attack, Christchurch-based Lyttelton Port Company did take its systems offline to prepare for any possible assault, as the potential to cause havoc internationally reached Kiwi shores.
Despite Kiwi businesses surviving the scare, as the dust settles on WannaCry, its impact remains far-reaching across the country.
“Many New Zealand businesses used the WannaCry outbreak to leverage change,” Datacom general manager of cyber security Mark Ellis said. “Organisations realised that this was a route to source money to upgrade systems and processes.”
In understanding how to better manage the threat landscape, on reflection, Ellis said WannaCry was a complex incident for the channel to control, complex in terms of creating an effective process to translate real-time updates to concerned customers.
“As a technology provider, we also took key learnings from the breach because while it didn’t impact New Zealand directly, we were challenged from a communications perspective,” Ellis explained.
“We fielded an enormous amount of calls from concerned customers desperate to understand what was going on, but it was very hard to share information when there was nothing to share.
“None of our systems or warning signs were flagging any issues - because there wasn’t any in New Zealand - yet when you’re speaking to the CEO of an organisation who has the responsibility to manage risk, that’s not a very good answer to give.”
Naturally after a crisis - or a potential crisis in WannaCry - there is a time to learn lessons.
As a result, organisations are now actively engaging with the channel to review vulnerability management plans and re-examine approaches, as businesses begin to recognise the value of taking proactive measures to remain protected.
“We have a mature security practice and proactively sent information to our customers,” Fujitsu New Zealand account manager Jason Diack added. “Customers we hadn’t traditionally dealt with then became aware of how we could help which was a positive element to the attack.
“Security is like life insurance, it’s sold on a fear basis and WannaCry certainly created a compelling reason for customers to assess strategies, providing an opportunity as a partner to offer guidance."
For partners, WannaCry provided a useful reminder of the realities of effective security management, opening the door to end-users previously unaware - or perhaps uninterested - in building secure defence plans.
“It certainly created a discussion, no question,” F5 Networks country manager of New Zealand and Pacific Islands Richard Rogers added. “For New Zealand and our customers, WannaCry has offered the market an opportunity to communicate.
“It’s created a heightened sense awareness and means that our partners are having additional conversations. However, awareness is good but putting your head in the sand is not good.”
Because while maturity can be found across enterprise, throughout New Zealand - specifically through the mid-market and small to medium business sectors - a dangerous disconnect still remains.
“Our mid-market and SMB customers still bury their heads in the sand and think that they are not a target which is an ongoing challenge,” Origin IT CEO Michael Russell observed. “Through our Optinet business we handled a lot of activity following WannaCry but there’s still an education element to consider, particularly outside of the enterprise.
“Partners must explain what businesses need to be aware of because people are still the biggest weakness. We carry out multiple fake phishing attacks and it’s proved to be an eye-opening experience.”
In truth, WannaCry offered the perfect storm for partners in New Zealand - a real-time crisis that captured the imagination and interest of the mainstream, without no serious repercussions or consequences.
“WannaCry was fantastic from a channel perspective,” SecureCom director and partner Greg Mikkelsen acknowledged. “There was no real impact in New Zealand but the awareness that it raised was unbelievable.
According to Mikkelsen, directors are now at risk, rather than the CIO, creating a shift in priorities across the boardroom.
“Directors are now personally responsible for what happens for businesses, and cyber security is raising its profile,” he added.
“It’s raised levels of awareness without any real damage to a stage where several partners are now finding that if customers want to get things done, this proved a catalyst for change."
While no vendor or partner in the channel actively applauds or seeks security breaches, the harsh reality is that customers require trigger points to instigate change.
“Nobody wants to see customers impacted but from a noise perspective, it was beneficial to the channel,” Sophos channel director Australia and New Zealand (A/NZ) Jon Fox added.
“We ran a webinar a few weeks ago, we usually have 30-40 attendees but after WannaCry we had 150, so the amount of awareness was encouraging for the channel.
“But now, how do you use that to educate the customer? Because that’s key and the next steps are crucial - the channel cannot go overboard.”
Fox’s observations are backed up by Mikkelsen, who remained cautious as to how the channel can effectively maximise increased levels of end-user awareness.
“This could easily become a Y2K, when everybody jumps on the bandwagon and there’s no real investment or structure in place in terms of training or standards,” he said. “Everyone jumps on the fear factor and we end up with something that within 18 months will run out of steam because the industry didn’t deliver on what it promised.”
For Computer Concepts CTO Jon Waite, it’s a tough balance to strike for technology providers, as the channel attempts to appease concerned customers without impacting profitability.