Cyber: The inside track

In the information age, our digital landscapes are also battlegrounds.

Cyberattacks can swiftly bring down individuals, companies, and government departments alike – it can even overwhelm key infrastructure.

And this type of subterfuge isn’t something unique to the global powers – it happens right here, at the bottom of the world in Aotearoa. Last year a cyberattack on a North Island health board exposed thousands of people’s sensitive patient files, and in July of this year, a Russian hacker group claimed responsibility for a network probe that saw a range of major New Zealand government websites crash.

The old stereotype of a hoodie-wearing hacker in a basement has evolved into a dynamic threat that’s impossible to dismiss.

It’s hard to get companies that have been attacked to talk about it, however Z Energy was good enough to talk about how it works to defend itself and the kinds of risks they face every day.

“We have encountered a number of compromises of companies in our ecosystem where we had reason to believe that our information was stored – in the email system, for instance,” says Marek Jawurek, head of information security at Z.

“No one is an island. You procure services from everywhere: you engage with a supplier that becomes, even, a partner, and you have to trust them to some extent, but also make sure that they look after your information with the right care.”

Z faces challenges most companies may not. Some cybercriminals may simply be chaos agents, or opportunists – but people who object to the fossil fuel industry, or want to exploit its strategic role as a fuel supplier, are an added risk.

“There’s various angles where Z has a different threat landscape than others due to what we do and the importance of the services we provide … during a crisis, supplying the police and the firefighters and critical services with fuel.,” says Jawurek.

But cybersecurity isn’t as straightforward as being hypervigilant. Businesses have to balance protecting their staff with avoiding cumbersome obstacles that get in the way of getting the job done efficiently.

Jawurek says Z’s strategy is designing systems that try to eliminate or reduce the potential for human error. Nobody wants to be the person who clicks a phishing link in their work emails, or accidentally brings in ransomware to the network, he says.

Bringing in multi-factor authentication, or MFA – which means using a second device or piece of data to confirm sign on – and EDR, endpoint detection and response – a range of tools to work out what devices are connected and can connected to your networks – has meant his team is no longer in “firefighting mode”.

“We used to have a weekly ‘thing’ that we needed to look at. Now that has gone down to once or twice a quarter.”

These tools aren’t just preventives. They’re also diagnostic – helping Jawurek and his team quickly identify what happened when something does go wrong. Take the classic example of the phishing link:

“We used to take the whole laptop and reimage it just because we lacked visibility of what happened … Nowadays, we can actually examine what link that was, when they did this, what happened on the device or on a system level after they clicked on the link.

“What previously took us four hours of the day is now five minutes at most.”

But because the digital environment is constantly evolving, fighting cyberattacks requires constant re-interrogation of your own systems.

With AI added into the mix, cybercriminals’ arsenals are limitless, says Global Incident Response Solution Lead at EY New Zealand Adrian van Hest. They could create 500,000 new variants of malware a day, if they wanted.

“It’s very hard for people to keep up,” van Hest says.

EY has research that puts companies into two camps when it comes to cyberattack preparedness: “secure creators”, that are primed and ready for threats; and “prone enterprises”, those that lack adequate defences and are more likely have successful attacks executed against them.

Van Hest says he finds it takes a wake-up call to make some organisations take cybersecurity seriously.

“Somebody really needs to make it real for them. If there’s another organisation in the sector that has experienced something, and the organisation is close enough to understand the pain, the reality, the trauma, the challenge, then organisations are motivated.”

The most commonly used way to break into a company’s network is through its own staff – their passwords and credentials. It’s a concept known as “social engineering”. Cybercriminals will find ways to get a staff member to release their credentials unwittingly.

“Somewhere in the region of 70 percent of compromises happen with authorised access. It’s your staff, or your trusted third parties.”

Knowing where to start with cybersecurity is key, says Nicola Hermansson, who leads EY’s cyber security and private practice team in New Zealand. This often boils down to what you want to protect, and who your attackers are and what they’re interested in.

EY is one of the organisations offering their services to companies who want to put their cybersecurity goods to the test.

“We've got some very skilled people that put on the bad guy hats and try and break into your organisation,” says Hermansson. “The idea behind that is we find the gaps before the bad guys do, and give you the clarity around where those gaps are and what you need to do to fix them.”

One of Kiwis’ most common weaknesses? Our sense of southern hospitality.

“Having moved to New Zealand seven years ago from the UK, one of my first observations was, gosh, people here are so nice, compared to the Londoners that I used to work with!” says Hermansson.

“And as nice people, we try and be helpful … when someone's behind us, we open the door and let them in. People want to help other people out. But what attackers do is they often prey on that.”

But our unique position as New Zealanders can also be an advantage, says Don Christie, managing director of Catalyst IT.

Christie is an advocate for what’s called data sovereignty – the idea that New Zealanders need data stored locally, using technology they have some control over, instead of relying on international suppliers.

“Where there's an opportunity for New Zealand to take a lead is by creating cyber resilience at a national level,” Christie says.

“We are a small country, and that works in our favour. So we can protect internet endpoints, home internet connections, or small business internet connections far more robustly than would be possible overseas, because we have so few connections. Because we have so few, we can monitor them … we could build capability in New Zealand to make this a far safer place. And this could again be under New Zealand's control as opposed to having to rely on overseas actors.”