New report finds New Zealand employers lagging when it comes to cybersecurity
The proliferation of artificial intelligence is fuelling the rise of cybercrime, according to an expert, who lamented the lagging cybersecurity measures across organisations in New Zealand.
Findings from Kordia's annual New Zealand Business Cyber Security Report revealed that 59% of businesses in the country were targeted by a cyber-attack in the past year.
Nearly half of these incidents (43%) were caused by email phishing, according to the report.
Alastair Miller, Principal Security Consultant at Kordia-owned Aura Information Security, attributed the "high" cases of email phishing to the rise of AI-generated cybercrime tactics.
"AI-generated cyber-attacks are the new frontier of cybercrime," Miller said in a statement. "The democratisation of increasingly sophisticated AI technology has catapulted the effectiveness and speed of cybercrime to extraordinary new heights."
According to Miller, AI has allowed greater personalisation and adaptability of phishing emails by mimicking writing styles or contextualising messages in a timely manner. It also enabled greater levels of automation, which resulted in highly scalable and incredibly efficient tactics for cyber criminals.
"AI has lowered the cost of entry and time investment needed by cybercriminals to craft, refine and adapt social engineering campaigns," Miller said. "As a result, we're seeing a surge of businesses reporting attacks involving sophisticated email phishing, something that we expect will continue to increase."
But the threat of AI does not stop at phishing attacks, according to the report. It noted that the unsanctioned use of AI tools by employees in the workplace is also putting businesses at risk.
"Employees are either accessing AI tools like ChatGPT without company knowledge or are not following any guidelines around data management to prevent exposure of company data to AI training models, for example, by feeding the AI with commercially sensitive or private information," Miller said.
In fact, the report noted that six per cent of cyber incidents involved an AI-related data breach.
"So even though AI implementation is rather new, we're already seeing some of the consequences of poor AI usage in this country," Miller said.
With AI-related threats on the rise, 28% of employers said they consider AI-generated cyber-attacks as a top threat to their business. However, the report noted that many businesses are not taking steps to improve cybersecurity. These include:
Not performing a penetration test in the past 12 months (67%)
Not monitoring or logging activity in their network (20%)
Not having any cybersecurity awareness/training in place (26%)
Not having awareness of any vulnerability management programme in the business (33%)
"It's disappointing to see New Zealand businesses lagging behind – around one third of businesses say they don't do any reporting on cyber risk to their board of directors, and around half haven't practised their cybersecurity response plan," Miller said.
"Bearing in mind that the businesses we surveyed are amongst some of the largest in the country and the biggest employers, we'd have liked to have seen more evidence of a focus on cyber issues."
According to Miller, their findings show that despite concerns around cybercrime, it's still not being taken seriously enough by organisations.
"Building and maintaining a strong cybersecurity posture comes down to doing the basics right, taking a risk-based approach, and always keeping one eye on the horizon for new and evolving threats," he said.
In line with this, Kordia recommended the following areas for cybersecurity this year:
Risk assess AI, and other emerging technologies
Factor third parties into business continuity plans
Take a risk-based approach to security investments
Treat identity as a security foundation
Prepare for quantum, the next wave of encryption