This is part two of a two-part feature on cyber crime and retail. Part one of this feature can be found here.
Despite concern and awareness of cybercrime, consumers are overconfident in their online security behaviours, according to Norton by Symantec’s Norton Cybersecurity report. When asked to grade their security practices, they consistently award themselves a solid “A”. But in reality, most are not passing the most basic requirement of online security: password use. In New Zealand, less than half (45 per cent) always use a secure password, i.e. a combination of at least eight letters, numbers and symbols, and people share passwords to sensitive accounts with friends and family. Of those sharing passwords, more than one in three (38 per cent) share their banking account password and, on average, they are sharing passwords for two accounts, with the most common passwords shared being email (54 per cent) and social media (46 per cent).
Women are also more likely to share their passwords than men (31 per cent versus 23 per cent).
Also, according to the report, less than half (38 per cent) are confident they know what to do if they were affected by online crime. More than one-third of millennials think they are not interesting enough to be a target of online crime, despite 51 per cent experiencing online crime. And just over half of New Zealand consumers think that storing their credit/banking information in the cloud is riskier than not wearing a seatbelt.
“In the face of this, rapid information sharing is an essential element of cyber security because a collective response is more effective than companies trying to deal with cyber risks alone,” Arcus said.
“Pace is everything – we have an evolving cyber threat to tackle. It is adaptable. Our cyber adversaries move with speed and stealth. We need to keep pace.
“The very confidentiality that a business relies on to operate is working against it when facing a sophisticated and relentless enemy. It is a huge advantage to hackers that businesses are unwilling or unable to share data. Hubs make collaboration safer, faster, and easier to respond.”
The IoD said the government must lead and urgently expedite plans for better information sharing because it is the only entity that can facilitate information sharing groups in a cross-industry and liability appropriate environment.
“We need businesses to have safe places to share. We must link the good initiatives we have seen from the government in lockstep with the private sector needs. We need to see a breathless pace of action from government with a fresh, energised framework for engagement in place.”
Arcus added that the government must lead in the establishment of a sharing hub – but tread a fine line between involvement and ownership of the space.
“I don’t think government should own or run these groups, but they should be kept informed and act as a key player and facilitator.”
Political leadership needed
Political leadership is a key feature of this in countries such as the US and UK. In the US, the number of Information Sharing and Analysis Organisations (ISAOs) has grown. President Obama issued an executive order in February 2015 to encourage more information sharing on cyber security threats with the government and each other.
In the UK, the Cyber Security Information Sharing Partnership (CiSP) is a joint industry/government initiative to share cyber threat and vulnerability information. Its members exchange cyber threat information in real time in a secure and dynamic environment but, critically, protections exist for doing so.
“Cyber hackers respect no national boundaries. It is old fashioned to think that geographical distance equates to protection from threat for our islands. We need to take the steps any country with a modern developed cyber infrastructure might do,” argued Arcus.
“If we do not facilitate private sector sharing, we face the dire outcome that the hackers start to win. If you don’t report a house break-in to the police they can’t solve the case. In New Zealand’s case we aren’t even telling each other there are burglars in the neighbourhood. That ignorance will play into our enemy’s hands.”
New Zealand Technology Industry Association (NZTech) CEO, Graeme Muller, underscores that most New Zealand companies and organisations are unaware of the probability of and real cost of cyber security breaches.
“The average global cost of a breach is now US$154 per record and the likelihood is now 22 per cent of a breach over a two-year period,” he advised.
He advised all businesses to have a security plan in place; for large organisations that do not, this could be seen as negligence by the board.
“It is not inevitable that a breach will occur, but the probability is high,” said Muller. “The trick is to get the technology, the processes and the people best prepared to avoid a breach, or if it happens, to effectively deal with a breach.”
Muller emphasises that recognition of cyber security implications needs to improve among New Zealand businesses and organisations.
New Zealand Internet Task Force
To New Zealand’s credit though, InternetNZ recently welcomed an announcement made by the New Zealand Internet Task Force that it has launched a public funding campaign to build a Computer Security Incident Response Team (CSIRT).
The creation of a CSIRT will serve New Zealand’s SMEs and not-for-profit organisations by providing internet security.
InternetNZ’s CEO, Jordan Carter, said this is a chance to deliver much needed improvement and will provide greater confidence to New Zealand internet users.
“A CSIRT would mean Kiwi organisations and not-for-profits will have help from real independent experts if they are hacked by criminals or are dealing with some kind of cyber threat,” said Carter.
“InternetNZ has long been calling for a national CSIRT to help protect New Zealand’s internet community and we’re excited to see the New Zealand Internet Task Force create the beginnings of a national incident response capability.”
The New Zealand Internet Task Force is seeking funding partners and wants to talk to, and work with, any organisation that wants to work with them and help improve New Zealand’s cyber security.
According to Nick Race, Arbor country manager, there is no doubt that New Zealand will continue to see a lot of reflection amplification DDoS attack activity throughout 2016.
“The latent capability within the internet, which attackers are more than willing to exploit, still exists, so it wouldn’t be surprising to see an attack up at around 500Gbps – higher than any other recorded attack – in the not too distant future,” he said.
“We will continue to see more of the high-profile breaches we’ve seen in retail over the last year in New Zealand. It is also likely that we’ll become aware of many smaller organisations falling victim to data theft. Many retailers have data that is either directly or indirectly valuable to attackers, and at the moment the value of that data is significantly higher than the cost to the attacker of extracting it.
“New Zealand retail organisations need to shift their approach and fast, they should leverage the data they have more effectively, share intelligence more quickly and usefully and fundamentally make better use of their existing security resources.”