Can SMEs run a hybrid work model securely in Aotearoa?
While the hybrid work model may have offered protection from COVID-19, have small and medium-sized enterprises (SMEs) remained as safe from outside threats?
According to MYOB's 2022 Business Monitor, 48% of New Zealand SMEs believe that access to finance will be a significant challenge for their business in the coming year.
In addition, 44% say that growing their business is something they plan to focus on over the next two years.
As announced in this year's budget, the Government is providing local SMEs with additional funds through a $100 million investment in the independently managed Business Growth Fund, designed to offer a new source of capital for growing businesses.
But when it comes to cybersecurity, should SMEs be concerned in this new era of working life?
KPMG Cyber Security Services partner Philip Whitmore says that it doesn't really make a difference where staff are working from; what matters is the steps organisations have put in place to mitigate security risks.
"The security risks faced by organisations are largely the same regardless of whether you work in the office, or from home," Whitmore says.
"However, how you manage those risks and the level of risk presented may vary depending on work location.
"For example, the risk of ransomware exists both in the office and at home, however, unless you've thought through how you manage the risk of ransomware when out of the office, the likelihood of being impacted by ransomware is likely to be higher when working from home."
Whitmore adds that the biggest challenge for businesses shifting from the office to a hybrid model is that the security mechanisms that staff depend on in the office may not be available to them at home, or if they are, they may not be as effective.
"For example, in the office, web browsing may pass through a web filter to stop someone accidentally visiting a malicious website. However, at home, that filtering may no longer be in place.
"You can certainly have the same security mechanisms in place regardless of where you work, however many organisations haven't taken the time to work through how their security practices need to adapt to ensure that the same level of protection is always there."
In regard to legislation, telecommunications providers in New Zealand operate in accordance with the Telecommunications (Interception Capability and Security) Act 2013 (TICSA).
TICSA lays out the obligations Aotearoa's telecommunications network operators are expected to adhere to and falls under the responsibility of the GCSB.
The Act spans two main areas: interception capability and network security.
According to the National Cyber Security Centre (NCSC), a branch of the GCSB, "[p]art 3 of the TICSA, which relates to network security, establishes a framework under which network operators are required to engage with the GCSB (through the NCSC) about changes and developments with their networks where these intersect with national security."
The NCSC goes on to say that the legislation offers a clear path to recognise, manage and prevent risks to network security.
The GCSB Director-General also issued guidelines for network operators to help them implement TICSA, including various exemptions from the duty to notify which are in place.
"The GCSB works co-operatively and collaboratively with network operators so that risks to New Zealand's national security arising from the design, build or operation of public telecommunications networks and their interconnection to other networks both domestically and overseas are identified and addressed as early as possible," the NCSC adds.
But while this is valuable for protecting New Zealand's national security, what do SMEs in Aotearoa need to be doing to ensure they are protected?
"Companies that don't have clear cyber security policies or practices for their employees can easily open themselves up to malware infections and phishing attacks. It just takes one misdirected email, incorrectly stored data file or weak password to let a hacker in," Vodafone head of SME and partnerships Annaliese Atina says.
"This can cause significant disruption to any business, such as reputational damage or a privacy or data breach which may have a significant financial impact."
Citing the 2021 HP NZ IT security survey, Atina notes that the number of cyber attacks has grown with the move to hybrid working.
According to the survey, attacks on small businesses in Aotearoa occurred twice as often as in 2018.
But Atina says the most significant risk to a business is having staff who lack understanding of the importance of security measures.
"Businesses have had to move to cloud-based services and collaboration tools, and not all employees are technically savvy or understand the risks of not following best [practices]. This is the biggest risk to any business.
"Not all SMEs have an understanding of basic protection, like endpoint security, or have the technical leads that can consult, have the time or resources to find these out.
"This is why organisations such as ours work to communicate basic security protocols to share with SMEs, things such as password protected networks and devices, not sending confidential business information on your personal email, not opening suspicious links or attachments will go a long way to keeping a business safe."
In the case of Vodafone, Atina says the company has taken a range of measures, including having cyber security centres working around the clock to ensure those using its networks are secure.
"With over 15 years of experience managing local businesses' cyber security needs, we have a team of experts dedicated in cyber security to work with customers on strengthening their security position.
"We provide our customers a simple tip sheet for remote working, this includes basic security protocols and within our Vodafone Business website we have resources that any business can access to understand 'why' security is so important and the best solutions on offer to them."
Whitmore notes that the CERT NZ Critical Controls provide robust security and should be a measure that organisations prioritise, whether working in the office or from home.
"For example, when working from home it's important to ensure that multi-factor authentication is in place for anything that's being remotely accessed, including for cloud-based systems such as Microsoft 365," Whitmore adds.
"Likewise, configuring logging and alerting through the use of an EDR (Endpoint Detection and Response) tool is an important security measure when working remotely.
"Ensuring [the CERT NZ Critical Controls] are in place is going to be a good start for any organisation."