Latest ransomware attack prompts cybersecurity questions | Insurance Business New Zealand
With the latest international ransomware hit striking New Zealand’s schools, the issue of cybersecurity is firmly in the spotlight once again – and, according to experts, many of New Zealand’s companies are still taking the wrong approach to securing their systems.
Over 100 North Island kindergartens were forced offline in an international attack this week and had to return to pen and paper for their day-to-day operations.
Thales ANZ director Brian Grant noted that the insurance and financial services sector was one of its biggest cybersecurity clients, and said that many insurers were still adopting a “tick off a list” approach to security. However, he said that companies using this approach and expecting good results are “probably in trouble.”
“When insurers look at securing their systems, they generally take the approach of ‘here is a list of things I need to do,’ and then they go down that list and tick things off,” Grant said.
“So, they’ll say: ‘I need to secure access to my people - tick,’ and they’ll go through a list as opposed to taking a step back and asking how they can be different, and how they can secure their entire organisation rather than just going through a list.”
“It’s a trap that a lot of companies and cybersecurity people fall into,” he explained.
“They have a list of controls, and they think that by ticking off that list, they’ll ultimately protect their business. Sometimes that can work, but, most of the time, everyone is checking off the same list. So, you’re not doing everything different, and if everyone else is getting breached and successfully attacked and you expect that you’re not going to be, then you’re probably in trouble.”
Grant said that while New Zealand has invested significant amounts of money and resources into cybersecurity, the ongoing successful attacks show that the return on investment is relatively small.
He said security companies also need to do more to raise awareness of cybersecurity issues, and to encourage companies to take a ‘broader picture’ of how they can secure their systems and data.
“New Zealand has very much followed the same trend of taking the same strategy as everyone else, spending a lot on cyber security, and yet still having a lot of data breaches,” Grant said.
“We hate it when anyone gets successfully attacked - it’s terrible, and it reflects badly on the cybersecurity sector as a whole. We’ve got to do better, and we need to encourage organisations to change their mindset away from compiling ‘lists’ and towards thinking more strategically around how they can make themselves more secure.”
“There are a lot of resources out there for companies to make use of,” he added. “Telstra’s ‘five knows of cybersecurity’ is a really good pointer to how to start the journey on protecting data, and it talks about the value of your data, where it is, and who has access to it. That’s a really useful starting point.”