Why is NZ lagging behind the world in cybersecurity?


A recent report by the New Zealand Technology Users Association (TUANZ) found that we are ranked 56th in the world when it comes to cyber security. Why are we so far behind other countries and what should be done to make us better?

TUANZ is a 35-year-old independent organization that represents people who use technology. Its CEO, Craig Young, says they want Aotearoa to be among the 10 countries ready for digital technology by 2030, which includes an introduction to cybersecurity.

The ranking is based on the Portulans Institute’s international network readiness index – and doesn’t look good for New Zealand.

“This year’s report is based on a survey from 2021, and we dropped to 20th from 16th,” he says.

Compare that with Australia, which dropped only from 12th to 13th, while Scandinavian countries and places like Singapore are ranked high. Young says the index addresses a wide range of issues, including how a country uses and develops technology, how its people use it, and whether they receive training.

As part of its 2022 Digital Priorities Report, TUANZ also interviewed 23 senior business and government leaders in New Zealand, including Kiwirail, Spark, NZ Rugby and the Auckland Council.

So how bad is the situation?

The state of cybersecurity in NZ

In 2021, 8831 incidents were reported to CERT NZ, an increase of 13% compared to 2020. Statistics show that 15% of incidents reported to CERT NZ involved direct financial loss, totaling $16.8 million.

A survey released by Kordia Aura Information Security last December found that more than half (55%) of Kiwi businesses were successfully targeted by ransomware attacks in 12 months. Young says New Zealand is not doing well on things like secure internet services or more technical issues.

“It’s pretty sobering to think that New Zealand is in 56th place in terms of cyber security, and I think there are several reasons for that,” he said.

“I think New Zealand companies and organizations felt safe and secure at the bottom of the world. For example, because of COVID-19, we were able to close our borders, because we are an island at the bottom of the Pacific Ocean. We have stopped planes coming and going, and people coming and going because of our physical location.”

But Young points out that this kind of thinking is not suitable for the cyber world.

“We are only a few milliseconds from anywhere and we are very connected to the rest of the world. It only takes a few milliseconds for a message to arrive or leave New Zealand,” he says.

Young says a reputation for not being overly strong in cybersecurity can also make Aotearoa an attractive choice for hackers to target their messages or software. For example, if a hacker’s country of origin may appear as a red flag, targeting it through New Zealand is less likely to cause concern. He says that although New Zealand organizations may think they are big, they are quite small.

“Players from abroad can simply hit them because they have the capacity to do so, they are made to fight the big guys, and our organizations are not that big,” he says.

“We’ve been sitting here in a sense of security because we’re far away, we’re small and we don’t think we have anything of value. Well, actually, we have. It’s very quick to get here and that complacency has made us not too sure.”

But high-profile cyber attacks in New Zealand like the NZX and Waikato DHB have affected how companies view cyber security.

Kordia’s research found that just under half of IT decision-makers say their companies take cybersecurity seriously as a result of these local attacks. In addition, 41% found that they had more cybersecurity discussions within their organization, while 37% expanded their cybersecurity team or agency. The survey also found that 85% of IT decision-makers believe that New Zealand is as or more at risk than the rest of the world when it comes to cyber-attacks, compared to only 67% in 2018. But Kordia’s report also shows that 42% of companies admit that they do not perform crisis simulation exercises to assess their ability to respond to a cyber attack.

And the game is changing.

The growth of hybrid work, fueled by the pandemic, is another security risk.

“If I work for a big company and work from home, I suddenly have a device here that’s connected to the general internet, not just my internal network,” Young says.

“I think a lot of CIOs are struggling to figure out how to pick up cyber skills or cyber skills kits within their organizations for that space.”

Staff development and talent management

Young says one of the most important areas New Zealand companies need to focus on is building cyber security skills in their staff. He says the most successful attacks on organizations often come through phishing or one person.

“With cyber security, you can have all the firewalls or updated software you should have, but if someone lets someone in, you know, it’s like letting someone in the front door, they’re going to come in and go,” he says.

The CEO of TUANZ says Aotearoa also needs cybersecurity experts and a range of talent.

The government’s draft Digital Technology Transformation Plan was open for consultation earlier this year, and Young hopes the final plan will have real strength to not only engage young people in cybersecurity, but also retrain people. He says the skills needed for those working in the cyber field are different from standard IT.

“The people you want in that area aren’t necessarily the same people you used to hire. They’re not necessarily people who are good at running a network. What they’re good at is breaking through the network or they’re good at protecting the network because they know how to break it,” he said.

“They’re good at discovering things or they’re creative. I’m not saying you have to go out and hire a hacker. I’m just saying people have a little different skills than a standard network provider.”

In a TUANZ report, the organization said its research shows that there are not enough local talents in the technology industry to meet demand, and the leaders it interviewed confirmed this perspective. Globally, in 2021, there were 3.5 million unfilled jobs in cyber security, and New Zealand was part of the international struggle to attract talent.

However, in terms of cybersecurity as the government’s focus, Young says it needs to lift the order. The Australian government recently announced the appointment of a dedicated Cyber Security Secretary, Clare O’Neil.

“We don’t have a cyber security minister. It’s not talked about,” he said.

“There are some very good people in government who do some very good things like CERT NZ, but they are not big, they are small and they are targeted at certain things. The government itself has to work hard on its own security because, I think, they keep huge amounts of data for New Zealanders.”

There have been several different government initiatives. For example, in late 2020, it launched the Digital Boost program, which targets small business owners and aims to help them prepare digitally. The training platform offers 500 video tutorials and question and answer sessions, daily live workshops with experts and live support. In the 2022 budget, the government also allocated funds for cyber security, including $30 million for CERT NZ and $320 million for data updates and digital infrastructure for health systems. It is also developing a digital strategy for Aotearoa, which will be released later this year.

Young says this will show the direction the government is going when it comes to things like cyber security.

Automation plays a key role

The CEO of TUANZ says things like artificial intelligence and machine learning are already a big part of strengthening cybersecurity measures.

“People who attack, they use those tools. They use those tools to change things every day, you know, up to or within an hour,” he says.

“If I can’t come one way or the other, they’ll change the messages. So in this situation, you have to fight the fire with fire.”

Young says companies won’t be able to keep up if they don’t have some form of automation. He points to the example of the NZX, where the stock market was bombarded by denial of service (DoS) attacks in 2020.

“The numbers were incomprehensible compared to what we would have seen otherwise. That’s where your automation comes in because it constantly eliminates these things,” he says.

Young says he hopes that in next year’s report Aotearoa will be out of the 50s in terms of cyber security and trending through the 40s. Still, he admits that some things take time.

“Certainly, it is one of those things that we will definitely watch out for and make noise during the year,” he says.
