2022 has seen two notable cybersecurity incidents: the significant data breach of the Pinnacle Midlands Health Network and the white-hat hacking of the Christchurch Hot Pools.
While the Christchurch breach was downplayed as having been conducted by an “ethical hacker” intentionally identifying security vulnerabilities, the important takeaway in both cases is that a security hole in the systems was exploited and many customers’ data was exposed, in businesses that no doubt thought they would not be targeted. Businesses were not the only victims this year either.
It was recently reported that a pensioner lost $134k after his online bank accounts were hacked, and customers of Unity Bank in Hastings were victims of a Bank Identification Number (BIN) attack – proving Kiwi banks are a growing cybercriminal target. This uptick was recently explained by Forbes Magazine, which said “Cybercriminals thrive in times of uncertainty” and that, during this time of economic downturn, businesses should be aware that “Threats like phishing, ransomware and business-email compromises have a significant impact on the health and viability of a business. Beyond financial consequences, a breach can also lead to loss of customer trust and significant reputational damage.”
Closer to home, CERT NZ responded to 2,001 cyber incidents in Q2 2022 with a direct financial cost of $3.9m. Phishing and credential harvesting, scam and fraud cases and unauthorized access incidents accounted for 94% of these incidents – confirming that human connection is still the weakest link when it comes to cybersecurity.
And just to drive the point home, if Q4 2021 (with a reported financial impact of cybercrime in NZ of $6.6m) is any indication, this holiday season will see a major cybercrime impact on businesses and individuals in NZ, and an increase in cybercrime can be expected in 2023.
So, what can you do about this?
- Identify your vulnerabilities with a comprehensive cybersecurity audit by an independent, trained professional. You wouldn’t get your accountant to complete your financial audit, and neither should your IT department/MSP undertake your cybersecurity audit. Impartiality is imperative.
- Determine your potential for damage with a risk assessment. Understanding your risks goes a long way to protecting your company. Assessing your risks means understanding the “what ifs” that threaten your everyday operations; it identifies gaps and provides opportunities to take preventive measures.
- Create a robust risk management program. There are a few ways to handle risk treatment. Avoid the risk: remove the opportunity completely. Mitigate the risk: put measures in place to lower the risk. Accept the risk: the cost of protection outweighs the threat.
These are the three most common risk treatment responses, and they set the countermeasures against each scenario in the assessment. We have identified that the lack of robust risk analysis and treatment plans is common across New Zealand.
Throwing cybersecurity technologies and employee awareness training at the problem can only go so far. Moving into 2023, the focus needs to shift at the Board, owner, and executive level to understanding cybersecurity gaps and the risks to businesses and plugging them.
Cybercrime is unpredictable, and the New Year is a good time to start taking a top-down cyber risk management approach to ensure your business is secure.
Introducing GOVERN. From 2023 Hartley & Associates will be known as GOVERN Cybersecurity (www.govern.co.nz). We are excited to continue to work with businesses to master their cybersecurity resilience, and look forward to introducing tailored training packages for board members and C-Suite executives.