Too many organisations think of cyberattacks as just an "IT problem", according to a cybersecurity expert.
That is despite recent high-profile attacks and the fact that CERT NZ figures show cybersecurity incidents caused nearly $17 million of direct financial losses in New Zealand last year alone, says cybersecurity consultant and former Air New Zealand Chief Information Security Officer (CISO) Michael Wallmannsberger.
Everyone still looks at the IT team whenever there's an issue, he says, but all business leaders have a role in cybersecurity: "Before an incident, nobody wants to listen to the CISO. After the incident, everyone becomes a CISO.
"Often the conversation about security problems turns to who stuffed up – but looking for who to blame for these systemic issues doesn't help respond to them more effectively. We need to start thinking of cybersecurity as a capability rather than just a deliverable.
"This change in attitude is really important because the reality is the cybersecurity issue has been a long time in the making and is only going to get tougher with time."
Wallmannsberger says there are three areas organisations can work on to help improve their defences and engage the rest of their people more effectively:
- Make it everyone's issue by managing cybersecurity threats and responses through a cross-functional group.
- Empower and enable security leaders with the access and influence they need to be effective.
- Reframe the issue with your people by talking less about security and more about the trust currently enjoyed with customers and stakeholders and the resilience of the systems behind the products and services you provide.
CERT NZ Director Rob Pope says expert and easy-to-follow advice is freely available, whatever the size or shape of an organisation.
"There is a wide range of incidents that can and do happen but we understand that not every organisation or business has enough dedicated resource to address cybersecurity.
"CERT NZ is one of a number of different agencies who have the knowhow to help people. Whether it's technical advice for IT specialists, tips and alerts for business owners or the latest on common threats for individuals, help is at hand.
"We operate a 'no wrong door' approach which means if there's someone better placed to help you, we'll point you in their direction.
"The results of cybersecurity attacks are wide-ranging and can include the loss of income, assets or customer goodwill," says Pope, "so it's time organisations started widening their view of responsibility and seeing cybersecurity as more than just an IT issue – it's a business issue."