New Zealand cybersecurity – what’s coming in 2022


Trends, predictions and a few warnings

While we don’t pretend to have a crystal ball, our team is immersed in the world of email cybersecurity – they see the pressures, the increases and the legislative and business shifts that can have a real impact on their clients. So we gathered those brains to hear their predictions for 2022. There’s some good news, some surprising shifts and a fair few warnings. Here’s what to expect this year.

1. Cybersecurity breaches will make headlines

Cybercrime is big business – it’s sophisticated, organised and relentless. The market, if you can call it that, has also significantly increased since the start of the pandemic – last year, a data breach cost $4.2m on average, up from $3.8m in 2020, continuing a year-on-year increase of 15%. Whole industries, secondary markets and supply chains have sprung up around finding and selling harvested credentials and access to exploited systems. People specialise in different roles and functions, just as in legitimate industries. Eventually, something will get through.

So, we can expect to see something give, with at least one major vulnerability affecting billions of people this year. It’s a question of when, not if.
 
The good news is that the cybersecurity industry in New Zealand has proven again and again that it has the expertise, resources and willingness to work together at pace to minimise negative impacts.

2. Legislative changes will make cybersecurity a board priority

The new Privacy Act 2020 has some key additions that will put cybersecurity squarely on the agenda at board meetings. The Act came into effect last December and now makes it compulsory for an organisation to notify the Privacy Commissioner of a data breach involving personal information. It’s also added new criminal offences and fines for managers and directors found to have been negligent in protecting personal information – including how any third-party providers are handling data. That puts some teeth behind the issue – IT managers will find they’re not the only ones worrying about cybersecurity anymore.

3. Shift to more data being stored on-shore

The new Privacy Act also stipulates rules around data sovereignty – personal data can only be stored outside of the country if the privacy landscape in the host country is just as robust as New Zealand’s. Since few international data centres even mention NZ legislation, organisations will have to carefully review the security setup of each host country and data centre against local requirements – a potentially arduous process. Luckily, multiple large data centres soon going live in New Zealand will offer a simple solution – keep the data here. This will also come with some other benefits including easier oversight, less likelihood of outages, a potential price drop and lower latency times.

4. More New Zealand-targeted attacks are coming

New Zealand’s size, distance and isolation are no protection against attacks. If anything, we’re more vulnerable. More than 95% of NZ businesses and agencies are currently using or moving to M365, which means one vulnerability can impact pretty much every business in NZ.
 
As a small but highly-industrialised nation, we are a favourite testing ground, so a higher proportion of attacks are ones we’ve never seen before. Our national identity also makes us easy targets – we’re open, honest and trusting. We also run nimble businesses, with owners and managers often taking a DIY approach to specialist functions like finance, HR and IT security.
 
It’s not hard to guess that we’ll see more of those NZ-targeted attacks this year, but it’s not all bad news. Our small size makes us vulnerable, but also easier to protect – if we can get all the trusted brands in NZ to deploy DMARC and other best-practice email security policies, the risks to NZ businesses and consumers reduce dramatically. That’s because DMARC protects against spoofing and impersonation attacks like phishing and whaling, as well as against receiving malware from stolen identities. Similarly, if companies make smart decisions around Microsoft 365 security, remote working and data security, they can shore up most of their vulnerable points of entry.

5. People are the real targets

While BEC (business email compromise), C-suite and phishing attacks impersonate well-known organisations, it’s worth remembering that their ultimate goal is to get money out of people. This wasn't always the case. Spam targeting individuals was once fairly low level. In the last five years, it’s become big business. Now, social engineering (aka digital cons) and privilege abuse (where a user’s access privileges are exploited) are the two biggest threats to organisations today. Cyberattacks exploit bugs in software to get to people, of course, but the real vulnerability is human fallibility. We click links in malicious emails, transfer funds to illegitimate bank accounts or leave personal information and credentials unprotected.

6. A continued need for specialists to supplement large, generalist providers

While core offerings from Microsoft, Google and other providers are very good, they’re still letting targeted attacks through – their generic filtering capabilities catch the big stuff, but are lacking when it comes to the needs of Australasian organisations. For example, their HIPAA compliance is excellent, but Kiwi organisations will struggle to get specific routines, like NHI number detection or compliance with New Zealand’s Privacy Act 2020. Those businesses with specific requirements, like bulk sending, will find their offering lacking.
 
This means specialist – and, importantly, local – providers will continue to be crucial in closing those gaps for Australia and New Zealand.

Prepare, don’t panic

While it’s true that organisations in Australia and New Zealand should be braced for more targeted and sophisticated attacks, the region is well set up to minimise disruption. New privacy legislation will make cybersecurity a board-level issue, while new local data centres will reduce risk and proven local expertise can catch and minimise attacks early on.

The key outtake behind these trends is to be prepared – look into how your platforms are protecting you against local threats, consider where your data is being housed and take steps to shore up your systems, particularly that ever-vulnerable email.

For more support or information on how you can be prepared in 2022, get in touch with the team at SMX.

Photo by Kevin Ku on Unsplash