Tentacles of cybercrime a real threat to blase NZ businesses

COLIN SLATER

OPINION: Last year was 12 months of fraud, espionage, online warfare, hacktivism and other evils: Businesses have never felt so vulnerable to attack. New Zealand enterprises now face a real threat to their reputations, profits and futures - cybercrime.

This country - previously considered a relatively safe haven - has seen an unprecedented rise in the number of crimes committed using computers and the internet.

It is the third most frequent form of fraud to hit businesses. PWC's recent New Zealand and Global Economic Crime survey shows that of the one in two New Zealanders who say they were a victim of fraud in the past year, a quarter were subjected to one or more cybercrime-related issues.

That's a big number for our small country and reflects a growing problem to be addressed and faced head-on.

Well-planned and co-ordinated attacks have embarrassed governments and a range of companies from financial institutions to defence contractors and large corporations. High-profile security breaches have alerted New Zealand business leaders to the issues, and with growing computer awareness and dependency they're finally connecting risk to their reliance on technology.

For the first time, the "likelihood" part of any risk assessment has moved from "possible" to "probable".

Importantly, this growing awareness has focused the spotlight on the information technology industry, bringing the intricate complexities of what are seemingly impenetrable technical issues into everyday business conversations.

Businesses are grappling with how to protect their information and assets in the most secure way, yet, in a contradictorily move, old security measures are fast being removed as they seek to be more open and share more.

Today's business strategies encourage this trend for sharing information and "red-tape" removal as they strive to achieve more agile business models with faster decision-making processes at the expense of fully understanding the true security risks.

Users expect everything to be available at the click of a mouse, while we're busily social media sharing and updating personal information online.

This relatively new "act now, think later" approach sits in stark contrast to the conservative and considered "need-to-know" approach of days gone by.

However, business leaders and public institutions still have a long way to go. They aren't doing enough, or in many cases anything, to protect their interests as digital crime becomes easier.

We wouldn't leave our front door open and provide directions to the safe, inviting burglaries. So why don't we protect intellectual property and R&D investments better? Surely we have a duty to protect client information as much as we do our own trade secrets.

Worryingly, we know that almost 40 per cent of business people here haven't had any cyber security training in the past year. Some tell us they believe the risk of cybercrime will increase or remain the same, while, alarmingly, 34 per cent say their organisation doesn't have the in-house capability to prevent or detect incidents.

For those who have taken steps, very few have so in a planned fashion, resulting in a high degree of frustration that investment is not providing a sense of "return". Like all great business strategies, proper planning prevents, you know.

While the rapid change in technology is making it difficult for organisations to keep pace, in reality the technology is the least of the challenge. The primary issue for under-attack organisations is figuring out how technology can affect business risk profiles, such as damage to reputation or revenue.

Measuring and quantifying loss after an attack, or simply tracking what has been compromised, is a long and costly exercise - assuming an organisation even notices a security breach.

For example, earlier this year, investigations uncovered the "Shady RAT" attack that had remained hidden for up to five years, exposing around 70 organisations and their detailed confidential information to a "spear- fishing" email malware attack. It is believed the attack originated as part of an overseas government-led scheme. Sony was also hit last year when its customer information was stolen, reportedly costing it an estimated $1.32 billion.

If the security of your business and reputation is something you hold dear, join me in making 2012 the year of thwarting the hacker.

Plan ahead, understand your risk profile, plan what you wish to protect, be aggressive in your commitment to seeking and fixing vulnerabilities in your systems, and - above all else - operate with greater caution.

Remember, cyber criminals can lurk anywhere, inside or outside your organisation, in the building next door or even overseas. Detection risks are low and rewards high for tech-savvy criminals. Let's make their job more challenging and don't leave your organisation open as a tempting target.

Colin Slater is a partner at PWC New Zealand, advising on security and technology.