In the past, our island nation felt safe in the security of our isolation. As the internet of things expanded and the boundaries of business eroded more and more, New Zealand companies adopted technologies and connected to the online world. However, for all its benefits, that connection also brought a new threat: cyber crime.
Cyber crime comes in a multitude of forms: phishing, ransomware, malware and data breaches are just the start. If a business is caught unawares, cyber crime can cripple its finances and hamstring future growth.
Cyber crime is on the rise
In 2018, one in five small to medium enterprises (SMEs) were the victims of a cyber attack. In the first quarter of last year alone, 506 incidents were reported to our national Computer Emergency Response Team (CERT). The total reported losses were $3 million—steadily growing since CERT’s reporting began at the beginning of 2017. Globally, the number of cyber attacks has risen over 27 per cent in the last year.
Not all loss is financial. Nearly half (45 per cent) of incidents reported to CERT included reputation and/or data losses as well as financial losses. Moreover, a cyber security incident can also severely impact a business’s ability to function. According to Accenture, it takes an average of 50 days to resolve a malicious insider attack.
The cost of cyber attacks
According to research from IBM, the global cost per lost or stolen record is US$148, on average. However, there are 22 key factors that can affect this cost. Here are the most significant:
Costs go up when:
- A third party caused the breach (+US$13.4 per record)
- Organisations undergo extensive cloud migration (+US$11.9 per record)
- Businesses fail to be compliant with security measures (+US$11.9 per record)
- There is extensive use of mobile platforms (+US$10.0 per record)
- Devices are lost or stolen (+US$6.5 per record).
Costs go down when:
- Businesses have an incident response team in place (-US$14 per record)
- Data is encrypted (-US$13.1 per record)
- Companies have business continuity management (BCM) involved (-US$9.3 per record)
- Employees receive security training (-US$9.3 per record).
The best way to illustrate the benefit of introducing advanced security measures is with a scenario. Business A is a health provider and they’ve just experienced an unauthorised breach, exposing 50,000 customers’ personal information.
If they had the top five cost-increasing factors in place, they’d be looking at damages of around US$10,085,000.
However, if they had the top five cost-reducing measures in place, their damages would be around US$5,115,000. That’s almost half the cost.
Considering that cyber insurance starts at circa NZ$1,200 per annum, the cost-benefit speaks for itself.
The cost of cyber attacks by industry
While these may be average global figures that span multiple industries, the cost of a breach can vary greatly depending on the industry your business operates in.
The most costly industries of 2018, by cost per lost or stolen record:
- Health: US$408 ($260 more than the median).
- Financial: US$206 ($112 more than the median).
- Services: US$181 ($33 more than the median).
- Pharmaceuticals: US$174 ($26 more than the median).
- Technology: US$170 ($22 more than the median).
New Zealand businesses are an easy target
Unfortunately, New Zealand is part of the ‘Cyber Five’: five countries that are the most at risk of cyber attacks in the Australia and Pacific region. Australia, South Korea, Japan and Singapore are the other four.
One of the key reasons we’re at such high risk is that we’re behind on our legislation. Currently, businesses are not required to report a security incident, and with companies fearing the reputational and potential legal fallout of a breach, cyber incidents can get swept under the rug, leaving users, customers and clients at risk.
WannaCry shows we’re not immune
In 2017, the ransomware known as WannaCry affected 150 countries, including New Zealand. In four days it affected 300,000 computers and 200,000 victims, including Britain’s National Health System. The total cost to businesses was estimated at US$4 billion. While it was initially believed that the ransomware spread through email, it was later revealed that it had taken advantage of a vulnerability in the Microsoft Windows operating system.
Z Energy
In 2017, well-known fuel chain Z Energy discovered a privacy breach in its customer loyalty cards. An unauthorised third party hacked Z’s customer loyalty database and, according to SecurityBriefNZ, gained access to names, addresses, registration numbers, vehicle types and Z Card credit limits.
More concerning, however, was that instead of immediately notifying their affected customers, Z sat on the news for seven months.
While the fallout from the incident has yet to be measured, it is safe to say that it has rattled customer confidence and dealt a major blow to the company’s brand.
Improving cyber security
The good news is that multiple proposals are on the table to help Kiwi businesses improve cyber security measures. However, while updating the legislation around cyber incident reporting is a step in the right direction, it won’t help businesses when they fall victim to an attack.
That is where cyber insurance comes in. Having the right cover can go a long way to protecting your business in the event of a cyber security incident: from replacing lost data to covering lost production time to ensuring you have a cyber IT specialist on hand (post-incident) to mitigate any further fallout.
Summary
Digital technology is constantly evolving, and our cyber security measures need to match it. What worked in 2015 could be woefully inadequate in 2019 and beyond. As businesses grow ever more reliant on technology and cloud-based software, they need to be aware that investing in cyber security is no longer an option; it is a must.