Supply chain attacks and cloud vulnerabilities threaten Kiwi organisations

End user organisations urged to audit third party vendors and partners with access to their data or systems.

Comments

Research commissioned by Kordia has found more than half of Kiwi businesses with 100 or more employees suffered a cyber-attack or incident in the last year.

Despite the onslaught, 85 per cent of the 213 business leaders surveyed were confident in their cyber security safeguards.

Peter Bailey, regional cyber security business manager at Kordia, said the research shows there is money to be made by cybercriminals targeting New Zealand.

“What that means is New Zealand organisations need to be well prepared to not only defend against incoming cyber-attacks, but also develop a response plan to ensure that if their organisation is successfully breached, they have the right things in place to recover quickly – ideally with their reputation and systems intact,” he said.

The survey also found phishing was the preferred attack mode, responsible for 37 per cent of attacks in the past year, and that 44 per cent of NZ business leaders indicated would consider paying a ransom to a cybercriminal.

Phishing was followed by third party cyber attacks, mainly affecting large businesses and executed through supply chain partners, and also by cloud misconfigurations and vulnerabilities, both modes recorded by 28 per cent of respondents.

With business increasingly taking place online, a complex array of third parties enabled digital operations to take place – from cloud and software vendors to online payment platforms and managed service providers, Bailey said.

"Many businesses entrust these third parties with access to their data and systems, but if they haven’t put the right cyber security measures in place, they could be putting your business at risk of a serious breach,” he said.

“Businesses simply can’t afford to operate with a blind spot around their supply chain partners – they need absolute clarity around what third parties have access to, and the layers of security that exist around that access.”

Almost a quarter of businesses attacked had commercially sensitive data or intellectual property accessed or stolen while one in five of the leaders surveyed said cyber-attacks caused a loss of future business or sales due to reputational damage.

One in five businesses also had no plan to deal with a cyber-attack.

However, Cisco also released results from local research today that indicated the cyber posture of New Zealand organisations was roughly on a par with those offshore. Unfortunately, that bar was not very high.

Only fourteen per cent of organisations in New Zealand had a cybersecurity posture mature enough to defend against the threats of a hybrid world, Cisco found, compared to 15 per cent globally and 11 per cent in Australia.

In New Zealand there is no penalty for paying a ransom, yet 68 per cent of leaders in large businesses believed it should be illegal.

“The Government strongly recommends not paying," Bailey said. "This is because there is no guarantee a hacker is going to comply even after they’ve been paid their ransom. They are criminals after all."

However, forty-seven per cent of respondents believed it was likely cybercriminals would restore their data once a ransom was paid.

Nearly three quarters of respondents said they thought New Zealand should introduce harsher financial penalties for businesses that failed to protect personal data.

Business leaders and board members across the country would be interested to see 7 per cent of cyberattack victims are facing legal action by customers or other stakeholders, Bailey said.

“There is a long, unpleasant list of consequences. It’s important all New Zealand businesses understand this and make cyber security an integral part of their business strategy."

Cyber security was a continuous exercise and needed to evolve to meet any operational changes, Bailey said. Despite that, almost half of respondents had relaxed their cyber security to boost productivity in the past 12 months.