Better level of maturity needed for SMEs fighting cyber-attacks

Small-to-medium enterprises form the backbone of New Zealand business, so it’s no wonder this country is often an easy target for offshore cyber-criminals.

The statistics speak for themselves and make for harrowing reading – 70% of have been subjected to phishing attacks and almost half have been exposed to other types of cyber-attacks.

With this as the status quo, I was curious to learn more about how the National Cyber Policy Office (NCPO) is testing the delivery of a 'Cyber Credentials Scheme' to protect New Zealand’s SMEs. A simple $400 solution for the NCPO to assess and learn more about protecting SMEs against cyber threats certainly sounds like a great start.

However, I believe the problem runs deeper because these same issues apply to consumers as well. Modern IT is lightyears ahead of consumer understanding, resulting in massive asymmetry between the buyer and hacker knowledge. For example, teaching businesses and individuals how to secure themselves online is like trying to teach how to assess the seismic stability of a building before renting it.

That’s because it’s out of the realm of most people’s knowledge and capability. To use the building analogy again, all one can really do is make sure the building industry is certified and the building is professionally assessed. This is why it’s no surprise SMEs are considered low-hanging fruit for hackers, with 43% of cyber-attacks targeting smaller businesses. Nowadays, it’s naïve to think that antivirus software is sufficient protection for your business.

For that reason, we must push harder for a better level of maturity in the IT space, where cyber-security becomes something individual businesses don’t need to worry about. In fact, I’d love to see New Zealand as the first country globally to have stricter codes of IT security, not only for online services and consulting services but physical equipment such as network devices, IoT devices and security cameras – to name a few.

A similar analogy I like to use is car safety. It’s now a selling point to list a car’s safety features before you consider purchasing it, but as a buyer, you know you don’t have to test this yourself because the industry has already done it. 

By contrast, parts of the IT industry operate more like the Wild Wild West. You might be sold a solution riddled with security flaws, yet would never know, until (in most cases) it’s too late. 

Therefore, whilst good progress is currently being made, including the cyber-security assessment support and certification package, I’d prefer to see IT service providers rated so that they are incentivised (both positively and negatively) to provide secure-by-default systems only and to ensure they're kept that way.

Andy Prow is chief executive and co-founder of RedShield Security Limited

All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.