Combating cybercrime with a robust cybersecurity strategy

Cyber risk: reputational damage and revenue loss

June 13, 2024

When an organisation falls victim to a cyberattack, it can be devastating for its revenue and reputation, and it can be many years before it fully recovers. Cybercrime is an invisible, mercurial foe that shifts and changes as technology evolves - which is why businesses need to be constantly alert to potential threats and how to mitigate them.

Multiple high-profile cyberattacks in recent years show the real-world impact of cybercrime. For example, DDoS (Distributed Denial of Service) attacks against financial organisations and the banking sector significantly disrupted financial operations, disabling trading and online banking for days, and ransomware attacks against the health sector resulted in hospitals being shut down, risking patients' lives and exposing their private information.

Those are just examples of attacks which hit the headlines, but there continue to be multiple threats, and every organisation – large, medium, and small – is a target. Criminals operate globally, and New Zealand is very much in their line of sight.

Businesses can expend a lot of resources on people, process, and technology when it comes to cybersecurity, so it’s important to be strategic in your approach. Mind maps published by two leading global CISOs, Henry Jiang and Rafeeq Rehman, give an indication of the complexity and sheer number of moving parts that those responsible for cybersecurity must be across.

As accountability for cybersecurity always lies with the business, the first step is to identify who will take on this responsibility, whether they will have a team, and whether they will work with a Managed Security Services Provider (MSSP). The next step is for that person to develop a cybersecurity strategy, and an excellent resource for this is the NIST Cybersecurity Framework (NIST CSF).

At Spark, we incorporate elements of the NIST framework when developing a cybersecurity strategy, for ourselves, and for our partners. There are also six guiding principles we apply.

1. Align to the business strategy

Don’t do cybersecurity for its own sake; it needs to align with your business strategy. Cybersecurity is meant to be a business enabler, ensuring the business can continue to function and generate revenue even while under a cyberattack.

Annual reports, strategy documents, and talking regularly with key business stakeholders will keep you aligned with business goals.

At Spark, we work hard to help New Zealand businesses win big through digital technology such as 5G networks, cloud adoption, IoT (Internet of Things) and automation. Knowing these are some of Spark’s key areas, my team is focused on enabling our business by establishing strong cloud governance, as well as DevSecOps, to ensure that our solutions and technologies are as secure as they can be.

2. Take a risk-centric approach

Cybercrime is one of the many risks a business faces, alongside health and safety, natural disasters, and crimes such as fraud and ram raids. Adopting a risk-centric approach will help your organisation understand the specific risks facing your business and prioritise how to mitigate them, based on the potential damage they can cause, whether that is revenue loss, reputational damage, or operational impact. Constraints such as limited resources, budget, and time will also help guide how you prioritise which risks matter most.

When considering potential threats, think about what would have the most impact on your business. Is it malware, ransomware, DDoS, or a combination of all three? A DDoS attack will likely be detrimental to a business that generates most of its revenue online, whereas a DDoS attack against an accounting firm is unlikely to be a revenue-impacting event.

CERT NZ’s quarterly reports and the National Cyber Security Centre’s annual reports are both good places to learn about current threats to New Zealand businesses.

3. Adopt a ‘when, not if’ mentality

Assume you are a target and invest in detection capability that enables you to know when you are under attack. Then plan for what to do when an attack occurs by creating an incident response plan. The CompTIA State of Cybersecurity 2024 report noted that 45% of enterprises in its survey are placing higher priority on determining the proper response to incidents.

When creating the plan, consider roles and responsibilities, look at how you can test its effectiveness before you need it, and think of ways to make the wider organisation aware of its existence. Spark recently asked New Zealand businesses when they last tested their incident response plan, and found that 52% of New Zealand businesses had done so in the last six months.

There are plenty of incident response templates available online, so you don’t need to ‘reinvent the wheel’ when it comes to developing your own plan. Consider then what type of testing will make the most impact. Defining the goals and anticipated outcomes of your security testing process will help make sure you are turning the dial on your security posture with each test.

4. Modernise security architecture during digital transformation

As part of your organisation’s digital transformation, put the emphasis on modernising security architecture. Long gone are the days when we put our most precious assets and critical data at the centre of our core network and relied on the perimeter to protect them.

The increasing adoption of cloud, along with many users now working from home, means traditional perimeter protection no longer achieves a secure outcome on its own. Adopting Zero Trust principles as part of your business’s digital transformation will help ensure you are well positioned to securely adopt new and evolving cloud technology.

5. Measure and grow your organisation’s cyber maturity

Unless you strategically put in place a way to uplift your organisation’s cybersecurity, nothing is likely to change. Start by using tools such as cybersecurity metrics to measure and understand your current capability, and then determine where you want to be in the next quarter, half year, and full year.

There are a number of good cybersecurity maturity assessment frameworks available online, including the NIST CSF mentioned above. These frameworks give you a good reference for establishing key metrics that you can use to measure and report on your current and future cybersecurity maturity. For credibility, it’s important to seek expert advice alongside using these frameworks. A maturity assessment is also a helpful tool for demonstrating to your Board and senior management the progress your organisation is making in uplifting its cybersecurity capability over time.

6. Protect your Crown Jewels

Organisations have finite resources, money, and time, so I suggest spending 80% of your effort on protecting the assets that are the most precious, the ‘Crown Jewels’.

- Nyuk Loong Kiw, Spark Cyber Defence Chapter Lead

Crown Jewels are defined as the most critical information assets, those which, if compromised, could severely undermine the business’s ability to make money and continue to operate. Examples include IP, executive/board papers, pricing data, HR/payroll data, contracts, market intelligence, and cybersecurity details.

These are the assets that get the full cybersecurity treatment, such as ongoing penetration testing, user access reviews, and network segmentation. The remaining assets must still be protected with mandatory baseline security controls and vulnerability management.

To quote Sun Tzu, the Chinese military strategist: “Hence that general is skilful in attack whose opponent does not know what to defend; and he is skilful in defence whose opponent does not know what to attack.”

Sun Tzu wrote the seminal book on strategy, ‘The Art of War’, and his advice has rung true throughout the ages. Whether the weapons are swords or source code, it’s important to always remember the enemy is out there, ready to strike. The only way to triumph is to have a battle plan that is tailor-made for your business.

Cybercrime is flourishing, and the people with the skillset to combat it are in high demand, which is why partnering with a trusted service provider can be a wise alternative to trying to do everything in-house.

As New Zealand’s largest telco and digital services provider, Spark has a team of 180 security professionals who oversee our network, and as a managed security service provider (MSSP) we work with businesses throughout New Zealand, large and small, to help them protect their most prized digital assets. We’re here to help your business develop its cybersecurity strategy and roadmap.

Nyuk Loong Kiw
Spark Cyber Defence Chapter Lead

ABOUT THE AUTHOR

Nyuk Loong Kiw is a proven information security professional with over 22 years’ experience in cybersecurity. His areas of expertise are network security, incident response, and security design/architecture, along with 10+ years of team and technical leadership experience.
