SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Most Kiwi corporations suffered cyber-attacks in 2023, reveals Kordia
Tue, 5th Mar 2024

Research released by Kordia has exposed the serious consequences of cyber-attacks on some of New Zealand's largest corporations. The study encompassed 216 Kiwi businesses with 100 or more employees and revealed that more than two-thirds (69%) of those who reported experiencing a cyber-attack or similar incident stated they suffered an impact. Among these companies, almost half (46%) found it took more than a month to resolve the issue, with 9% requiring five months or more.

Of the businesses affected by a cyber-attack in 2023, over one-third (36%) reported disruption to their operations, while 29% declared that personal data was accessed or stolen. Alastair Miller, Principal Consultant at Aura Information Security, a cybersecurity advisory and testing consultancy at Kordia, observed a shift towards hackers targeting operational downtime, rather than stealing or encrypting data, as a means of extortion. "It's much harder for organisations to ignore an attack when they can't function for a period of time. The motivation to pay a ransom is greatly increased when you can't generate an operational income," he said.

Interestingly, almost three-quarters (70%) of business leaders stated they would consider paying a ransom to a cybercriminal. "Any cyber-attack disruptive enough to cause a business to completely go offline can cripple a business in days, but the reality is that a major incident can take months to resolve – with costs running into the hundreds of thousands," added Miller.

Miller pointed out that cyber-attacks are not only a threat to privacy but also cause substantial harm to the employees of targeted organisations. "Around a quarter of respondents said recruiting skilled people to manage cybersecurity is a top challenge within their business. Cyber threats in 2023 impacted New Zealand citizens on a new, escalated scale," he warned. This resulted in a cybersecurity labour market that is incredibly constrained, both globally and in New Zealand. "The cyber security labour market is incredibly tight, both globally and here in New Zealand, so being able to hire and retain skilled people is crucial."

The potential harm is not limited to financial loss either. Studies have found that cyber-attacks can cause significant psychological distress, equivalent to political violence or terrorism. "With four in five NZ large businesses in our survey saying they faced a cyber incident in the past twelve months, these incidents will likely be taking a significant toll on the wellbeing of many of our cyber security leaders and their teams," Miller noted.

As cybersecurity threats evolve, New Zealand businesses are keen to see how the new government will respond. Kordia's survey results show that a third (33%) of Kiwi business leaders want the government to increase spending on national cybersecurity. More action to penalise organisations that fail to adequately protect data is also being anticipated. "Australia has made notable changes to cyber security governance, through a slew of legislative changes including harsher privacy law penalties of up to $50 million and mandatory reporting requirements for ransomware attacks. A notable number of respondents have indicated they would be supportive of similar initiatives in New Zealand," commented Miller.