Kiwi companies lack expertise in dealing with cyber risks – report

“There are big gaps with lack of skills and expertise in the marketplace, and a confusingly broad range of interlocking products to appropriately protect the range of capability required to deliver each business process – so an equal effort is being allocated to ensure a fast and resilient recovery mechanism,” Patterson said.

This comes after several major cyberattacks hit New Zealand businesses this year, including the recent incidents at Mercury IT and Pinnacle Health.

Patterson said that legacy applications and outdated infrastructure often do not have the same cyber protections as their newer counterparts, and so become vulnerabilities for customers. These old systems can also be some of the hardest services to restore once compromised.

“In the event of a cyberattack, customers need to have a plan on how they can restore their business operations as quickly as possible,” he said.

Paul Caldwell, Dicker Data’s Microsoft Security business development manager, agreed that lack of expertise is the primary challenge for New Zealand businesses.

Caldwell said that levels of cyber maturity vary widely among New Zealand businesses, and that it is important to shift the current belief that cyber resilience is all about threat protection towards an understanding that it encompasses an organisation’s ability to prevent, respond to and recover from cyberattacks.

“Cyber resilience requires security teams to move beyond strict threat prevention and to incorporate technologies that can mitigate the damage from sophisticated cyber threats like ransomware and insider attacks and recover data quickly after an attack,” Caldwell said.

Caldwell pointed to liability as a key cyber resilience issue, which stresses the need for organisations to have an incident plan alongside a recovery plan.

With the cyber insurance environment changing rapidly, Caldwell said that following proper business-led risk management will reduce the need to call on an insurer in the first place and will help demonstrate to insurers that a company understands and adequately manages its risk, resulting in lower premiums.

“Lack of planning and awareness combined with a lack of security resource has resulted in implementation of unsafe practices or shifting of responsibility to try and avoid liability,” Caldwell said. “Cyber insurance is driving verification of controls and considering the IT provider’s track record in assessing risk. Business disruption must be minimised so insurance underwriters are requiring not just a documented tested incident plan but also a recovery plan.”