Experts say there is a gaping chasm of awareness of the seriousness of the cyber security issue and the need to take appropriate steps to mitigate vulnerabilities
Cultural change required over cyber security – By Iain MacIntyre
Managers in the New Zealand construction industry need to incorporate cyber security within their base enterprise risk management framework and governance processes, as opposed to predominantly relying on technological solutions and delegation to IT managers.
Such is the urging of Kaon Security senior consultant Mark Micklefield, whose firm warns that as cyber criminals become increasingly sophisticated and aggressive in their endeavours, management needs to put cyber security on the agenda – before it becomes the agenda.
“As technology is used more widely in the construction industry, attention now needs to be paid as to how security is built into those systems, but also how they are operated,” Mr Micklefield tells NZCN. “So business unit managers – the executives that hold the profit and loss for each business unit – have to assume responsibility for the impact of an attack on their element of the business, rather than it being seen as being the IT manager’s problem,” he notes.
“Also, the human resources manager needs to be involved to drive the cultural change to the staff, and they have to be given the responsibility of being able to measure that improvement in understanding – again rather than it being an IT manager’s problem,” he adds.
“If those two things were to happen in New Zealand, we’d see businesses becoming a lot more robust than they are today.”
Closed for business
Describing 2016 as the “year of ransomware”, Mr Micklefield says a major local construction wholesale and retail supplier was one of several victims of repeat attacks witnessed.
“In two instances, systems were taken offline by the encryption process which meant that stores had to close – they couldn’t actually do business. They recovered from that, but it was not an immediate process – a day or so out in both cases. That is clearly a supply chain concern if you’re a construction company normally expecting that you can buy material when needed.”
He notes those particular attacks were initiated via ‘whaling’ emails targeted at specific ‘C-level’ individuals within the organisation. “The typical format we saw was that an email would be directed at a finance or sales administrator with an attachment which would either be a PDF or Excel file with a title such as ‘order for you’ or ‘invoice for you’.
“So, if you’re not vigilant in identifying the sender and determining whether they are a real sender that should actually be doing business with you, you’re fooled into opening the attachment,” he explains.
“Staff of any organisation are vulnerable to this type of social engineering, because it is convincing them or trying to convince them that the communications are legitimate and so they have no fear of opening the attachment.”
Mimicking identities
In a recent incident across the Tasman, which Mr Micklefield observes should also raise concern in the local construction industry, hackers penetrated the Australian government’s tendering portal.
“Somehow they’ve managed to get a directory of the list of suppliers in the tendering portal and a campaign of email ‘phishing’ has been directed at those suppliers, mimicking the government identity,” he explains.
“As soon as they open the email and click on the links, the intent is to cause damage to their systems, either through ransomware attack or by effectively launching malware – the latter basically looking for credentials in that supplier’s systems, such as details of customers.”
Another concerning new means of attack has been via websites during the browsing process alone, with victims only becoming aware that their systems have been breached when an on-screen pop-up appears demanding a number of bitcoins.
“So, you as an individual go through a website that you expect to be safe, only it has been infected – and just by clicking on areas of that website, it is launching code that is delivering ransomware to you,” Mr Micklefield notes. “The impact is either production/business transaction loss, because your systems are effectively encrypted and you can’t use them, or – in the case of whaling attacks – it can be direct monetary loss.”
No disclosure
Additionally, Mr Micklefield warns of the significant reputational damage that companies and organisations that suffer cyber attacks potentially incur – particularly in light of enhanced privacy legislation currently being developed in Parliament.
“We understand that a new privacy bill will include mandated disclosure of data breaches. This is following what has happened in the United Kingdom and Australia with their own legislation being reinforced,” he says.
“We see a lot go on, obviously, because we’re in the industry, but the average citizen only sees a certain amount in the press because there is no mandated disclosure. There is a hell of a lot more happening than anyone realises.
“Mandated disclosure will lift the lid on it, and then basically that will be a bit of a wake-up call for directors – because suddenly the reputation of their business is really heavily at risk.”
However, he laments there is still “a gaping chasm” of awareness of the seriousness of the cyber security issue and the need to take appropriate steps to mitigate vulnerabilities. “We were already evangelising that the biggest issue in cyber security is people’s weakness as opposed to technology, but last year just proved that beyond any shadow of a doubt. There needs to be within all industries – and construction is not immune to this – a concerted set of education campaigns to staff to increase their vigilance,” he says.
“Certainly, what we saw through 2016 is the cyber criminals out there – and a lot of them are very well organised – are more technologically and psychologically advanced than the people defending the systems in New Zealand.”
Developing a security strategy
In regards to the specific process of reviewing and improving the cyber security of a business or organisation, Mr Micklefield says Kaon’s methodology typically begins with a technical security audit or security policy compliance review.
“An audit with the resulting report is something that can be achieved within one to two months from engagement to completion. The net result of that is typically an improvement or remediation plan, which would typically take a year to complete the obvious remediations, but it may be a multi-year security improvement strategy,” he explains.
“Typically, we find the policy is non-existent, so establishing best-practice policy is the foundation for a new security strategy. Normally it would take about four to six weeks to complete this process and have the new policies in place. What we are finding now is the board wants the presentation, so they can discuss the remediation processes or the findings of the report and further outcomes that may be required,” he adds.
“It is not a single point-in-time fix. It is a cycle of improvements, policy awareness, operational security improvement, controls and objective analysis through either electronic monitoring or auditing to validate that the improvements are real.”
In late March this year, the NZ government released its first annual report in follow-up to the December 2015 launch of New Zealand’s cyber security strategy, action plan, and national plan to address cyber crime. The report outlines progress under the strategy’s four goals of achieving cyber resilience, building cyber capability, addressing cyber crime and enhancing international cooperation.
Areas of focus in 2017 include supporting the development of New Zealand’s cyber security industry, work on a cyber crime plan, helping small businesses to protect themselves online, and the launch of a national computer emergency readiness team (CERT).
It is understood the New Zealand Construction Industry Council is also reviewing its cyber security guidelines.
Iain MacIntyre is an award-winning journalist who specialises in transport and infrastructure issues within New Zealand