New figures from Grant Thornton reveal that extortion and blackmail are more common forms of cyber-attack on businesses than theft of data or intellectual property.
This comes as the volume of attacks globally has risen sharply over the last 12 months. According to Grant Thornton, the findings lay bare the diversity of the threat to businesses today and the breadth of the response needed to remain resilient.
Grant Thornton’s International Business Report (IBR) survey finds that in New Zealand, 28% of businesses surveyed have faced a cyber-attack over the past year, placing Kiwi businesses eighth in the league table of 37 countries surveyed.
Nearly one in four businesses worldwide (21%) have faced a cyber-attack over the last 12 months, compared to 15% who said the same a year ago.
Of those who were attacked, the most common form of cyber-attack cited globally was damage to their business infrastructure (22% of firms). But other forms of cyber-attack experienced include using blackmail or extortion to obtain money (17%), a more common occurrence than theft of customer financial details (12%) or theft of intellectual property (11%).
Hamish Bowen, Partner, IT Advisory and Security at Grant Thornton New Zealand says, “Blackmail and extortion have been experienced more than theft because these types of attacks exploit the weakest link in an organisation, which is often people who are unaware of how their actions can open their organisation up to some serious vulnerabilities. The success of these attacks is also helping to fund more cyber-crime.
“In New Zealand there’s a common misconception that our physical location somehow shields us from cyber-attacks. Unfortunately the tyranny of distance doesn’t serve us well in this instance; our physical remoteness is irrelevant to attackers and is of no consequence to the exposure to cyber-attacks.
“Businesses will face larger financial loss from reputational damage, theft of customer details and intellectual property, and infrastructural damage.
“Regardless of the type of attack, it’s not a question of ‘if’, but ‘when’ your business will be attacked, so cyber security must become a priority for all organisations.
“Our own research here in New Zealand has revealed that cyber-security is one of the key top-of mind risks for organisations, but for most, risk management is increasingly being viewed as just a compliance or box-ticking exercise; recognising the risk is insufficient to protect your organisation.”
The IBR findings also reveal that globally, of those business leaders who have faced a cyber-attack in the last 12 months, nearly one in eight (13%) only realised the attack had occurred more than a week after the event. For 4%, it took longer than a month.
Bowen says, “We need to realise security for an organisation is a system of protection, prevention and response that requires people, process and technology. We have too often focused on the technology component leaving ourselves exposed to common threats like ransomware, because we are not investing in security training of people and improving our general security processes.
“This requires urgency and an investment in minimising the damage when the inevitable happens.”