Combating cybercrime in NZ with a robust cybersecurity strategy
When an organisation falls victim to a cyberattack, it can be devastating for its revenue and reputation, and it can be many years before it fully recovers. Cybercrime is an invisible, mercurial foe that shifts and changes as technology evolves - which is why businesses need to be constantly alert to potential threats and how to mitigate them.
Multiple high-profile cyberattacks in recent years show the real-world impact of cybercrime. For example, DDoS (Distributed Denial of Service) attacks against financial organisations and the banking sector significantly impacted financial operations, disabling trading and online banking for days. Ransomware attacks against the health sector resulted in hospitals being shut down, risking patients' lives and exposing their private information.
Those are just examples of attacks which hit the headlines, but there continue to be multiple threats, and every organisation, large, medium, and small, is a target. Criminals operate globally, and New Zealand is very much in their line of sight.
Businesses can expend a lot of resources on people, processes, and technology when it comes to cybersecurity, so it's important to be strategic in your approach. Mind maps published by two leading global CISOs, Henry Jiang and Rafeeq Rehman, provide an indication of the complexity and sheer number of moving parts those responsible for cybersecurity must be across.
As the accountability for cybersecurity always lies with the business, the first step is to identify who will take on this responsibility, whether they will have a team, and if they will work with a Managed Security Services Provider (MSSP). The next step is for that person to develop a cybersecurity strategy, and an excellent resource for this is the NIST CSF framework.
Spark incorporates elements of the NIST framework when developing a cybersecurity strategy, for ourselves, and for our partners.
There are also six guiding principles we apply.
Align to the business strategy
Dont do cybersecurity for its own sake; it needs to align with your business strategy. Cybersecurity is meant to be a business enabler and to ensure the business can continue to function and generate revenue when under a cyberattack.
Annual reports, strategy documents, and talking regularly with key business stakeholders will keep you aligned with business goals.
Take a risk-centric approach
Cybercrime is one of the many risks that a business faces, alongside health and safety, natural disasters and crimes such as fraud and ram raids. Adopting a risk-centric approach will help your organisation understand the specific risks facing your business and prioritise how you can mitigate these based on the potential damage they can cause, whether it be revenue loss, reputational damage, or operational impact. Constraints such as limited resources, budget, and time will also help guide how you prioritise which risks are most important.
When considering potential threats, think about what would have the most impact on your business. Is it malware, ransomware, DDoS, or a combination of all three? An attack such as a DDoS will likely be detrimental to a business that generates most of its revenue online, however a DDoS attack against an accounting firm is unlikely to be an event that's revenue impacting.
CERT NZs quarterly reports and the National Cyber Security Centres annual reports are both good places to learn about current threats to New Zealand businesses.
Adopt a when not if mentality
Assume you are a target and invest in detection capability that enables you to know when you are under attack. And then plan for what to do when an attack occurs by creating an incident response plan. The Comptia State of Cybersecurity Report 2024, noted that 45% of enterprises in its survey are placing higher priority on determining the proper response to incidents.
When creating the plan, consider roles and responsibilities, look at how you can test its effectiveness before you need it, and think of ways to make the wider organisation aware of its existence. Spark recently asked New Zealand businesses when they last tested their incident response plan and found that 52% of New Zealand businesses had done so in the last six months.
There are plenty of incident response templates available online, so you don't need to reinvent the wheel when it comes to developing your own plan. Consider then what type of testing will make the most impact. Defining the goals and anticipated outcomes of your security testing process will help make sure you are turning the dial on your security posture with each test.
Modernise security architecture during digital transformation
As part of your organisation's digital transformation, put the emphasis on modernising security architecture. Long gone are the days when we put our most precious assets and critical data within the centre of our core network.
The increasing adoption of the cloud, as well as many users now working from home, means the traditional perimeter protection mechanism doesn't help to achieve a secure outcome anymore. Adopting Zero Trust principles as part of your business digital transformation, will help ensure you are well positioned to securely adopt new and evolving cloud technology.
Measure and grow your organisation's cyber maturity
Unless you strategically put in place a way to uplift your organisation's cybersecurity, nothing is likely to change. Start by using tools, such as cybersecurity metrics, to measure and understand your current capability, and then determine where you want to be in the next quarter, half year, and full year.
There are a number of good cyber security maturity assessment frameworks available online, including the NIST CSF framework previously mentioned. These frameworks provide you with a good reference to establish key metrics that you can use to measure and report on your current and future cybersecurity maturity. It's important to seek expert advice, as well as use these frameworks, for credibility. It is a helpful tool to demonstrate to your Board and senior management the progress your organisation is making in uplifting its cybersecurity capability over time.
Protect your Crown Jewels
Organisations have finite resources, money, and time, so I suggest spending 80% of your effort on protecting the assets that are the most precious, the Crown Jewels. They are defined as the most critical information assets, which, if compromised, could severely undermine the business's ability to make money and continue to operate. Examples include IP, executive/board papers, pricing data, HR/payroll data, contracts, market intelligence, and cybersecurity details.
These are the assets that get the full cybersecurity treatment, such as ongoing penetration testing, user access reviews, and network segmentation. The other assets, meanwhile, must still be protected with mandatory security controls and vulnerability management.
To quote Sun Tzu, the Chinese military strategist: Hence that general is skilful in attack whose opponent does not know what to defend; and he is skilful in defence whose opponent does not know what to attack.
Sun Tzu wrote the seminal book on strategy, The Art of War, and his advice has rung true throughout the ages. Whether the weapons are swords or source code, it's important to always remember the enemy is out there, ready to strike. The only way to triumph is to have a battle plan that is tailor-made for your business.