Contrary to the belief that cyber threats are perpetrated and orchestrated by ‘unknown hackers’ of the outside world, much of the risk persists within an organisation or those closely associated with it.
The latest PricewaterhouseCoopers (PwC) ‘Global State of Information Security Survey’ has found that staff, service providers, suppliers or business partners are among the biggest cyber risks for Kiwi companies.
According to the Survey, 29.6% of respondents said that current staff were responsible for cyber-attacks in New Zealand.
Of course, in each of the cases, the hacker is ‘Unknown.’
The Unknown Hacker
PwC Partner and Cyber Practice Leader Adrian van Hest said that the ‘Unknown Hacker’ syndrome continues.
“The ‘unknown hacker’ was picked as the largest category responsible for cyber-attacks and that is because attribution is difficult, and most companies end up not knowing where or who the attackers are. However, it became clear that people known to the company were also among the biggest threats,” he said.
Mr van Hest said that while the amount invested in cyber security has been on the rise, the number of cost of incidents are also increasing. New business models present different cyber risks and the ongoing uptake of cloud computing and reliance on mobile devices bring new risks, not because the technologies are not safe, but because they require companies to take a different approach to the way they manage cyber security.
Investment in Identity Management
Mr van Hest said that investment in identity management is growing faster overseas because of rising cyber incidents through increased cloud usage.
“Kiwi companies are slightly behind the trend as most of our cyber incidents still seem to occur because of outdated software. However, as more businesses move to the cloud, it is only a matter of time before we face the same risks,” he said.
According to the Report, cyber security is no longer an issue for IT departments but a major problem that cuts across the entire digital society.
“Companies that stay competitive in our digital landscape cannot blindly trust that their businesses and customer data will stay secure. Building and maintaining trust will be the greatest differentiator for New Zealand businesses in our digital society and now is the time to start taking that seriously.”
The global scene
Despite a significant increase in cyber-attacks, many organisations still struggle to comprehend and manage emerging risks in an increasingly complex digital society.
“Executives worldwide acknowledge the increasingly high stakes of cyber insecurity. 40% of survey respondents cited disruption of operations as the biggest consequence of a cyberattack, followed by 39% of respondents who said that compromise of sensitive data was the biggest consequence, 32% cited harm to product quality and 22% said harm to human life was the issue,” the Report said.
Yet despite this awareness, many companies at risk of cyberattacks remain unprepared to deal with them. 49% said that they did not have an overall information security strategy; 48% did not have an employee security awareness training programme; and 54% did not have an incident-response process.
The Attack and After
Case studies of non-cyber disasters have shown that cascading events often begin with the loss of power, and many systems are impacted instantaneously or within one day, meaning that there is generally precious little time to address the initial problem before it cascades.
Interdependencies between critical and non-critical networks often go unnoticed until trouble strikes.
Many people worldwide, particularly in Japan, the United States, Germany, the United Kingdom and South Korea, are concerned about cyberattacks from other countries.
Tools for conducting cyberattacks are proliferating worldwide.
Smaller nations are aiming to develop capabilities like those used by larger countries. And the leaking of US National Security Agency (NSA) hacking tools has made highly sophisticated capabilities available to malicious hackers.
Leadership commitment, resilience and collaboration are critical to success.
About the Survey
The PwC 2018 Global State of Information Security Survey is based on responses of more than 9500 senior business and technology executives from 122 countries. 28% of respondents were from small businesses with under US$ 100 million annual revenue, 46% of respondents were from organisations with revenue of US$500 million plus and 4% were non-profit, government or education bodies.
It was conducted online from April 24, 2017, to May 26, 2017. Readers of CIO and CSO and clients of PwC from 122 countries were invited via email to take the survey.
It said that the frequency of organisations possessing an overall cybersecurity strategy is particularly high in Japan (72%), where cyberattacks are seen as the leading national security threat, and Malaysia (74%).
When cyberattacks occur, most victimised companies say they cannot clearly identify the culprits. Only 39% of survey respondents say they are very confident in their attribution capabilities.
Adrian van Hest