Like Australia, New Zealand has witnessed troubling cybersecurity trends in recent years. According to the country’s National Cyber Security Centre, financially motivated cybercrime has outpaced state-backed activity for the first time, and the agency has warned of its threat to the wellbeing of New Zealanders. Recent research found that 70 percent of companies with 100 or more employees were in some way disrupted by cybercrime in 2023.
I recently had the opportunity to discuss these trends with Darren Beattie, head of information security at the Auckland-based Tower Insurance. Darren is responsible for ensuring the secure operations and communications of operations in New Zealand and six Pacific Island nations including Fiji, American Samoa, and Vanuatu.
Cybercriminals targeting insurers have dominated industry headlines in neighboring Australia following successful breaches of the major players like MediBank and MediSecure. Not surprisingly, across the Tasman Sea in New Zealand, it is also a serious concern for professionals like Beattie.
As he pointed out, the protection of personally identifiable information is paramount for insurers, who often retain information about the locations of clients’ vehicles and the valuables stored in their homes. This information could fetch a high price on the dark web, making Tower and other insurers attractive targets for cybercriminals. The proprietary algorithms insurers use to calculate policies are also prized and subject to abuse if stolen by threat actors.
While I was eager to learn what differentiates cyber trends in ANZ from the rest of the world, Beattie emphasized that hacktivists targeting supporters of Ukraine's struggle against Russia, opportunistic phishing scams, and credential theft are globally relevant aspects of cybercrime.
"We're all strung together with little pieces of fiber and, the fact is, being in New Zealand is no different than being in the UK or North America these days.
As elsewhere, cyber professionals in New Zealand have honed in on a few industry-prescribed best practices. Information-sharing with Australia and vendors is commonplace, as is an emphasis on user awareness training – a focus Beattie has seen grow in his 16 years as a cyber professional in New Zealand.
"I think, when we've had breaches like the Latitude breach, a lot of people were impacted and everyone realized it's not something that happens only in the U.S. or Europe. It happens here," Beattie said.
The cyberattack against the Australia-based financial institution affected more than a million New Zealanders and over 14 million in the wider ANZ region, prompting calls for greater “trans-Tasman” collaboration on cyber matters.
Zero trust in Middle Earth
Another global trend in cybercrime is getting caught in cycles of doom and gloom characterized by a near-sighted focus on hacks in the headlines. But, as Beattie pointed out, advancements in cyber protection sometimes emerge from bleak circumstances. Just as cybersecurity often improves after a breach, the trauma of COVID-19 was a catalyst for improving many organizations’ security posture.
This was certainly the case for Tower Insurance. Beattie says it helped his company buck inertia and gain the confidence that remote work could be done securely. Supply-chain shortages and mandatory work-from-home regimes forced him to grapple with issues like de-perimeterization and business being conducted on unmanaged devices.
"You suddenly had your kids' Chromebook or your wife's MacBook, something you would never use in a corporate environment, now having to be used because that was the only thing that was available," he recalls.
This forced evolution still holds lessons for companies undergoing their own transformations today, Beattie says, in New Zealand and beyond. As notions of a secure perimeter and trusted network begin to show their age, he began to turn his focus toward managing risk through contextual analysis of factors like device posture and behavioral anomalies.
Transformation, though, requires a change of mindset. That can be a challenge for leaders who fail to put themselves in their users’ mindsets. Beattie said he had to educate employees and even senior leaders that, while a zero trust approach can feel frictionless, assets were still being protected.
Ultimately, zero trust is best thought of as a journey, he says.
"Zero trust is not a product that you just implement and go and 'that's it.' It's an evolution. Your technology changes. User behavior changes. Your business changes."
For those just setting out, Beattie emphasizes the importance of alignment between IT and security leaders, a willingness to take incremental steps, and champion-building throughout the organization. When done right, he says, zero trust transformations lead to more secure organizations and happier users.
"Organizations that allow people to work from home for work-life balance, that's really important," he says. "And our users don't complain about security anymore because it just works."
To catch my complete conversation with Darren Beattie, watch Achieving Operational Security in ANZ here.
What to read next:
How zero trust architectures can fortify Australia’s cyber landscape
For the sake of its cybersecurity, Australia must come together