Norton recently released its annual Cyber-security Insight Report for New Zealand. The report found that:
- the amount consumers lost to cyber-crime in the past year was NZD$256.8 million,
- 83% of the respondents are worried that they will become a victim of cyber-crime,
- only 45% of consumers “always” use a secure password,
- only 15% of consumers feel completely in control over their online security, and
- only 38% of the respondents are confident they know what to do if they become a victim of cyber-crime.
Link (Norton): Norton Cyber-security Insight Report (New Zealand)
PwC has released its annual Global State of Information Security Survey.
Key findings for New Zealand include:
- New Zealand organisations are much less confident this year that their information security activities are effective. In 2014, 83.3% of New Zealand organisations were confident or somewhat confident, compared to just 64.7% this year.
- Many organisations are emphasising the people side of the information security equation. However, the survey data suggests that New Zealand is slightly behind the curve at board level. Globally, 34.8% of organisations say their board receives information security risk updates at least four times a year. In New Zealand, only 20.6% receive regular updates.
- New Zealand is falling behind global trends in information security spending.
- 43.3% of organisations have indicated that they have a security strategy in place for the cloud, 40% have mobile malware detection and 50.5% use common identity protection. But more than 40% do not currently have an overall strategy that takes into account the holistic needs of the organisation.
- 28% of organisations with a security incident in the past year suffered a loss or damage to internal records; 25.6% saw their brand or reputation compromised; and 18.3% suffered financial loss.
New Zealand respondents’ top information security priorities for the coming year are:
- identifying sensitive assets;
- security strategy for mobile devices;
- classifying the business value of data; and
- establishing security and baseline standards for third-party vendors, suppliers, and external partners.
Link (PwC): State of Information Security Survey in New Zealand
Europol’s European Cybercrime Centre has released the 2015 Internet Organised Crime Threat Assessment Report. The Report highlights the increasing professionalisation of cybercriminals in terms of how attacks are planned and orchestrated using new methods and techniques, and an increased risk appetite and willingness to confront victims.
Malware remains a key threat for private citizens and businesses. Ransomware attacks, particularly those incorporating encryption, were identified as a key threat both in terms of quantity and impact. Information stealers, such as banking Trojans, and the criminal use of Remote Access Tools also feature heavily in malware investigations.
The report notes that the attention of industry is not yet fully focused on cyber security or privacy-by-design – “many of the so-called smart devices are actually quite dumb when it comes to their security posture, being unaware of the fact that they are part of a botnet or being used for criminal attacks. The Simple Service Discovery Protocol, which is enabled by default on millions of Internet devices using the Universal Plug and Play protocol including routers, webcams, smart TVs or printers, became the leading Distributed Denial of Service amplification attack vector in the first quarter of 2015.”
Link: Europol Internet Organised Crime Threat Assessment Report 2015
A US study of more than 200 data security incidents in 2014 has revealed the following insights:
- employee negligence was the leading cause of data security incidents, demonstrating that technology solutions alone are not enough and that companies also need to drive better employee training and awareness, led by the right “tone from the top” and appropriate information security policies,
- the average time lag between the incident occurrence and detection was 134 days, and
- in the investigation of a breach, regulators most often ask to review companies’ internal policy documents including policies and procedures governing privacy and security, disaster recovery and business continuity plans, and evidence of education and awareness programmes.
Link: The Baker Hostetler Data Security Incident Response Report 2015
The Australian Securities and Investments Commission (ASIC) has released a report to assist the Australian financial sector to improve cyber resilience. Suggested ‘health check prompts’ for cyber-risk management include:
- whether the board and senior management are aware of the entity’s cyber risks
- whether key third-party providers or clients are cyber resilient, and
- whether employees and contractors are properly trained to deal with cyber risk.
Link: ASIC Report