Why is NZ lagging behind the world in cybersecurity?
A recent report by the Technology Users Association of New Zealand (TUANZ) has revealed that we are ranked 56th in the world when it comes to cybersecurity. Why are we so far behind other countries, and what must be done for us to be better?
TUANZ is a 35-year-old independent organisation that represents the people who use technology. Its CEO, Craig Young, says they want Aotearoa to be in the top 10 digitally ready nations by 2030, which includes getting up to speed on cybersecurity.
The ranking is based on the international network readiness index by the Portulans Institute - and it's not looking good for New Zealand.
"This year's report is based on 2021 research and we've dropped down to 20th from 16th," he says.
Compare that to Australia, which only dropped to 13th from 12th, while Scandinavian countries and places like Singapore rank highly. Young says the index looks at a wide range of issues, including how a country uses and develops technology, how its people use it, and whether they are being trained.
As part of its Digital Priorities Report 2022, TUANZ also interviewed 23 senior business and government leaders in New Zealand, including Kiwirail, Spark, NZ Rugby and Auckland Council.
So, just how bad is the situation?
State of cybersecurity in NZ
In 2021, 8831 incidents were reported to CERT NZ, a 13% increase on 2020. The statistics show that 15% of the incidents reported to CERT NZ included direct financial loss, with a combined total value of $16.8 million.
A survey released by Kordia's Aura Information Security last December found that more than half (55%) of Kiwi businesses have been successfully targeted by a ransomware attack in 12 months. Young says New Zealand doesn't do well regarding things like secure internet service or the more technical issues.
"It's quite sobering to think that New Zealand ranks 56th in cybersecurity and I think there's a couple of reasons for that," he says.
"I think that New Zealand companies and organisations, felt safe and secure by being down the bottom of the world. For example, for COVID-19 we were able to close our borders, because we're an island down the bottom of the Pacific Ocean. We stopped planes coming and going, and people coming and going because of our physical location."
But Young points out that this kind of thinking doesn't cut it in the cyber world.
"We're only a few milliseconds from anywhere and we are heavily connected with the rest of the world. It only takes a couple of milliseconds for a message to come or leave New Zealand," he says.
Young says a reputation of not being overly strong in cybersecurity can also make Aotearoa an attractive choice for hackers to route their messaging or software. For example, if the hacker's originating country may come up as a red flag, routing it through New Zealand is less likely to cause concern. He says while New Zealand organisations might think they're big, they're quite small.
"Overseas players can just hammer them because they have the capacity to do so, they're built to take on the big guys and our organisations aren't that big," he says.
"We've sort of sat here in a feeling of security because we're a long way away, we're small, and we don't think we've got anything of value. Well, actually, we do. It's very quick to get here and that complacency has led us to be in a place of not being overly secure."
But high-profile cyber attacks in New Zealand like the NZX and the Waikato DHB have affected how companies view cybersecurity.
Kordia's survey found just under half of IT decision-makers say their businesses take cyber security more seriously as a result of these local attacks. In addition, it found 41% had more discussion around cyber security within their organisation, while 37% expanded their cyber security team or agency. The survey also revealed that 85% of IT decision-makers considered New Zealand equally or more at risk as the rest of the world when it came to cyber-attacks, up from just 67% in 2018. But Kordia's report also found that 42% of businesses admit not running crisis simulation exercises to assess their ability to respond to a cyber-attack.
And the game is changing.
The growth of hybrid work, spurred on by the pandemic, is another security risk.
"If I work for a large corporate and I'm working from home, suddenly I've got a device here that's connected to the general internet, not just that it's connected to my internal network," says Young.
"I think a lot of the CIOs are struggling with trying to figure out how to raise the cyber skill sets or the cyber ability within their organisations for that space."
Upskilling staff and having a talent pipeline
Young says one of the most important areas New Zealand companies need to focus on is building cybersecurity skills in its staff. He says most successful attacks on organisations often come through phishing or one person.
"With cyber security, you can have all the firewalls or the up-to-date software that you should have, but if somebody lets somebody in, you know, it's like letting someone in the front door, they're gonna get in and go for it," he says.
The TUANZ CEO says Aotearoa also needs cybersecurity experts and a talent pipeline.
The draft of the government's Digital Technologies Industry Transformation Plan was open for consultation earlier this year, and Young hopes the final plan will have a real drive towards getting not only younger people into cybersecurity but also retraining people. He says the skills required for those working in the cyber area differ from standard IT.
"The people that you want in that area aren't necessarily the same people that you've generally hired before. They aren't necessarily people who are good at running a network. What they're good at is breaking into a network or they're good at protecting a network because they know how to break it," he says.
"They're good at ferreting things out, or they're creative. I'm not saying you have to go out and hire a hacker. I'm just saying that people have slightly different skill sets than just the standard network provider."
In TUANZ's report, the organisation said its research shows there is not enough local talent in the tech industry to meet demand and the leaders it interviewed confirmed this perspective. Globally, there were 3.5 million cybersecurity jobs unfilled in 2021, and New Zealand was part of an international scramble attract talent.
In terms of cybersecurity as a government focus though, Young says it does have to raised up the pecking order. The Australian government recently announced the appointment of a dedicated Cybersecurity Minister, Clare O'Neil.
"We don't have a minister for cybersecurity. It's not really talked about," he says.
"There are some very good people in government doing some very good things like CERT NZ, but they aren't big, they are small, and they are targeted to specific things. The government itself has to do quite a lot of work on its own security because I mean, they hold huge swathes of data for New Zealanders."
There have been several different government initiatives. For example, at the end of 2020, it launched the Digital Boost programme, which targets small business owners and aims to help them get digitally ready. The training platform offers 500 video tutorials and Q&A sessions, daily live workshops with experts and live helpdesk support. In Budget 2022, the government also set aside funding for cybersecurity, including $30m for CERT NZ and $320m for updating data and digital infrastructure for health systems. It's also developing the Digital Strategy for Aotearoa, which will be released later this year.
Young says that will show the direction the government is taking when it comes to things like cybersecurity.
Automation plays a critical role
The TUANZ CEO says things like AI and machine learning are already a huge part of beefing up cybersecurity measures.
"The people who are doing the attacking, they're using those tools. They're using those tools to change things daily, you know, to or within the hour," he says.
"If they can't get in one way or another they'll change the messaging around. So you got to fight fire with fire in this situation."
Young says companies won't be able to keep up unless they have some form of automation. He points to the NZX example, where the stock exchange was bombarded with Denial-of-Service (DoS) attacks in 2020.
"Numbers were incomprehensible compared to what they would normally see. That's where your automation comes in because it continuously bats away these things," he says.
Young says in next year's report, he's hoping Aotearoa will be out of the 50s for cybersecurity and trending through the 40s. However, he acknowledges that some things take time.
"Certainly, it's one of those things that we're definitely going to be keeping an eye on and making some noise on during the year," he says.