Business leaders are not taking cyber security seriously enough, said internationally renowned cyber security expert Dr Ryan Ko, and that poses a significant risk to their companies’ reputations.
“Communications is a much neglected aspect of responding to cyber security incidents,” said Dr Ko, speaking at business learning lunch event in Hamilton. “The spread of information is so fast, and reputations are very hard to get back when lost.”
Dr Ko, director of the NZ Institute for Security and Crime Science, was speaking at CRUNCH – Crucial Conversations Over Lunch, organised by Hamilton public relations firm HMC Communications. During the workshop Dr Ko described the current state of cybercrime in New Zealand and, together with the HMC team, led business leaders in a cyberattack scenario.
This week marks Cyber Smart Week in New Zealand, where people are encouraged to review and strengthen their cyber security systems at home and work.
Dr Ko said that the size of cybercrime internationally was larger than drug trafficking, according to a Norton Cybercrime Report. “It was reported that, globally, cybercrime cost $388 billion which was larger than the cost of drug trafficking at $288 billion,” said Dr Ko. “Every half-second a unique malware or virus is created somewhere in the world. Cybersecurity is a serious concern for companies, and New Zealand business leaders need to do more to protect their company and their customers.”
Dr Ko said that there was a global trend with businesses and boards of directors being held liable for cybersecurity incidents. “The public perception is that businesses and boards should take responsibility for personal information, and that means cyber-attacks have legal implications for directors,” said Dr Ko. “It’s not a matter of ‘if’ it will happen, but when, and directors may be facing liability.”
Dr Ko cited the example of Target, a well-known US discount retailer, who was affected by a cybersecurity attack in 2013. Hackers stole credit and debit card information from up to 40 million customers which revealed the company’s weak cybersecurity measures and ended up costing the retailer millions of dollars.
Another case was the Wyndham Worldwide Corporation, a US hotel chain that was sued in 2012 for breaching customer’s confidential information when credit card details were hacked and posted to a Russian website.
Dr Ko said that New Zealand companies are at risk of cyber-attack, and more than half – 56 per cent – of New Zealand companies claimed to have a cyber-attack at least once a year (in 2014).
The five top threats to New Zealand companies, identified by Dr Ko and his research team, included ransomware, distribute denial of service (DDoS), social engineering, hijacking unpatched platforms and obsolete communications, cyber forces and weaponry.
“Many think it will not affect them, especially small to medium businesses, but they are not immune,” said Dr Ko.
As with any crisis, cybercrime affects a company’s reputation, said HMC Communications director Heather Claycomb. “We know that a company’s reputation is one of their organisation’s primary assets,” said Claycomb. “Reputation is harder to manage than any other risk, and those risks are increasing.”
She said that it was important for businesses to include communications planning when preparing for potential cybercrime situations. “Cybercrime is a major risk to New Zealand organisations. And just like any other major business crisis, you can take back some control in a seemingly uncontrollable situation when you do two things: plan and practise. It’s not enough to have a solid cyber security strategy – you also need a robust crisis communications plan as part of your risk mitigation.”
Participants left with a better understanding of cybersecurity risks and how they might affect their business. They also received useful information and referrals to resources to help get them better prepared and more successfully communicate during a cyberattack crisis.
“I think we are quite naïve in New Zealand around risk,” said Campbell Parker, general manager of Waikato Milking Systems. “You see it in fraud cases, and it’s true when it comes to cybersecurity also.”
He said that large organisations often had robust systems, policies and procedures in place but smaller firms were vulnerable, especially those reliant on external providers. “When you think that 97 per cent of New Zealand companies are SMEs (small-to-medium enterprises) with less than 20 employees, then there is a risk to them.”
Tag IT managing director Josh White said he learnt a lot from the presentation and it highlighted areas to focus on. “We’ll be reviewing systems and strategies,” said White.
Myles Imperial, managing director of Workhub Services said cybersecurity is a topic that all business people should brush up on. “We are in a computer age and you have to have a plan if something happens online. This is a session that should be done by all business leaders,” said Imperial.
Habitat for Humanity general manager for the central North Island, Nic Greene, said protecting data and privacy was integral to his organisation. “We trade on our reputation as a charity.”
He also valued the opportunity to discuss the topic with other business leaders, and consider the management and communications response to cybercrime. “Also, Ryan Ko is a bit of a legend,” said Greene.
ARE YOU PREPARED FOR A CYBER ATTACK? Things for business leaders to consider
What is your board of directors doing to address the risk of a cyber-attack to your business or organisation?
Have cyber security policies been reviewed (and do they even exist)?
Are there policies around external contractors?
Does the business or organisation have cyber insurance?
Is there a chief information security officer in the company?
What would you do in the event of a cyber-attack, operationally and with your communications (internally and externally, including stakeholders and media)?