ITX 2016 - Digital Risks and Cyber Security Threats

“Ten years ago, cybersecurity was not an issue. Now it is a central issue for policy. “

John Lewis (Centre for Strategic and International Studies) -  NZ Cyber Security Summit Report 2016

I attended two very good sessions at ITx 2016 on the Business implications of Cyber Security, I thought it was worth outlining their key points with specific reference to the NZ scene, together with our own research and experience.

Before I begin however, I think it is important to highlight what many in the industry believe to be the biggest risk for any business today: that is, choosing not to invest in innovation and digital technologies; particularly where the decision (or lack thereof) is motivated by fear or a lack of understanding.

My research recently led me to an interesting article by Bill Taylor in the 2013 Harvard Business Review article “Playing It Safe Is Riskier Than You Think”. It stated:

“Executives and entrepreneurs face two very different sorts of risks. One is that their organization will make a bold move that failed — a risk they call ‘sinking the ship.’ The other is that their organization will fail to make a bold move that would have succeeded — a risk they call ‘missing the boat.’

Rob Snodgrass of Spark Ventures in his ITx presentation “Corporate Innovation” was particularly clear on this point; noting that his organisation, Spark Ventures, is already fully digital, and is now focussing on the next phase of change.

“Missing the boat” today can end up being fatal for your business; ask Kodak how that strategy has worked in the long run (you may also like to read my blog from January last year “Past Experience May Not Prepare Today’s Businesses For A Digital Future”).

Back on topic, whether your organisation has fully embraced digital technologies, has a hybrid IT environment, or retains a traditional on premise environment, the topic of Cyber Security is, or should be, high on every business leader’s agenda (Directors, Owners and the entire C-Suite).

A clear message from the conference was that despite our geographical isolation, “Economic crime is a diversified and global issue. NZ is not immune”.

What does the NZ Cyber Security Threat look like?

The most frequent reasons for attacks cited in a recent NZ E-crime report were:

Unsolicited Malicious Damage
Organised Crime searching for financial gain
Espionage by Competitors or Foreign Governments
Use of the system for further attacks
Ethical Reasons (“Hacktivists”)

In the same report the key attack methods cited were:

Phishing (the attempt to obtain sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy person or entity in an electronic communication)
Social Engineering (using psychological techniques to obtain sensitive information)
Infection with Malicious Malware
Compromised Web Application

All Systems Are Potentially Vulnerable and Present a Business Risk

For those organisations who believe that having systems and data on-site is a more secure option than Cloud based solutions, the following results (gathered from 200 NZ Corporates that voluntarily undertook independent external penetration testing) are sobering:

100% of the time the team were able to gain administrative access to systems
100% of the time the team were able to gain physical access to the data centre or server room
24% of the time wireless (wi-fi) vulnerabilities and unsecured mobile phones provided access to the “secure” network (the bad guys have big aerials, they don’t need to sit outside the building)
71% of Web applications had high risk vulnerabilities (poorly designed, coded or maintained)
32% of the time the team were able to penetrate Internet defences
15-54% of people gave their login password when asked and the average time to get through a locked door was 60 seconds (see Social Engineering above)

Simple Strategies Can Stop Opportunistic Hackers

However, research and experience indicate that a large portion of opportunistic (rather than dedicated and directed) attacks will be stopped by ensuring that:

Operating Systems and Applications are patched regularly
Local Administration Access is disabled or removed
An application whitelist is created and maintained (preventing unauthorized programs from running)

Legal Responsibilities of Managers and Directors

That impact of a serious breach can go beyond disruptions to systems and normal business operations to include: impact on business value and customer trust and the risk of prosecution and/or litigation for the business leadership (including the Directors).

A major challenge identified by both ITx Cyber Security speakers, is the lack of IT skills and experience on many NZ Boards, which when combined with a lack of strategic IT leadership and advice (i.e. no designated CIO, CSO or CTO role) leaves many organisations with the wrongly held belief that cyber security is purely an IT operational responsibility.

The speaker urged business leaders to take a “when” rather than “if” approach to planning for a breach, ensuring that everyone in the organisation is fully engaged and actively involved. Attention should be focussed not just on technology but also the legal, HR and communication aspects of developing a breach response.

A review of responsibilities and potential vulnerabilities should include:

The NZ Privacy Act
Existing Commercial Contracts – specifically any that offer or guarantee 100% data security
Directors Responsibilities – a good starting point is the NZ Institute of Directors Cyber Risk Practice Guide

In closing it was made clear that Business leaders need to embrace their Cyber Security responsibilities and recognise that while responsibility cannot be abdicated, internal and/or external IT professionals can help identify risks and contribute to the preparation and testing of whole of business responses.

My thanks to the organisers of ITx 2016 and to TUANZ and their excellent stream of presenters:

Rob Snodgrass for his presentation "Corporate Innovation:The Spark Ventures Story
Phillip Whitmore for his presentation "An Introduction to Cyber Security for Business"
Michael Wigley for his presentation "Cyber Security: legal responsibilities of managers and directors"

For more presentations by Lynley Lee.