Poor cyber security is increasingly affecting all levels of retail. With a few strokes of a keyboard, criminals and rogue nations can launch a cyber attack from anywhere, at any time, causing disruption and damage – often unforeseen until it’s too late. New research from Grant Thornton International’s Business Report (IBR) survey reveals that cyber attacks are taking a serious toll on business globally, with the total cost of attacks globally estimated to be at least US$315 billion over t
he past 12 months. In New Zealand, only 26 per cent of respondents surveyed see cyber attacks as a threat in their sector and only 50 per cent have a person specifically tasked with cyber security. 62 per cent said they did not have an IT privacy and security strategy in place.
Hamish Bowen, partner, operational advisory at Grant Thornton New Zealand, said high profile security breaches are becoming increasingly common.
“Without a comprehensive strategy to prevent digital crime, businesses are really putting themselves in the firing line,” Bowen said. “And it’s not just financial risks that businesses need to be worried about; there can be a high price to pay in terms of reputational damage as well – just look at Ashley Madison and Sony. IT privacy and security should be at the top of the agenda for all organisations. It’s no longer a question of if your business will come under attack, but when.”
According to the Grant Thornton IBR, cyber attacks are estimated to have cost Asia Pacific businesses $81 billion in the past 12 months, while firms in the EU ($62 billion) and North America ($61 billion) are also counting the significant cost of attacks.
Dealing with cyber attacks
This ever-increasing risk to New Zealand’s economy and its businesses needs to be constantly understood and addressed. The Australian Strategic Policy Institute’s cyber maturity report ranks NZ sixth out of 20 Asia-Pacific countries, behind the US, Australia and Japan, for its ability to deal with cyber attacks. The report’s authors describe NZ businesses as ill-prepared, giving the sector a six out of 10.
“NZ businesses are inadequately prepared to protect themselves from cyber threats and have no intention to invest further in cyber security,” the report said.
“While the NZ government’s efforts are notable, NZ’s score in this category is reduced because there does not appear to be a good level of two-way dialogue between government and the private sector.”
According to PwC’s New Zealand insights of the annual Global State of Information Security survey, New Zealand organisations have far less confidence in their own information security activities (as well as their suppliers) than they did last year. PwC Cyber practice leader, Adrian van Hest, said that while confidence has dropped, it is likely a more accurate picture of real versus perceived risk.
Last year, 83 per cent of New Zealand respondents were confident or somewhat confident that their organisations’ information security activities were effective, compared to 65 per cent this year. The drop in confidence is even wider in the security activities of New Zealand organisations’ partners and suppliers. Last year, 82 per cent of New Zealand respondents were “very” or “somewhat” confident, compared to 57 per cent this year.
As more organisations adopt risk frameworks, they are gaining a better understanding of their risks and what they need to do to manage them. In recent years, the survey data in New Zealand has shown that high confidence does not necessarily match the actual measures taken to secure information.
“The reason for this, at least anecdotally, is that some organisations say that no one has told them something is wrong, so they choose to believe there is no issue,” van Hest said. “Another reason is many New Zealand organisations trust their suppliers and believe that they will simply do the right thing when needed despite the absence of, or even the specific exclusion of, security obligations from contractual agreements.
“When called upon to conduct breach assessments in New Zealand, we have identified a significant issue about 90 per cent of the time. What is alarming is that our data indicates that two-thirds of breach notifications now come from outside of the organisation. The reality is until you have invested time in understanding your current state – and that this critical information is driving your security activity – you can never truly know.
“To have an effective strategy, organisations must understand which assets are most important to them, and then focus resources on dynamically protecting them by being in a position to detect, respond and recover when there is an incident. The organisations that want to maintain trust and stay competitive are those using a targeted information security approach.
“There is no magic bullet for effective cyber security. It’s a journey towards a culture of security, not a solution in and of itself. It is a path that starts with the right mix of technologies, processes and people skills. The organisations that will flourish in tomorrow’s interconnected world are those which recognise that good cyber security is good business; and by managing their risks, they can use digital technologies and their information assets to realise opportunity with confidence.”
Cyber dinosaurs
According to the Institute of Directors (IoD), New Zealand businesses are in serious danger of becoming the cyber dinosaur of the developed world in terms of their approach to cyber security and their lack of sharing information on cyber crime in the private sector. Information sharing hubs to combat cyber threats are urgently needed, said IoD CEO, Simon Arcus.
“Cyber crime losses are in the millions, and information sharing on attacks is a way to combat these threats,” Arcus said. “Cyber sharing hubs are a feature of the international scene and play an invaluable role in the collective response to threats. Many companies have no forum to share data and there is often a reluctance to discuss attacks. This puts commercial data at risk, where a combined response to threats will be a major advantage and drive down costs.”
Late last year Norton by Symantec’s Norton Cybersecurity report attributed New Zealand’s loss to cybercrime at more than $256.8 million. On average 22 hours were lost and $300 spent per person dealing with its impacts. The report found that 83 per cent of New Zealanders worry they will be a victim of online crime, and 65 per cent believe it is more likely their credit card information will be stolen online than from their wallets.
“Our findings reveal that consumer reservations are grounded in reality. In the past year, almost $257 million was lost to cyber crime and approximately 856,000 New Zealanders were impacted by online crime,” said Mark Gorrie, director of Norton by Symantec, Pacific region. “Consumer confidence has also been rocked by the number of mega breaches that exposed the identities of millions of people who were making routine purchases from well-known retailers. “Our findings demonstrate that the headlines rattled people’s trust in mobile and online activity, but it hasn’t led to widespread adoption of simple protection measures people should take to safeguard their devices and information online.”
This is part one of a two-part feature on cyber crime and retail. Part two of this feature will be published tomorrow (Wednesday March 9), so watch this space.