Hit enter to search or ESC to close
25 June 2019
Out of the blue: cybercrime
For many SMEs, managing the potentially colossal risk associated with a cyber-attack remains a daunting proposition. Now comprehensive cyber insurance and thought leadership around cyber risk, have become vital components of business.
As organisations of all shapes and sizes embrace ever more sophisticated computer networks, e-commerce solutions, mobile connectivity and social media initiatives, the risk of suffering a potentially debilitating cyber-attack has increased exponentially.
Not only do such attacks pose an enormous threat to business security, new data breach notification rules mean that the ramifications of specific attacks could have far-reaching consequences for bottom lines and reputations.
Crombie Lockwood Cyber Practice Leader, Elizabeth Harbison, says that certain misconceptions about cybercrime mean many New Zealand companies are potentially leaving themselves open to tremendous risk.
Crombie Lockwood Cyber Practice Leader Elizabeth Harbison
“I think there is a general perception that cyber-attacks affect large multinational businesses and criminals leave small businesses alone. Unfortunately that isn’t the case; both the types of businesses being targeted and the way in which systems are breached has changed significantly,” says Elizabeth.
As has the frequency of such attacks. A recent market research report revealed that a quarter of New Zealand businesses have been subject to a cyber-attack within the past 12 months, with more than a third of survey respondents having been personally targeted by a phishing or ransomware attack in the last 12 months.
During 2018, Aura Information Security partnered with Perceptive to undertake a market research report focusing on cybersecurity in New Zealand. The online survey panelled 231 business IT decision-makers from New Zealand organisations with more than 20 employees.
Almost 40 percent of the surveyed businesses estimate they are targeted by more than five phishing or ransomware attacks per quarter. More than 20 percent of respondents said this number is closer to 5 - 10 attacks per quarter. Naturally, for many entities, as employee numbers grow, so too does the number of estimated phishing or ransomware attacks on an individual business. Most respondents also anticipate cyber-attacks will become more frequent and complex.
Away from the country’s IT departments though, Elizabeth says knowledge of and preparedness for such threats is still far from commonplace.
“Among general business owners in New Zealand, there is still something of an ‘It won’t happen to me’ mentality that remains,” she says.
Legal implications of cyber breaches for business
“Overseas in countries such as the United States – a more litigious environment where the ramifications of a data breach are potentially much more damaging – cyber risk management is a prime concern," says Harbison.
“Understanding the threats and managing risk in these scenarios is crucial for all businesses, regardless of their size, especially considering the impending changes to the Privacy Bill relating to mandatory data breach notifications.”
Only half of Aura Information Security / Perceptive survey respondents were aware of impending changes to the Privacy Bill relating to mandatory data breach notification. Although the majority (71 percent) believed the introduction of mandatory data breach reporting will make New Zealand a more cyber secure country.
Only a third of businesses have any breach reporting requirements under General Data Protection Regulation (GDPR). But 83 percent of respondents said their business would be prepared to notify clients if a breach did occur, most doing so within 48 hours. GDPR has already had an impact on how businesses react to such breaches overseas, with large fines having been handed out in the United Kingdom.
“There is a potential financial implication to any data breach,” continues Elizabeth. “But what is far less easy to quantify is the reputational fall-out for a company. This unknown aspect of the cybercrime threat is what gets business owners sitting up and listening.”
Thankfully, cyber insurance as a product is maturing to meet the challenge.
Accessing cyber risk management expertise
Crombie Lockwood, backed by Gallagher’s Cyber Liability Practice, boasts the expertise to deliver a full complement of cyber risk management and insurance services to New Zealand clients. As cyber risks continue to evolve, thought leadership is of utmost importance.
Thanks to thought leaders based in markets such as the United States and the United Kingdom, Crombie Lockwood is keenly aware of the cyber threat and has expertise and experience on the subject with which to advise local industry.
Guidance around IT security best practice, third party benchmarking, contract analysis, advice on incident response planning and even a breach cost calculator can be made available to clients.
While an attack might always come out of the blue, for all companies it is now much easier to have the tools to react to such an attack more quickly and, potentially, with less ongoing interruption to business.
These advances, however, do come with a caution. Elizabeth says that while companies might divert more of their budget to their IT infrastructure these days – including security measures – criminal hacks have nothing to do with system robustness.
“Criminals are savvy and constantly evolving the methods with which they infiltrate business data.
Much of the time it is behavioural vulnerability rather than system vulnerability that leads to a breach.
“Unfortunately, there is no way around the fact that cybercrime will increase as industries rely on ever more complex digital tools and systems. Cyber forensics experts agree that robust system testing is one thing, but at the end of the day having cyber insurance is more crucial now than ever before.
“And because these are unchartered waters for many businesses, clients will be looking for decisive thought leadership around how to tackle the issue. I do believe this is something we are in a position to provide."