Operations were disrupted for a third of large businesses impacted by cyber-attacks
Independent research released by Kordia today shows just how detrimental cyber-attacks are to some of New Zealand’s
largest businesses.
Of the surveyed businesses, all with 100 or more employees, that were hit by a cyber-attack in 2023, more than one in
three (36%) said their business operations were disrupted, and 29% said personal data was stolen or accessed.

Key research findings

- One in three (36%) businesses impacted by cyber-attacks or incidents say their business operations were disrupted
- 28% of businesses impacted by a cyber-attack or incident point to third-party suppliers as the cause
- 70% of business leaders say they would consider paying a ransom to a cybercriminal
- Cloud misconfigurations or software vulnerabilities were responsible for causing cyber incidents for almost two out of five (39%) businesses
- Around 46% of cyber incidents and attacks took longer than one month to resolve
- 29% of businesses suffering a cyber incident say personal data was stolen or accessed

More than two-thirds (69%) of businesses claim they experienced an impact from a cyber incident, with nearly half (46%)
finding it took more than a month to resolve the incident, including 9% saying it took five months or more.
“Cybercriminals are financially motivated. What’s interesting in this survey is it highlights the beginning of a trend
where hackers are targeting operational downtime over stealing or encrypting data as a means of extorting their victims.
This is in line with what we’re seeing overseas, such as the recent DP World cyber-attack in Australia.
“It’s much harder for organisations to ignore an attack when they can’t function for a period of time. The motivation to
pay a ransom is greatly increased when you can’t generate an operational income,” says Alastair Miller, Principal
Consultant at Aura Information Security, Kordia’s cyber security advisory and testing consultancy.
“Any cyber-attack disruptive enough to cause a business to completely go offline can cripple a business in days, but the
reality is that a major incident can take months to resolve – with costs running into the hundreds of thousands. For
large businesses and critical infrastructure providers, like the ones we surveyed, operational downtime impacts can have
knock-on effects for whole supply chains and our economy.
“Despite this, New Zealand businesses still lag far behind when it comes to elevating cyber security to the highest
levels of governance. Only two thirds of businesses said that cyber security was a very important issue for their board,
and this must change to see real progress in the overall resilience of our national industrial and business landscape,”
continues Miller.

The human cost of cybercrime

In 2023 global cyber threats impacted New Zealand citizens on a new, escalated scale. The hack on Australian financial
services company Latitude saw personal data belonging to one million Kiwis (20% of the population) compromised in the
largest privacy breach New Zealand has ever seen.
Miller says harm to privacy is one factor, but increasingly cyber incidents are causing immense harm to the employees of
victim organisations as well.
“Around a quarter of respondents said recruiting skilled people to manage cyber security is a top challenge within their
business. The cyber security labour market is incredibly tight, both globally and here in New Zealand, so being able to
hire and retain skilled people is crucial.
“Many businesses are asking themselves how they will keep up with the moving threat landscape with so few resources
working on mitigating it.”
Miller points to a recent academic study, which found that cyber-attacks can cause high levels of psychological harm — equal to conventional political violence
and terrorism.
“With four in five NZ large businesses in our survey saying they faced a cyber incident in the past twelve months, these
incidents will likely be taking a significant toll on the wellbeing of many of our cyber security leaders and their
teams,” continues Miller.

Changing threats

As cyber security evolves, so do the threats facing NZ businesses. Of the businesses surveyed that were subject to a
cyber incident[i], 39% said the incident was due to cloud misconfiguration or software vulnerabilities. Distributed Denial-of-Service
(DDoS) attacks were the second most common at 35%.
Miller says, “In 2023, cloud played the most significant role in cyber-attacks across the board, climbing 11 percentage
points YOY in our survey.
“In saying this, DDoS attacks continue to feature prominently globally; there has been an increase in activity stemming
from geo-political events, including cyber warfare in Ukraine and Israel / Palestine. With a very low barrier to use,
DDoS has also been observed as a tactic used in conjunction with other methods, leveraged by threat actors to mask other
attacks occurring concurrently.”
“Phishing continues to remain in focus, whilst supply chain attacks came to the fore for New Zealanders, with
third-party attacks featuring in more than a quarter (28%) of all incidents,” adds Miller.

New year, new government, new cyber security legislation?

With the new government now in place, questions are being asked by New Zealand businesses on how they will tackle the
evolving cybersecurity threats.
Kordia’s survey results show that a third (33%) of Kiwi business leaders want the government to increase spending on
national cyber security.
“Business leaders are eager to see more action to penalise organisations that fail to adequately protect data. New
Zealand's current privacy laws only punish failure to report a breach and that caps penalties at NZD$10,000,
significantly more restricted and lower than legislation in other Five Eyes nations,” says Miller.
“Australia has made notable changes to cyber security governance, through a slew of legislative changes including
harsher privacy law penalties of up to $50 million and mandatory reporting requirements for ransomware attacks. A
notable number of respondents have indicated they would be supportive of similar initiatives in New Zealand.
“New Zealand often looks across the Tasman when it comes to policy, so it will be interesting to see whether similar
legislation will eventuate here,” adds Miller.

Kordia has outlined five focus areas for businesses in 2024:

1. Plan for recovery as part of your response

Operational downtime can hurt a business more than the initial cyber-attack.

Effectively recovering your business as rapidly as possible after a major cyber-attack depends on a properly deployed backup and restore regime.

Any solution should include encryption, along with the combination of full, incremental, and differential backups.

2. Security should go hand in hand with a cloud transformation strategy

There are lingering perceptions that the cloud is more secure than more traditional on-premises systems. While there are certainly benefits that can be leveraged from the cloud, without the right security layers, businesses are just as exposed.

The best way to guard against misconfigurations and security gaps in cloud environments is to get security requirements into cloud projects early, set out how security is factored into your cloud environment, and ensure it evolves as your platforms do.

3. Rationalise spending via risk-based planning

Assessing how to invest appropriately in security can be challenging – especially in the face of rising costs and tough economic conditions. As organisations expand their digital operations, a risk-based approach can help rationalise spend and set strategic objectives to ensure security needs are being addressed.

Understanding your risks will help determine areas of focus, providing a starting point to building out a holistic security programme. Ongoing measurement of the effectiveness of your strategic roadmap will determine whether your organisation is focusing on the right areas.

4. Factor people into your cyber strategy

Human error accounts for many cyber security incidents and data breaches; there’s a great need for better awareness and adoption of security behaviours across all facets of organisations.

Business leaders need to champion a culture change within the organisation that sees all employees adopting a mindset shift.

5. Elevate cyber security to the board

With increasing impacts and a significant number of businesses confirming that they are being compromised by cyber incidents, it is imperative that board members take cyber defences seriously.

Cyber is no longer an IT or operational issue – it requires good governance to ensure that it’s aligned with the overall business strategy, and that initiatives have the right level of focus and resources from the top.

The full cyber security report is available to download at Kordia.co.nz.
[i] Survey question: How was your business compromised in the cyber-attack / incident/s? Tick all that apply