In the past, our island nation felt safe in the security of our isolation. As the internet of things expanded, the boundaries of business eroded more and more, New Zealand companies adopted technologies and connected to the online world. However, for all its benefits, it also brought a new threat: cyber crime.
Cyber crime comes in a multitude of forms: phishing, ransomware, malware and data breaches are just the start. If caught unawares, it can cripple a business’s finances and hamstring future growth.
In 2018, one in five small to medium enterprises (SMEs) were the victims of a cyber attack. In the first quarter of last year alone, 506 incidents were reported to our national Computer Emergency Response Team (CERT). The total reported losses were $3 million—steadily growing since CERT’s reporting began at the beginning of 2017. Globally, the number of cyber attacks has risen over 27 per cent in the last year.
Not all loss is financial. Nearly half (45 per cent) of incidents reported to CERT included reputation and/or data losses as well as financial. Moreover, a cyber security incident can also severely impact a business’s ability to function. According to Accenture, it takes an average of 50 days to resolve a malicious insider attack.
According to research from IMB, the global cost per lost or stolen record is US$148, on average. However, there are 22 key factors that can affect this cost. Here are the most significant:
Costs go up when:
Costs go down when:
The best way to illustrate the benefit of introducing advanced security measures is with a scenario. Business A is a health provider and they’ve just experienced an unauthorised breach, exposing 50,000 customers personal information.
If they had the top five cost increasing factors in place, they’d be looking at damages of around US$10,085,000.
However, if they had the top five cost-reducing measures in place, their damages would be around US$5,115,000. That’s almost half the cost.
Considering that cyber insurance starts at circa NZ$1,200 per annum—the cost-benefit speaks for itself.
While these may be average global figures that span multiple industries, the cost of a breach can vary greatly depending on the industry your business operates in.
The most costly industries of 2018, set at per lost or stolen record:
Unfortunately, New Zealand is part of the ‘Cyber Five’: five countries that are the most at risk of cyber attacks in the Australia and Pacific region. Australia, South Korea, Japan and Singapore are the other four.
One of the key reasons we’re at such high-risk is that we’re behind on our legislation. Currently, businesses are not required to report a security incident and with companies fearing the reputational and potential legal fallout of a breach, cyber incidents can get swept under the rug—leaving users, customers and clients at risk.
In 2017, the ransomware known as WannaCry affected 150 countries, including New Zealand. In four days it affected 300,000 computers and 200,000 victims, including Britain’s National Health System. The total cost to businesses was estimated at US$4 billion. While it was initially believed that the ransomware spread through email, it was later revealed that it had taken advantage of a vulnerability in the Microsoft Windows operating system.
In 2017, well-know fuel chain Z Energy discovered a privacy breach in its customer loyalty cards. An unauthorised third-party hacked Z’s customer loyalty database and, according to SecurityBriefNZ, gained access to names, addresses, registration numbers, vehicle types and Z Card credit limits.
More concerning, however, was that instead of immediately notifying their affected customers, Z instead sat on the news for seven months.
While the fallout from the incident has yet to be measured, it is safe to say that it has rattled customer confidence and dealt a major blow to the company’s brand.
Read more: An introduction to cyber insurance: what is it and why have it?
The good news is that multiple proposals are on the table to help Kiwi businesses improve cyber security measures. However, while updating the legislation around cyber incident reporting is a step in the right direction, it won’t help businesses when they fall victim to an attack.
That is where cyber insurance comes in. Having the right cover can go a long way to protecting your business in the event of a cyber security incident: from replacing lost data to covering lost production time to ensuring you have a cyber IT specialist on hand (post-incident) to mitigate any further fallout.
Digital technology is constantly evolving, and our cyber security measures need to match it. What worked in 2015 could be woefully inadequate in 2019 and beyond. As businesses grow ever more reliant on technology and cloud-based software, they need to be aware that investing in cyber security is no longer an option, it is a must.
Are the doors of your business open to cyber criminals? Download our cyber security risk assessment checklist to make sure you're covered on all fronts.