By Associate Professor Julian Jang-Jaccard
When we used to talk about personal security, we’d generally be talking about protecting our tangible, physical assets – protecting our homes and vehicles from break-ins, our valuable personal possessions from theft. Today, however, security is much more about protecting intangible and untouchable assets too. And that can mean everything from making sure your favourite holiday photos on your smartphone aren’t erased to ensuring that your bank account or business website isn’t compromised by errors, outages or bad actors.
As our lives have moved online, we’ve also seen a big increase in the difficulty of defence – in the early days of personal computing and internet connectivity, we were much more limited both in the number of people who had computers at home and in the number of tasks we used them for. These days almost everyone owns multiple digital devices and operates a multitude of distinct and complex pieces of software. We know that each of those pieces of software has vulnerabilities, and in a world where you no longer need to be an expert to exploit those vulnerabilities – the dark web, for example, is flooded with a concerningly accessible variety of hacking tools at very low prices – the risk is only going to become greater.
As our lives become ever-more digitally anchored, we need to understand the risks.
We live in an era where almost everything in our lives has the ability to connect to the internet. This includes not only desktop computers and smartphones but also a tremendous number of objects of all shapes and sizes, from baby monitors that recognise voices and images and children’s cuddly toys that can listen to and respond to a child’s inquiries, to smart microwaves and smart refrigerators that are connected to wi-fi and can be controlled remotely. What we need to be mindful of is the fact that each time our life is digitally anchored – this can be everything from an email being received or a Bluetooth speaker being connected to a car engine starting with a keyless remote sensor – we create a new risk to be exploited.
Let us put this in real numeric terms, to understand the size of the risk we live with today: as of 2022, there are supposed to be 11 billion “Internet of Things” connected devices in public circulation – by comparison, the world’s total population is just 7.6 billion. Even still, there’s no sign of that number decreasing – by 2030, it’s expected that the number of such devices will be around 25 billion. In other words, the number of potential access points, and the cybersecurity risk we’re all exposed to, will be almost tripled by the end of this decade.
The dangers are always changing – and it’s hard to know whether we’re keeping up.
Unfortunately, not much data has been collected to help us understand New Zealanders’ level of cyber risk awareness. It’s only been five years since the official launch of New Zealand’s Computer Emergency Response Team (CERT NZ), and while this organisation does crucial work in responding to incidents and organising data around them – things like top incident categories, the total amount of financial loss, and vulnerability reporting – it’s worth noting that the Australian equivalent was launched more than 25 years ago, and the original American organisation in 1988. It’s great that we have this capability now, but we clearly have a lot of catching up to do.
The geographical isolation of New Zealand has contributed to our mentality that NZ is a secure and safe country, an attitude which has unfortunately made us complacent in the face of cyberattacks – according to the Cyber Risk Index published by digital security and privacy firm NordVPN, New Zealand is one of the 10 most vulnerable countries in the world at risk of cyberattacks.
Through the work we’re doing at Massey University, which often involves engaging with businesses across New Zealand, we’ve found that many of our SMEs are using outdated software. This can range from not updating operating systems to using old-style firewalls, where people (often not cybersecurity professionals) configure the organisation’s internet traffic settings manually or do a bit of hand-tuning each time a cybersecurity incident happens. In a way, this is understandable – at that scale businesses typically don’t have a large budget to upgrade their security systems or hire expensive cybersecurity experts – but in practice these are the sorts of vulnerabilities that give openings for malware and attacks. In last year’s hugely disruptive Waikato DHB ransomware attack, a major aspect of the initial vulnerability was the fact that the organisation was working with outdated, insecure software systems.
We can be safer – but it’ll take a collective effort
One of the biggest challenges in cybersecurity is the rate of change – we’re up against an almost limitless rate of technological advancement and exploitation on the side of the hackers.
One holistic change which I’d like to see is that we start teaching cybersecurity as early as possible, to ensure that as a population we have a better knowledge of how to spot and avoid attacks. Last year, Australia proposed a primary school cybersecurity curriculum be included for kids aged five to 16, with $3.8 million funded in the same year to start cybersecurity education for year 7 – 12 students. For businesses, CERT NZ now offers a range of free resources and tools to help them protect themselves from potential cyberattacks without having to purchase costly defence tools or hire expensive cybersecurity professionals.
The government has taken a range of steps to expand its cybersecurity efforts – most notably in establishing the National Cyber Security Centre and National Cyber Policy Office, and dedicating significant funding to academic research and development projects in the area – and can be commended for its work to protect not only the public internet but the entire cybersecurity ecosystem. But more support is needed. We need to build a better relationship between businesses and universities for improved sharing of data and nurturing of innovation in cybersecurity. We need more support for cybersecurity training and developing talent pools with the right skills. And we need to create pathways for people to grow, share and deploy those skills. With better foundations in place, New Zealand will be much safer, much more secure, and much more ready for the future.