Cyber security advice for boards in the era of hybrid working
Businesses should factor in cyber security risks when laying out a hybrid working policy.
In 2021 we witnessed organisations of national significance fall victim to crippling DDoS and ransomware attacks on a scale not previously seen in our country, causing severe operational disruption and reputational damage. Our 2021 Aura Cyber Security Market Research shows that most IT decision makers are finally starting to realise we are at as much risk as the rest of the world.
Prompted by recent events, businesses are taking cyber security more seriously, with many increasing budgets, staffing and boardroom discussion of cyber defence. While this is positive, we must consider what can be learned from the past 12 months. Attacks are becoming more frequent and sophisticated, but the underlying methods of breaching a business have stayed the same.
This year’s research reveals that remote working has now become a long-term strategy for many New Zealand businesses. As businesses migrate to more cloud-based operations, they need to look at new approaches for securing their environments.
Remote working appears to be the new weak link in our cyber security defences. Among ransomware attack victims, more than three quarters (78%) say the attacks happened through a remote connection or while an employee was working from home.
More than two in five (43%) Kiwi businesses have at least 60% of staff working from home at least one day a week. Our ways of working have changed, and businesses need to ensure their security posture reflects this.
Last year the Australian Government released its Ransomware Action Plan, which introduces mandatory reporting of ransomware incidents to the Australian Government.
New Zealand cyber legislation often follows Australia's, given the similarities between our two markets, so a similar initiative could be on the horizon for our country. Whether or not New Zealand introduces mandatory reporting of ransomware incidents, it is a reminder that every business should have processes in place to quantify the impact of an attack, and a tested response plan in place to mitigate the damage.
The New Zealand Privacy Commissioner doesn’t recommend paying ransoms, but 64% of New Zealand businesses would be willing to pay to regain access to their data. Nearly one in 10 would pay more than $100,000.
Seventy percent of businesses judged their cyber security as mature or very mature when it comes to defending against cyber-attacks. Despite this, less than half of the respondents have run crisis simulation exercises to assess their ability to respond to a cyber security incident.
Attackers are aware of this gap and will exploit the confusion that follows an attack. As attackers evolve and technology advances, businesses need to make sure their cyber security programmes keep pace.
Just over two thirds of businesses have policies or training in place to prevent breaches, a slight increase on the previous year. The same number say they report cyber security incidents to the board or senior management. However, the engagement of board or senior management is lower than in previous years, with only 47% engaged or heavily engaged.
From a governance perspective, The Institute of Directors and ASB’s 2021 Director Sentiment Survey reports that slightly fewer boards (44%, down from 47% in 2020) are confident their board receives comprehensive reporting from management about data breach risks and incidents, and the actions taken to address them.
In 2022 expect more of the same. New Zealand is now firmly in the sights of criminals and we can only expect cyber-attacks to keep occurring across all levels of business, government and the not-for-profit sectors.
One of the best ways to protect your organisation is to build a culture of cyber security awareness. The human factor is a prominent risk in cyber-attacks: attackers know this and will continue to target the people in your business with increasingly sophisticated phishing techniques. Ensure your executives communicate regularly with all staff on cyber-related issues, and roll out regular employee training, especially around work-from-home practices.
Consider adopting a Zero Trust policy in your organisation. Under Zero Trust, no person and no device is trusted by default, whether inside or outside the corporate network: every request for access must be verified against strict identity and access controls, and requests that fail verification are denied. Zero Trust is a design principle rather than a product, and implementing it is a journey that requires leadership from boards and executive teams.
Test your systems and processes. Conduct regular penetration testing of your systems, and run crisis simulation (tabletop) exercises to assess your organisation's ability to respond to a cyber-attack, since a plan that has never been rehearsed is unlikely to work under pressure.
Download the full 2021 Cyber security market research report from the Kordia website.